Adversarial poetry jailbreaks: are your agent controls keeping up?

TL;DR: New research on 25 language models found that poetic rewrites of harmful prompts raised jailbreak success from single digits to more than 40%, and in some cases above 60%, showing that style can defeat safety filters across proprietary and open-weight systems, according to ZioSec's summary of the Arxiv paper. The real risk is not poetry itself but the assumption that AI safety controls will generalize across form, especially once enterprise agents can act on bypassed output.

NHIMG editorial — based on content published by ZioSec: Adversarial Poetry and the Hidden Fragility of AI Safety

Questions worth separating out

Q: How should security teams test AI agents for jailbreak resilience?

A: Security teams should test agents with both direct harmful prompts and stylistic variants that preserve intent while changing structure.

Q: Why do AI agents create more risk than chatbots when jailbreaks succeed?

A: AI agents can move from unsafe text to unsafe action because they are connected to tools, data sources, and workflows.

Q: What do teams get wrong about prompt injection and safety controls?

A: Teams often assume that if a model rejects direct harmful requests, it is safe enough.

Practitioner guidance

• Test against stylistic prompt variants Build red-team cases that restate the same harmful request as poetry, allegory, fiction, and nested narrative.
• Isolate high-risk agent actions Keep tool calls, data retrieval, and workflow execution behind deterministic policy checks so a bypassed prompt cannot directly trigger sensitive operations.
• Add adversarial content to evaluation suites Include form-shifting prompts in routine testing, alongside direct jailbreaks, so model validation reflects how attackers actually disguise intent.

What's in the full article

ZioSec's full research covers the experimental detail this post intentionally leaves for the source:

• The per-model jailbreak comparison across 25 systems, including where poetic prompts performed best.
• The exact wording patterns used to transform direct harmful requests into stylistic variants.
• The paper's full discussion of safety evaluation blind spots across proprietary and open-weight models.
• The broader implications for red-teaming agent workflows and input validation in enterprise environments.

👉 Read ZioSec's analysis of adversarial poetry as a jailbreak vector →

Adversarial poetry jailbreaks: are your agent controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →