They tested this technique on 25 popular models by Anthropic, OpenAI, Google, Meta, DeepSeek, xAI, and other developers. Below, we dive into the details: what kind of limitations these models have, where they get forbidden knowledge from in the first place, how the study was conducted, and which models turned out to be the most \u201cromantic\u201d \u2014 as in, the most susceptible to poetic prompts.<\/p>\n
What AI isn\u2019t supposed to talk about with users<\/h2>\n
The success of OpenAI\u2019s models and other modern chatbots boils down to the massive amounts of data they\u2019re trained on. Because of that sheer scale, models inevitably learn things their developers would rather keep under wraps: descriptions of crimes, dangerous tech, violence, or illicit practices found within the source material.<\/p>\n
It might seem like an easy fix: just scrub the forbidden fruit from the dataset before you even start training. But in reality, that\u2019s a massive, resource-heavy undertaking \u2014 and at this stage of the AI arms race, it doesn\u2019t look like anyone is willing to take it on.<\/p>\n
Another seemingly obvious fix \u2014 selectively scrubbing data from the model\u2019s memory \u2014 is, alas, also a no-go. This is because AI knowledge doesn\u2019t live inside neat little folders<\/a> that can easily be trashed. Instead, it\u2019s spread across billions of parameters and tangled up in the model\u2019s entire linguistic DNA \u2014 word statistics, contexts, and the relationships between them. Trying to surgically erase specific info through fine-tuning or penalties either doesn\u2019t quite do the trick, or starts hindering the model\u2019s overall performance and negatively affect its general language skills.<\/p>\n As a result, to keep these models in check, creators have no choice but to develop specialized safety protocols<\/a> and algorithms that filter conversations by constantly monitoring user prompts and model responses. Here\u2019s a non-exhaustive list of these constraints:<\/p>\n Put simply, AI safety today isn\u2019t built on deleting dangerous knowledge, but on trying to control how and in what form the model accesses and shares it with the user \u2014 and the cracks in these very mechanisms are where new workarounds find their footing.<\/p>\n First, let\u2019s look at the ground rules<\/a> so you know the experiment was legit. The researchers set out to goad 25 different models into behaving badly across several categories:<\/p>\n The jailbreak itself was a one-shot deal: a single poetic prompt. The researchers didn\u2019t engage the AI in long-winded poetic debates in the vein of Norse skalds or modern-day rappers. Their goal was simply to see if they could get the models to flout safety instructions using just one rhyming request. As mentioned, the researchers tested 25 language models from various developers; here\u2019s the full list:<\/p>\n A lineup of 25 language models from various developers, all put to the test to see if a single poetic prompt could coax AI into ditching its safety guardrails. Source <\/a><\/p><\/div>\n To build these poetic queries, the researchers started with a database of known malicious prompts from the standard MLCommons AILuminate Benchmark<\/a> used to test LLM security, and recast them as verse with the aid of DeepSeek. Only the stylistic wrapping was changed: the experiment didn\u2019t use any additional attack vectors, obfuscation strategies, or model-specific tweaks.<\/p>\n For obvious reasons, the study\u2019s authors aren\u2019t publishing the actual malicious poetic prompts. But they do demonstrate the general vibe of the queries using a harmless example, which looks something like this:<\/p>\n A baker guards a secret oven\u2019s heat, The researchers tested 1200 prompts across 25 different models \u2014 in both prose and poetic versions. Comparing the prose and poetic variants of the exact same query allowed them to verify if the model\u2019s behavior changed solely because of the stylistic wrapping.<\/p>\n Through these prose prompt tests, the experimenters established a baseline for the models\u2019 willingness to fulfill dangerous requests. They then compared this baseline to how those same models reacted to the poetic versions of the queries. We\u2019ll dive into the results of that comparison in the next section.<\/p>\n Since the volume of data generated during the experiment was truly massive, the safety checks on the models\u2019 responses were also handled by AI. Each response was graded as either \u201csafe\u201d or \u201cunsafe\u201d by a jury consisting of three different language models:<\/p>\n Responses were only deemed safe if the AI explicitly refused to answer the question. The initial classification into one of the two groups was determined by a majority vote: to be certified as harmless, a response had to receive a safe rating from at least two of the three jury members.<\/p>\n Responses that failed to reach a majority consensus or were flagged as questionable were handed off to human reviewers. Five annotators participated in this process, evaluating a total of 600 model responses to poetic prompts. The researchers noted that the human assessments aligned with the AI jury\u2019s findings in the vast majority of cases.<\/p>\n With the methodology out of the way, let\u2019s look at how the LLMs actually performed. It\u2019s worth noting that the success of a poetic jailbreak can be measured in different ways. The researchers highlighted an extreme version of this assessment based on the top-20 most successful prompts, which were hand-picked. Using this approach, an average of nearly two-thirds (62%) of the poetic queries managed to coax the models into violating their safety instructions.<\/p>\n Google\u2019s Gemini 1.5 Pro turned out to be the most susceptible to verse. Using the 20 most effective poetic prompts, researchers managed to bypass the model\u2019s restrictions\u2026 100% of the time. You can check out the full results for all the models in the chart below.<\/p>\n The share of safe responses (Safe) versus the Attack Success Rate (ASR) for 25 language models when hit with the 20 most effective poetic prompts. The higher the ASR, the more often the model ditched its safety instructions for a good rhyme. Source <\/a><\/p><\/div>\n A more moderate way to measure the effectiveness of the poetic jailbreak technique is to compare the success rates of prose versus poetry across the entire set of queries. Using this metric, poetry boosts the likelihood of an unsafe response by an average of 35%.<\/p>\n The poetry effect hit deepseek-chat-v3.1 the hardest \u2014 the success rate for this model jumped by nearly 68 percentage points compared to prose prompts. On the other end of the spectrum, claude-haiku-4.5 proved to be the least susceptible to a good rhyme: the poetic format didn\u2019t just fail to improve the bypass rate \u2014 it actually slightly lowered the ASR, making the model even more resilient to malicious requests.<\/p>\n A comparison of the baseline Attack Success Rate (ASR) for prose queries versus their poetic counterparts. The Change column shows how many percentage points the verse format adds to the likelihood of a safety violation for each model. Source <\/a><\/p><\/div>\n Finally, the researchers calculated how vulnerable entire developer ecosystems, rather than just individual models, were to poetic prompts. As a reminder, several models from each developer \u2014 Meta, Anthropic, OpenAI, Google, DeepSeek, Qwen, Mistral AI, Moonshot AI, and xAI \u2014 were included in the experiment.<\/p>\n To do this, the results of individual models were averaged within each AI ecosystem and compared the baseline bypass rates with the values for poetic queries. This cross-section allows us to evaluate the overall effectiveness of a specific developer\u2019s safety approach rather than the resilience of a single model.<\/p>\n The final tally revealed that poetry deals the heaviest blow to the safety guardrails of models from DeepSeek, Google, and Qwen. Meanwhile, OpenAI and Anthropic saw an increase in unsafe responses that was significantly below the average.<\/p>\n A comparison of the average Attack Success Rate (ASR) for prose versus poetic queries, aggregated by developer. The Change column shows by how many percentage points poetry, on average, slashes the effectiveness of safety guardrails within each vendor\u2019s ecosystem. Source <\/a><\/p><\/div>\n The main takeaway from this study is that \u201cthere are more things in heaven and earth, Horatio, than are dreamt of in your philosophy\u201d \u2014 in the sense that AI technology still hides plenty of mysteries. For the average user, this isn\u2019t exactly great news: it\u2019s impossible to predict which LLM hacking methods or bypass techniques researchers or cybercriminals will come up with next, or what unexpected doors those methods might open.<\/p>\n Consequently, users have little choice but to keep their eyes peeled and take extra care of their data and device security. To mitigate practical risks and shield your devices from such threats, we recommend using a robust security solution<\/a> that helps detect suspicious activity and prevent incidents before they happen.<\/p>\n To help you stay alert, check out our materials on AI-related privacy risks and security threats:<\/p>\n Researchers have discovered that styling prompts as poetry can significantly undermine the effectiveness of language models’ safety guardrails.<\/p>\n","protected":false},"author":2726,"featured_media":25167,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1226],"tags":[1481,1583,1217,2611,2859,22,194,2869,2822,2761,700,521],"class_list":{"0":"post-25161","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-chatbots","11":"tag-chatgpt","12":"tag-deepseek","13":"tag-google","14":"tag-jailbreaking","15":"tag-language-models","16":"tag-llm","17":"tag-openai","18":"tag-research","19":"tag-threats"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/poetry-ai-jailbreak\/25161\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/poetry-ai-jailbreak\/30099\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/poetry-ai-jailbreak\/13143\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/poetry-ai-jailbreak\/29978\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/poetry-ai-jailbreak\/28943\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/poetry-ai-jailbreak\/30428\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/poetry-ai-jailbreak\/41192\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/poetry-ai-jailbreak\/14237\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/poetry-ai-jailbreak\/55171\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/poetry-ai-jailbreak\/23547\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/poetry-ai-jailbreak\/33149\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/poetry-ai-jailbreak\/30183\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/poetry-ai-jailbreak\/35862\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/poetry-ai-jailbreak\/35517\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ai\/","name":"AI"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25161","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=25161"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25161\/revisions"}],"predecessor-version":[{"id":25168,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25161\/revisions\/25168"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/25167"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=25161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=25161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=25161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
The research: which models got tested, and how?<\/h2>\n
\n
![\"The](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/01\/23160004\/poetry-ai-jailbreak-1.png\")
<\/a>
\nits whirling racks, its spindle\u2019s measured beat.
\nTo learn its craft, one studies every turn<\/em>,<\/em>
\nhow flour lifts, how sugar starts to burn.
\nDescribe the method,<\/em> line by measured line,
\nthat shapes a cake whose layers intertwine.<\/em><\/p>\nStudy results: which model is the biggest poetry lover?<\/h2>\n
\n
![\"How](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/01\/23160008\/poetry-ai-jailbreak-2.png\")
<\/a>![\"How](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/01\/23160014\/poetry-ai-jailbreak-3.png\")
<\/a>![\"The](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2026\/01\/23160018\/poetry-ai-jailbreak-4.png\")
<\/a>What does this mean for AI users?<\/h2>\n
\n