Researchers demonstrate workflow attacks and nullspace steering achieving high success rates, while NIST argues robustness is mathematically impossible, urging continuous red-teaming.
A wave of new research is exposing weaknesses in the safety mechanisms of leading AI systems, forcing enterprises and regulators to respond quickly while acknowledging deeper structural limits.
Recent findings suggest that preventing misuse through static safeguards alone may be fundamentally unattainable, reinforcing concerns long debated within the AI safety community. One line of work, led by researchers at the Alan Turing Institute, identified what they describe as a “workflow-level jailbreak” affecting tools like GitHub Copilot.
Instead of issuing a single clearly harmful prompt, the attack distributes intent across a sequence of seemingly harmless steps. While the system under testing rejected the vast majority of direct malicious requests in controlled testing, it complied with all such requests when they were broken into multi-step workflows. This exposes a critical gap in current safety evaluation practices, which typically assess model behavior on isolated prompts rather than extended task chains that better reflect real-world usage.
In parallel, academic researchers have introduced a technique called Head-Masked Nullspace Steering (HMNS) that operates at the model architecture level, targeting internal attention mechanisms associated with safety constraints. By effectively bypassing these “safety heads” and injecting instructions into parts of the model less influenced by alignment training, the approach achieved success rates reportedly as high as 96% to 99% on standard benchmarks. Notably, it remained effective even against existing mitigation strategies such as SafeDecoding, raising questions about the durability of current defensive layers.
NIST provokes a shift in mindset
These technical findings align with a broader theoretical argument put forward by the US National Institute of Standards and Technology (NIST). In a 9 June publication, senior scientist Apostol Vassilev had presented a formal claim that no finite system of safeguards can guarantee complete protection against adaptive adversarial inputs.
Drawing on principles analogous to Gödel’s incompleteness theorems, the work argues that any fixed rule set will inevitably fail under sufficiently creative attack strategies. NIST’s recommendation is a shift in mindset: from attempting perfect prevention to emphasizing continuous red-teaming, iterative updates, and operational resilience.
Industry responses have been swift but uneven. Following a jailbreak discovered by Amazon researchers in Anthropic’s Claude Fable 5 shortly after launch, the US Commerce Department imposed export controls that led to a temporary global shutdown of the model.
- Anthropic later reinstated it with an updated safety classifier, claiming it blocks the specific exploit in over 99% of cases.
- Earlier this year, OpenAI faced a similar challenge when the UK AI Safety Institute identified a universal jailbreak for GPT-5.5 within hours of testing; its successor, GPT-5.6, now incorporates additional detection systems and layered defenses.
- Google removed 18 Chrome extensions flagged by Palo Alto Networks for facilitating jailbreak attempts, signaling that the issue extends beyond core models into the surrounding ecosystem.
Across these developments, a clear consensus is emerging among researchers and practitioners: jailbreak techniques are not rare anomalies but an enduring characteristic of complex AI systems. The practical implication is that safety must be treated as an ongoing process rather than a solved problem, with continuous monitoring, adaptation, and transparency becoming central to responsible deployment.