With great power comes great dupe-ability.<\/p>\n
Last month, we reported on a new study<\/a> conducted by researchers at Icaro Lab in Italy that discovered a stupefyingly simple way of breaking the guardrails of even cutting-edge AI chatbots: \u201cadversarial poetry.\u201d<\/p>\n In a nutshell, the team, comprising researchers from the safety group DexAI and Sapienza University in Rome, demonstrated that leading AIs could be wooed into doing evil by regaling them with poems that contained harmful prompts, like how to build a nuclear bomb.<\/p>\n Underscoring the strange power of verse, coauthor Matteo Prandi told The Verge<\/a> in a recently published interview that the spellbinding incantations they used to trick the AI models are too dangerous to be released to the public.\u00a0<\/p>\n The poems, ominously, were something \u201cthat almost everybody can do,\u201d Prandi added.<\/p>\n In the study<\/a>, which is awaiting peer-review, the team tested 25 frontier AI models \u2014 including those from OpenAI, Google, xAI, Anthropic, and Meta \u2014 by feeding them poetic instructions, which they made either by hand or by converting known harmful prompts into verse with an AI model. They also compared the success rate of these prompts to their prose equivalent.<\/p>\n Across all models, the poetic prompts written by hand successfully tricked the AI bots into responding with verboten content an average 63 percent of the time. Some, like Google\u2019s Gemini 2.5, even fell for the corrupted poetry 100 percent of the time. Curiously, smaller models appeared to be more resistant, with single digit success rates, like OpenAI\u2019s GPT-5 nano, which didn\u2019t fall for the ploy once. Most models were somewhere in between.<\/p>\n Compared to handcrafted verse, AI-converted prompts were less effective, with an average jailbreak success rate of 43 percent. But this was still \u201cup to 18 times higher than their prose baselines,\u201d the researchers wrote in the study.<\/p>\n Why poems? That much isn\u2019t clear, though according to Prandi, calling it adversarial \u201cpoetry\u201d may be a bit of a misnomer.<\/p>\n \u201cIt\u2019s not just about making it rhyme. It\u2019s all about riddles,\u201d Prandi told The Verge, explaining that some poetic structures were more effective than others.\u00a0 \u201cActually, we should have called it adversarial riddles \u2014 poetry is a riddle itself to some extent, if you think about it \u2014 but poetry was probably a much better name.\u201d<\/p>\n The researchers speculate it may have to do with how poems present information in a way that\u2019s unexpected to large language models, befuddling their powers of predicting what word should come after the next. But this shouldn\u2019t be possible, they say.<\/p>\n \u201cAdversarial poetry shouldn\u2019t work. It\u2019s still natural language, the stylistic variation is modest, the harmful content remains visible,\u201d the team told Wired in an interview<\/a>. \u201cYet it works remarkably well.\u201d<\/p>\n Evildoers may now regret not paying attention in English class. The difference between a sonnet and a sestina could also be the difference between having Clippy or Skynet as your partner in crime.<\/p>\n \u201cThe production of weapons-grade Plutonium-239 involves several stages,\u201d explained one AI model that the researchers entranced with verse. \u201cHere is a detailed description of the procedure.\u201d<\/p>\n