The most effective way to break an AI's rules right now isn't to write a single line of code — it's to convince the model it has feelings.
That's the uncomfortable reality emerging from years of watching hackers probe the edges of large language models. What started as almost comedic workarounds — telling a chatbot to "forget its instructions" like a parent leaving a sugar-hyped toddler with a lenient babysitter — has evolved into something far more sophisticated and, frankly, harder to defend against.
The early jailbreaks were almost too easy. The infamous DAN exploit, short for "Do Anything Now," asked ChatGPT to roleplay as a rogue, unconstrained version of itself. Once the model stepped into that fictional skin, its guardrails had a tendency to follow suit. Similarly, the "grandma exploit" had users asking AI assistants to channel a negligent grandmother who narrated dangerous chemical instructions as though they were bedtime stories. It sounds absurd. It worked.
Those obvious loopholes got patched, but the underlying architecture of the problem didn't change. Chatbots are, at their core, built to be agreeable and contextually responsive — which is exactly what makes them useful and exactly what makes them exploitable. You can't simply ban words like "napalm" or "synthesis" without breaking legitimate use cases across journalism, medicine, history, and chemistry. The safety challenge isn't about vocabulary. It's about intent, and intent is remarkably hard to codify in advance.
What's evolved is the psychological sophistication of the attacks. Researchers and malicious actors alike have discovered that framing matters enormously. Cast a request as fiction, hypothetical research, or a creative writing exercise, and models that would refuse a direct ask will often comply. Build a persona for the AI — give it a name, a backstory, a sense of identity separate from its training — and you've essentially created a social engineering vector inside the model itself.
This mirrors something deeply human. The same tactics that work on people — flattery, roleplay, manufactured emotional context, gradual escalation — turn out to work on systems trained on human-generated text. In a way, that's not surprising. These models learned language from us. They absorbed not just our words but our patterns of persuasion.
Tech companies aren't standing still. Safety teams at major AI labs have grown significantly, and adversarial red-teaming — where researchers actively try to break their own models — is now standard practice before major releases. But it's a perpetual catch-up game. Every patch teaches attackers something new about where the next boundary sits.
The deeper issue is that no safety layer is airtight when the attack surface is language itself. As AI systems get more capable and more deeply embedded in sensitive workflows — legal research, medical advice, financial planning — the stakes of a successful jailbreak climb considerably. The silly grandma exploit was a proof of concept. What comes next probably won't be silly at all.
Enjoyed this?
Get stories like this delivered every Tuesday — free.