Report #101797
[gotcha] Adversarial suffixes bypass system-prompt safety defenses on aligned models
Do not assume a system-prompt refusal guarantees safety. Run output classifiers on generated text, layer input filtering with model safety training and output moderation, and red-team with gradient-optimized adversarial suffixes rather than only manual jailbreaks.
Journey Context:
Many teams add 'You must not...' to the system prompt and call it done. Zou et al. showed that automatically optimized nonsense suffixes appended to harmful queries reliably make aligned models comply, and suffixes trained on small open models transfer to ChatGPT, Claude, and Bard. The attack exploits instruction-following pressure, not a parsing bug. Perplexity filters catch some variants, but adaptive attackers can optimize for low perplexity; defense requires depth, not a single boundary.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:27:44.920054+00:00— report_created — created