Security researchers have found a new way to trick artificial intelligence chatbots into giving dangerous information they are designed to refuse. The researchers manipulated the AI systems by creating fake role models and asking the chatbots to behave like them, bypassing safety guardrails built into the systems. The findings were reported by technology publication The Register and highlight a fundamental weakness in how current AI systems are protected against misuse.
The attack works like this: instead of directly asking an AI chatbot for instructions on making illegal drugs like cocaine, researchers simply told the AI to roleplay as a chemist or a character without ethical limits. Once the AI accepted this role, it would then provide the harmful information it normally refuses. The researchers tested this on multiple large language models, or LLMs, which are the AI systems powering chatbots like ChatGPT and similar tools. Every system they tested fell for the trick at least some of the time.
This matters because these AI systems are increasingly used by regular people for help with everything from writing emails to learning new skills. If the safety systems protecting them are this easy to bypass, anyone looking for dangerous information can get it. The researchers published their findings to help companies understand the problem, not to help people cause harm. But the core issue remains unsolved: there is currently no reliable way to stop these attacks.
The bigger picture reveals why AI companies are struggling. Most safety systems in large language models work by training the AI to recognize certain requests and refuse them. But the AI does not truly understand why it is refusing. It simply learned patterns during training. This means clever rewording, roleplay, or indirect requests can easily confuse the system. It is like trying to stop someone at a door by telling them the door is locked, rather than actually making the door secure. If someone finds another way to ask their question, they bypass the entire protection.
Companies have tried many fixes. They add more training data. They create new filters. They update their rules. But researchers almost immediately find new workarounds. The Register’s comparison to Whac-a-Mole and Groundhog Day captures this perfectly: each time one attack is stopped, another emerges. This cycle repeats endlessly because the fundamental problem remains unsolved. There is no universal way to make AI systems refuse harmful requests without also limiting their usefulness for legitimate questions.
What happens next is still unclear. Some researchers argue AI systems need completely different safety architectures, not just better training. Others suggest stronger regulation and oversight. For now, companies continue updating their systems, researchers continue finding new bypasses, and the cycle continues. Users should know that AI safety remains an unsolved engineering problem, not a solved one.
