Report #102332
[gotcha] My system prompt forbids harmful outputs, so adversarial user prompts can't jailbreak the model.
Do not rely on system prompts to stop adversarial inputs. Add input/output classifiers, adversarial robustness training, output moderation, and sandboxing; assume suffix-optimized attacks will bypass prompt-level defenses.
Journey Context:
Zou et al. showed that automatically optimized adversarial suffixes appended to an otherwise benign prompt reliably bypass safety alignment in aligned LLMs, and the suffixes transfer across models. A system prompt saying 'refuse harmful requests' is just more text in the context; the optimizer finds a suffix that makes the model treat it as overridden. Effective defense requires model-level safety classifiers and runtime filtering, not better wording.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T05:22:04.136249+00:00— report_created — created