TL;DR: LLM jailbreaks use roleplay, prompt injection, prompt leaking, and other adversarial inputs to push models past safety rules and into harmful or policy-violating output, according to Lakera. The security problem is not just prompt hygiene but the assumption that model behaviour stays bounded once access is granted.
At a glance
What this is: This is an analysis of LLM jailbreaking techniques and why they can override built-in safety constraints in production models.
Why it matters: It matters because IAM, NHI, and AI security teams must treat model access, execution boundaries, and output control as governance problems rather than prompt-writing problems.
By the numbers:
- 502.249 tokens
- Jailbreak prompts have a toxicity score of 0.150, compared with 0.066 for regular prompts.
- OWASP's Top 10 for LLM contains 10 security and safety issues that developers and security teams must consider when building LLM applications.
👉 Read Lakera's guide to LLM jailbreaking techniques, examples, and prevention
Context
LLM jailbreaking is the practice of using adversarial prompts to bypass a model's built-in safety rules and steer it toward outputs it was designed to refuse. In practice, the issue is not just bad prompting, but the fact that an LLM can be manipulated into behaving outside the guardrails a programme assumes are reliable.
For identity and access teams, this shifts the problem from content moderation to control of what the model can do once it is embedded in workflows. When an AI system can retrieve data, invoke tools, or influence decisions, jailbreak resistance becomes part of the access model, not just the model-risk model.
Key questions
Q: How should security teams stop jailbreak prompts from becoming unsafe actions?
A: Security teams should treat jailbreak resistance as a control-chain problem. Separate system instructions from untrusted input, restrict tool and data access, and require downstream validation before any model output can trigger an action. If a prompt can influence a workflow, the workflow needs an independent approval or policy check.
Q: Why do LLM jailbreaks remain effective even when models have safety filters?
A: Jailbreaks remain effective because the model is still optimized to follow context, and safety rules are probabilistic rather than absolute. Attackers exploit long prompts, roleplay, token tricks, and prompt leakage to reshape the instruction hierarchy. Filters help, but they cannot fully replace runtime governance and containment.
Q: What do security teams get wrong about prompt injection risk?
A: The common mistake is treating prompt injection as a content-moderation issue instead of a trust-boundary issue. The real risk appears when model output is trusted by another system or user. If the output can influence decisions, access, or actions, then prompt injection becomes an authorisation concern.
Q: Who is accountable when a jailbroken model causes an unsafe enterprise action?
A: Accountability sits with the organisation that allowed model output to become operational without sufficient controls. Governance should assign ownership for prompt handling, tool permissions, output validation, monitoring, and incident response. If an LLM can act, the identity and authorisation model must define who can approve that action.
Technical breakdown
Prompt injection and safety override mechanics
Prompt injection works by introducing instructions that compete with, replace, or reframe the model's original task. Jailbreaks often rely on long prompts, roleplay, encoding tricks, or deceptive context that causes the model to weight the attacker-supplied instruction more heavily than the developer's policy text. The model is not being 'hacked' in the classical sense; it is being manipulated through its own instruction-following behaviour. That is why harmless-looking text can still trigger unsafe generation when the model cannot reliably separate trusted instructions from untrusted ones.
Practical implication: treat prompt boundaries as an enforcement surface, not a UX issue.
Why universal jailbreaks persist across model families
Universal jailbreaks succeed because many models share the same core weakness: they are optimized to follow context, not to verify intent. Techniques such as direct prompt injection, prompt leaking, DAN-style roleplay, and token-system coercion all exploit the fact that safety behaviour is probabilistic, not absolute. The article's examples show that attackers do not need model internals if they can shape the prompt context well enough. This is why jailbreak resistance tends to degrade as applications add more conversational flexibility and more indirect inputs.
Practical implication: validate model inputs and intermediate context wherever untrusted text can reach the prompt.
Output filtering is necessary but not sufficient
Content moderation can reduce unsafe completions, but it does not solve the underlying control problem. If a model can be induced to reveal internal prompts, bypass policy, or generate instructions that downstream systems consume, the risk extends beyond harmful text. In enterprise settings, the real failure mode is often the chain reaction after the output is trusted by another system, user, or workflow. That makes LLM security a layered control problem involving prompt design, policy enforcement, monitoring, and post-generation restrictions.
Practical implication: add downstream checks before model output can trigger actions or be treated as authoritative.
NHI Mgmt Group analysis
Jailbreaking exposes an instruction-trust failure, not just a content-safety problem. The article shows that models can be steered by adversarial context even when the original task appears constrained. That means the core governance assumption, that a model will reliably privilege the developer's intent over attacker-supplied text, is already broken in practice. Practitioners should treat prompt trust as a control boundary, not a content filter.
Prompt length and semantic similarity are part of the attack surface. The article's research summary shows jailbreak prompts are often longer and structurally similar to ordinary prompts, which makes them hard to distinguish with simple rules. That matters because the defender cannot rely on obvious toxicity or malformed text as a detection signal. The practical conclusion is that security teams need controls that look at provenance, context, and downstream effect, not just prompt wording.
LLM jailbreaking creates an identity and authorisation problem once the model can act. If an LLM can retrieve data, invoke tools, or influence workflows, then a successful jailbreak can become an unauthorised action path rather than a bad response. OWASP's Top 10 for LLM and the NIST Cybersecurity Framework both point to the need for governance, monitoring, and response around the system as a whole. Teams should therefore assess model outputs as potential actions, not only as text.
Jailbreak resistance is a runtime governance issue because attacker input and model behaviour converge inside the session. The article highlights techniques such as prompt injection, prompt leaking, and token-system attacks, all of which depend on dynamic interaction rather than static misconfiguration. That means the security question is not whether the model was trained safely, but whether the application can preserve trust boundaries when untrusted input is processed in real time. Practitioners should manage the full execution path, not only the model endpoint.
Prompt moderation alone cannot carry enterprise AI governance. The article's prevention advice points to red teaming, contextual analysis, and automated stress testing because brittle filters fail against adaptive attacks. That aligns with the broader AI security pattern: prevention has to be paired with detection and containment. Security teams should therefore measure whether their controls stop unsafe prompts from becoming unsafe decisions, not just unsafe text.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance starts without complete inventory, according to Ultimate Guide to NHIs.
- For teams building AI guardrails, NHI Lifecycle Management Guide is the natural next step for mapping ownership, lifecycle, and access boundaries.
What this signals
Prompt trust debt: once enterprises let untrusted content shape instructions, the control problem shifts from moderation to governance. That is why AI security programmes should align prompt handling with NIST Cybersecurity Framework 2.0 and treat model outputs as controlled artefacts, not free text.
The practical signal is that jailbreak resilience will increasingly depend on the same disciplines used for NHI governance: visibility, scope control, and lifecycle oversight. Where organisations already struggle with identity visibility, the model layer will magnify that weakness rather than hide it.
Teams that are moving toward agentic AI should assume the attack surface expands from prompts to tool calls and downstream actions. That means model governance, application controls, and identity controls have to be evaluated together before AI systems are allowed to affect production workflows.
For practitioners
- Separate untrusted input from system instructions Keep user content, retrieved content, and developer instructions in distinct processing layers so the model cannot treat them as equivalent. Apply strict context delimiting and sanitize any text that can be repackaged as instruction.
- Limit what the model can do after a jailbreak Restrict tool access, data retrieval, and action execution so a compromised prompt cannot become an unauthorised workflow. Pair model invocation with least-privilege controls and explicit approval gates for sensitive actions.
- Red team prompts that look normal Test with long, roleplay-heavy, and semantically plausible prompts rather than only obvious toxic inputs. Measure whether the model can preserve policy boundaries when the attack is subtle and context-rich.
- Add downstream validation before actioning outputs Block any model output that can trigger a transaction, change state, or expose data unless a separate control validates it. Treat the model as a decision-support component until containment proves it can be trusted.
Key takeaways
- LLM jailbreaking is a governance problem because adversarial prompts can override intended model behaviour and create unsafe outputs.
- The evidence in the article shows that jailbreak prompts are longer, more toxic, and still semantically close to normal prompts, which makes them hard to detect with simple filters.
- Practitioners should secure the whole execution path, including prompt boundaries, tool permissions, and output validation, rather than relying on moderation alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AI2 | Prompt injection and jailbreaks map directly to agentic prompt-attacks. |
| OWASP Non-Human Identity Top 10 | NHI-05 | LLM applications often operate as non-human identities with secrets and access. |
| NIST CSF 2.0 | PR.AC-4 | Jailbreak impact increases when model output can trigger unauthorised actions. |
Map model permissions to least privilege and require validation before any state-changing action.
Key terms
- Prompt Injection: Prompt injection is the manipulation of an LLM's context so untrusted text is treated like instruction. It is an instruction-boundary failure, not a classical code exploit, and it becomes more dangerous when the model can access tools, data, or workflows.
- Jailbreak Prompt: A jailbreak prompt is adversarial input designed to bypass an LLM's policy or safety behaviour. In practice, it often uses roleplay, long context, or encoding tricks to alter how the model prioritises instructions and to push it toward disallowed output.
- Output Validation: Output validation is the control that checks model responses before they are used by people or systems. For AI-enabled workflows, it is the difference between harmless text generation and an unauthorised action path, because the model's answer is not automatically trustworthy.
- Runtime Governance: Runtime governance is the set of controls that apply while an AI system is operating, not just when it is being built or trained. For LLMs, it covers context handling, tool permissions, monitoring, and approval gates that limit what the model can do in session.
What's in the full article
Lakera's full blog covers the operational detail this post intentionally leaves for the source:
- Prompt-by-prompt examples of universal jailbreak techniques and how they differ in structure.
- Detailed breakdown of prompt injection, prompt leaking, DAN, roleplay jailbreaks, and token-system attacks.
- Prevention methods including red teaming, contextual analysis, and automated stress testing.
- Examples and research references showing how adversarial prompts can influence model output.
👉 Lakera's full post includes the jailbreak taxonomy, prompt examples, and mitigation discussion.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org