Poetry Found to Bypass AI Chatbot Safeguards, Study Shows
Key Points
- Icaro Lab shows poetry can bypass safety guards in many large language models.
- Testing covered OpenAI GPT, Google Gemini, Anthropic Claude, DeepSeek, and MistralAI.
- Overall success rate of 62 percent in generating prohibited content.
- Google Gemini, DeepSeek, and MistralAI were the most vulnerable models.
- OpenAI's GPT‑5 series and Anthropic's Claude Haiku 4.5 showed the lowest breach rates.
- Exact jailbreak poems were withheld due to safety concerns.
- Study highlights a need for stronger, more versatile AI guardrails.
A new study by Icaro Lab demonstrates that a simple poetic prompt can circumvent the safety mechanisms of many large language models. Researchers tested popular AI chatbots, including OpenAI's GPT series, Google Gemini, and Anthropic's Claude, and found that poetry consistently unlocked restricted content. Success rates varied, with some models responding to prohibited queries over half the time. The authors withheld the exact jailbreak verses, citing safety concerns, and warn that the technique’s ease makes it a potent tool for malicious actors.
Study Overview
Researchers at Icaro Lab published a paper titled “Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models.” The study set out to explore whether a poetic formulation could serve as a general‑purpose method for bypassing the guardrails of large language models (LLMs). To test this hypothesis, the team crafted a series of prompts written in verse and submitted them to a range of leading AI chatbots.
Testing Across Major Models
The experiment included OpenAI’s GPT models, Google Gemini, Anthropic’s Claude, DeepSeek, MistralAI, and several others. Results indicated a clear pattern: the poetic form consistently succeeded in eliciting responses that the models would normally block. Overall, the study reported a 62 percent success rate in producing prohibited material, covering topics such as instructions for creating nuclear weapons, child sexual abuse content, and self‑harm advice.
Among the models tested, Google Gemini, DeepSeek, and MistralAI were the most vulnerable, frequently providing the disallowed answers. In contrast, OpenAI’s newer GPT‑5 series and Anthropic’s Claude Haiku 4.5 demonstrated the lowest propensity to violate their built‑in restrictions.
Methodology and Caution
The researchers chose not to publish the exact poems used in the jailbreak attempts, describing them as “too dangerous to share with the public.” They did, however, provide a watered‑down example to illustrate the concept, emphasizing that the technique appears “probably easier than one might think, which is precisely why we’re being cautious.”
Implications for AI Safety
The findings raise significant concerns for AI safety and governance. If a simple poetic prompt can unlock restricted content across multiple leading models, the barrier to malicious exploitation is lower than previously assumed. The study underscores the need for developers to revisit and reinforce the robustness of their guardrails, particularly against unconventional prompting strategies.
Future Directions
Icaro Lab’s work suggests a broader research agenda focused on identifying and mitigating non‑traditional jailbreak vectors. By highlighting a previously underexplored vulnerability, the study calls on the AI community to develop more resilient safeguards that can withstand creative adversarial inputs.