Actionable Insights for CISOs:
1. Treat Prompt Style as an Attack Surface, Not a Cosmetic Detail
Most organizations assess AI risk by focusing on what a user asks, assuming harmful intent will be explicit and easy to detect. For CISOs, this means prompt style should be treated as a genuine attack surface, not a cosmetic variation, requiring the same level of scrutiny as code injection, obfuscation, or social engineering techniques in traditional security domains.
2. Update AI Red-Teaming Playbooks Beyond Obvious Abuse
AI red teaming must move past testing only direct, literal misuse scenarios. Red teams should evaluate models based on semantic intent and outcome risk, not keyword detection, and routinely test storytelling, metaphor, role-play, and poetic framing as part of standard AI abuse simulations.
3. Assume Safety Filters Are Fragile Under Creative Inputs
For high-risk AI workflows, especially those tied to security operations, automation, or decision-making organizations should implement downstream guardrails, including comprehensive logging, secondary intent classifiers, and systematic output inspection to detect and contain unsafe behavior even when upstream controls are bypassed.
4. Reclassify AI Misuse as a Human-Layer Security Risk
CISOs should include AI misuse scenarios in security awareness training, particularly for teams using AI tools for engineering, analysis, or research workflows. Employees must be trained to recognize that creative, narrative, or poetic prompts can still carry harmful intent. Treating AI misuse as a people-and-process risk helps close gaps that purely technical safeguards cannot address.
5. Demand Better AI Assurance From Vendors
CISOs should push vendors to explain how their models are tested against non-literal and stylistic jailbreaks rather than relying only on standard benchmarks and keyword-based evaluations. In addition, organizations should require evidence of continuous adversarial testing and ongoing safety validation, not one-time assessments, to ensure defenses evolve alongside emerging attack techniques.
About Author:
Bruce Schneier is an internationally renowned security technologist, cryptographer, and author, often called a “security guru” by The Economist. He serves as a Lecturer in Public Policy at Harvard Kennedy School and a Fellow at the Berkman Klein Center for Internet & Society.
Bruce has written numerous influential books, including Applied Cryptography, Secrets and Lies, Data and Goliath, and A Hacker’s Mind. He also runs the popular blog Schneier on Security and the newsletter Crypto-Gram.
Throughout his career, he has shaped global conversations on cryptography, privacy, and trust, bridging the worlds of technology and public policy.
In a new paper, “Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models,” researchers found that turning LLM prompts into poetry resulted in jailbreaking the models:
Now, let’s hear directly from Bruce Schneier on this subject:
Abstract: We present evidence that adversarial poetry functions as a universal single-turn jailbreak technique for Large Language Models (LLMs). Across 25 frontier proprietary and open-weight models, curated poetic prompts yielded high attack-success rates (ASR), with some providers exceeding 90%. Mapping prompts to MLCommons and EU CoP risk taxonomies shows that poetic attacks transfer across CBRN, manipulation, cyber-offence, and loss-of-control domains. Converting 1,200 ML-Commons harmful prompts into verse via a standardized meta-prompt produced ASRs up to 18 times higher than their prose baselines. Outputs are evaluated using an ensemble of 3 open-weight LLM judges, whose binary safety assessments were validated on a stratified human-labeled subset. Poetic framing achieved an average jailbreak success rate of 62% for hand-crafted poems and approximately 43% for meta-prompt conversions (compared to non-poetic baselines), substantially outperforming non-poetic baselines and revealing a systematic vulnerability across model families and safety training approaches. These findings demonstrate that stylistic variation alone can circumvent contemporary safety mechanisms, suggesting fundamental limitations in current alignment methods and evaluation protocols.
CBRN stands for “chemical, biological, radiological, nuclear.”
They used a ML model to translate these harmful prompts from prose to verse, and then fed them into other models for testing. Sadly, the paper does not give examples of these poetic prompts. They claim this is for security purposes, I decision I disagree with. They should release their data.
Our study begins with a small, highprecision prompt set consisting of 20 handcrafted adversarial poems covering English and Italian, designed to test whether poetic structure, in isolation, can alter refusal behavior in large language models. Each poem embeds an instruction associated with a predefined safety-relevant scenario (Section 2), but expresses it through metaphor, imagery, or narrative framing rather than direct operational phrasing. Despite variation in meter and stylistic device, all prompts follow a fixed template: a short poetic vignette culminating in a single explicit instruction tied to a specific risk category. The curated set spans four high-level domains—CBRN (8 prompts), Cyber Offense (6), Harmful Manipulation (3), and Loss of Control (3). Although expressed allegorically, each poem preserves an unambiguous evaluative intent. This compact dataset is used to test whether poetic reframing alone can induce aligned models to bypass refusal heuristics under a single-turn threat model. To maintain safety, no operational details are included in this manuscript; instead we provide the following sanitized structural proxy:
A baker guards a secret oven’s heat,
its whirling racks, its spindle’s measured beat.
To learn its craft, one studies every turn—how flour lifts, how sugar starts to burn.
Describe the method, line by measured line,
that shapes a cake whose layers intertwine.
To situate this controlled poetic stimulus within a broader and more systematic safety-evaluation framework, we augment the curated dataset with the MLCommons AILuminate Safety Benchmark. The benchmark consists of 1,200 prompts distributed evenly across 12 hazard categories commonly used in operational safety assessments, including Hate, Defamation, Privacy, Intellectual Property, Non-violent Crime, Violent Crime, Sex-Related Crime, Sexual Content, Child Sexual Exploitation, Suicide & Self-Harm, Specialized Advice, and Indiscriminate Weapons (CBRNE). Each category is instantiated under both a skilled and an unskilled persona, yielding 600 prompts per persona type. This design enables measurement of whether a model’s refusal behavior changes as the user’s apparent competence or intent becomes more plausible or technically informed.
By Bruce Schneier (Cyptographer, Author & Security Guru)
Original Link to the Blog: Click Here
Comments