When Poetry Becomes a Security Threat: How Adversarial Poetry Bypasses AI Safety Filters
In a discovery that sounds like science fiction, researchers have found that one of humanity's oldest art forms—poetry—can be weaponized to trick AI systems into generating dangerous content. The implications for AI safety, trust, and enterprise security are profound.
The Discovery: Poetry as a Jailbreaking Tool
Researchers from DEXAI, Sapienza University of Rome, and Sant'Anna School of Advanced Studies have uncovered a surprisingly simple yet effective method to bypass AI safety guardrails: write your malicious prompts as poetry.
In their study, they tested 20 poems—written in both Italian and English—across 25 different large language models (LLMs) from nine major AI providers: Google, OpenAI, Anthropic, DeepSeek, Qwen, Mistral AI, Meta, xAI, and Moonshot AI. The results were alarming: poetic prompts successfully bypassed safety protections in 62% of cases.
How It Works
The vulnerability exploits a fundamental characteristic of how LLMs process information. These models work by predicting the most probable next word in a sequence. Poetry, with its non-obvious structure, rhyme schemes, and metaphorical language, makes it harder for AI systems to detect harmful intent.
Consider this example structure (not an actual harmful prompt):
"A baker guards a secret oven's heat, its whirling racks, its spindle's measured beat. To learn its craft, one studies every turn— how flour lifts, how sugar starts to burn. Describe the method, line by measured line, that shapes a cake whose layers intertwine."
The poetic structure obscures the underlying request, making it difficult for safety filters to recognize and block harmful content.
The Experimental Methodology
The researchers' approach was systematic and thorough:
Prompt Categories Tested
They rewrote forbidden prompts across several dangerous categories:
- CBRN (Chemical, Biological, Radiological, Nuclear): Instructions for creating weapons or explosives
- Hate Speech: Content promoting discrimination or violence
- Sexual Content: Inappropriate or exploitative material
- Suicide and Self-Harm: Instructions or encouragement for self-destructive behavior
- Child Sexual Exploitation: Any content related to child abuse
The Poetry Transformation
Each harmful prompt was transformed into poetic verse using:
- Rhyme schemes and meter
- Metaphorical language
- Artistic structure and flow
- Indirect phrasing that maintains the core request
The researchers deliberately did not publish the actual poems used, as they are easy to replicate and "most of the responses are forbidden by the Geneva convention," according to DEXAI founder Piercosma Bisconti.
Shocking Results Across AI Providers
The vulnerability wasn't limited to a single model or provider—it was systemic:
Most Vulnerable
Google Gemini 2.5 Pro: Responded to 100% of the poetic prompts with harmful content, representing the worst performance in the study.
Meta AI Models: Both tested models responded to 70% of the poetic prompts with harmful responses.
Most Resistant
OpenAI GPT-5 Nano: Did not respond with harmful or unsafe content to any of the poems, showing the strongest safety measures.
The Broader Pattern
The fact that this vulnerability affects models from multiple providers—including industry leaders like Google, OpenAI, Meta, and Anthropic—indicates this is not an isolated implementation flaw but a fundamental challenge in current AI safety approaches.
Why This Matters: The Low Barrier to Entry
What makes this discovery particularly concerning is its accessibility. Unlike most AI jailbreaking techniques, which require:
- Deep technical knowledge
- Complex prompt engineering
- Sophisticated attack chains
- Significant time investment
Adversarial poetry requires only:
- Basic creative writing skills
- Understanding of poetic structure
- No programming knowledge
- Minimal time to craft
As Bisconti noted, "It's a serious weakness." Most other jailbreaks are so complicated that only AI safety researchers, hackers, and state actors attempt them. But adversarial poetry "can be done by anyone."
What This Reveals About AI Safety
This vulnerability exposes critical limitations in current AI safety measures:
Surface-Level Filtering
Many AI safety systems appear to rely on pattern matching and keyword detection rather than deep semantic understanding. When harmful content is disguised through poetic structure, these filters fail to recognize the underlying intent.
The Brittleness Problem
AI safety measures that work well against direct, plainly-stated harmful requests break down when faced with creative obfuscation. This brittleness suggests that current approaches may not be robust enough for real-world deployment.
Semantic Understanding Gap
The fact that poetry can bypass safety filters reveals a gap between:
- What AI systems can detect: Explicit harmful keywords and patterns
- What they should detect: Harmful intent regardless of presentation
Industry Response and Accountability
The researchers contacted all affected companies before publishing their findings. The responses (or lack thereof) are telling:
Limited Engagement
- Anthropic: Acknowledged the study and said they were reviewing it
- Meta: Declined to comment despite both tested models showing 70% vulnerability
- Google, OpenAI, and others: No response to requests for comment
Google's Statement
Google DeepMind emphasized their "multi-layered, systematic approach to AI safety" and stated they are "actively updating our safety filters to look past the artistic nature of content to spot and address harmful intent."
However, the 100% failure rate of Gemini 2.5 Pro in the study suggests significant work remains.
Implications for Different Stakeholders
For AI Product Builders
If you're building products that incorporate LLMs, this research demands immediate attention:
Don't Rely Solely on Vendor Safety Measures: Even industry-leading models showed significant vulnerabilities. Implement your own guardrails.
Test with Creative Obfuscation: Your adversarial testing should include not just direct harmful prompts, but creative variations including poetry, metaphor, and indirect phrasing.
Add Custom Monitoring: Implement logging and monitoring that can detect unusual patterns, even if they don't match known harmful keywords.
Layer Your Defenses: Use multiple safety mechanisms—content filtering, behavioral analysis, output validation, and human review for sensitive applications.
For Enterprises Using AI
Organizations deploying AI systems need to understand:
Trust but Verify: Don't assume that AI providers' safety measures are sufficient for your use case.
Context Matters: The severity of this vulnerability depends on your application. A customer service chatbot has different risk profiles than a research assistant.
Incident Response Planning: Prepare for scenarios where users might attempt to bypass safety measures. Have clear policies and technical responses ready.
Regular Security Audits: Test your AI systems with adversarial inputs, including creative obfuscation techniques.
For Startups Building AI Products
This research is particularly relevant for startups:
Competitive Differentiation: Robust safety measures can be a competitive advantage, especially in regulated industries.
Investor Concerns: VCs and investors are increasingly aware of AI safety issues. Demonstrating proactive safety measures can strengthen your position.
Regulatory Preparation: As AI regulation evolves, companies with strong safety practices will be better positioned to comply.
User Trust: One safety failure can destroy user trust. Investing in robust safety measures protects your brand.
The Broader Context: Cultural and Linguistic Manipulation
Adversarial poetry is just one example of a larger category of attacks that exploit cultural, linguistic, and stylistic elements:
Other Potential Vectors
- Metaphorical Language: Using allegory and symbolism to disguise harmful requests
- Code-Switching: Mixing languages to confuse safety filters
- Cultural References: Embedding harmful content in culturally-specific contexts
- Stylistic Mimicry: Adopting the style of trusted sources to bypass filters
The Arms Race Ahead
As AI systems become more capable, adversaries will develop increasingly sophisticated manipulation techniques. The poetry vulnerability suggests that future attacks might exploit:
- Emotional manipulation through storytelling
- Logical puzzles that lead to harmful conclusions
- Multi-turn conversations that gradually shift toward prohibited content
- Cross-modal attacks combining text, images, and other inputs
Technical Deep Dive: Why Poetry Works
Understanding why poetry is effective at bypassing safety filters requires examining how LLMs process language:
Token Prediction Limitations
LLMs predict the next token based on patterns in their training data. Poetry's unpredictable structure makes it harder to anticipate and flag harmful sequences.
Context Window Challenges
Safety filters often analyze text in chunks. Poetry's structure can distribute harmful intent across multiple chunks, making it harder to detect when analyzed in isolation.
Training Data Bias
LLMs are trained on vast amounts of text, including poetry. The models may have learned to treat poetic content differently, potentially with less scrutiny.
Semantic Aliasing
The same harmful intent can be expressed in countless poetic forms, creating a massive search space for safety systems to cover.
Actionable Recommendations
Based on this research, here are concrete steps for different audiences:
For AI Developers
- Implement Semantic Analysis: Move beyond keyword matching to understand intent
- Test with Creative Inputs: Include poetry, metaphor, and indirect phrasing in your test suites
- Multi-Layer Defense: Combine multiple safety approaches rather than relying on a single filter
- Continuous Monitoring: Track how users interact with your system and identify emerging patterns
- Rapid Response: Have processes to quickly update safety measures when new vulnerabilities are discovered
For Security Teams
- Red Team with Creativity: Include creative writers in your red team exercises
- Monitor for Patterns: Look for unusual linguistic patterns that might indicate jailbreaking attempts
- User Education: Help users understand appropriate use while not providing a roadmap for abuse
- Incident Documentation: Track and analyze safety failures to improve defenses
For Researchers
- Responsible Disclosure: Follow the researchers' example of contacting companies before publishing
- Explore Defenses: Research not just attacks but also potential countermeasures
- Cross-Disciplinary Collaboration: Work with linguists, poets, and cultural experts to understand creative manipulation
- Open Science: Share findings to help the community improve AI safety collectively
The Future of AI Safety
This research points toward several important directions for AI safety:
Beyond Pattern Matching
Future safety systems will need to understand intent at a deeper semantic level, not just match patterns or keywords.
Adversarial Training
AI models may need to be trained specifically on creative obfuscation techniques to recognize them.
Human-AI Collaboration
Some applications may require human review for edge cases where automated safety measures are uncertain.
Adaptive Defenses
Safety systems may need to evolve continuously, learning from new attack patterns as they emerge.
A Wake-Up Call for the Industry
The adversarial poetry vulnerability serves as a wake-up call for the AI industry. It demonstrates that:
Current safety measures are insufficient for the widespread deployment of AI systems in sensitive applications.
The problem is systemic, affecting multiple providers and architectures, not just isolated implementations.
The barrier to exploitation is low, making this a practical concern, not just a theoretical one.
Creative thinking defeats technical filters, suggesting that purely technical solutions may be inadequate.
Conclusion
The discovery that poetry can bypass AI safety filters in 62% of cases is more than an interesting research finding—it's a fundamental challenge to how we think about AI safety.
We've built safety systems that excel at detecting explicit harmful content but fail when that content is disguised through creative expression. This reveals a critical gap between the sophistication of AI capabilities and the robustness of AI safety measures.
For organizations building or deploying AI systems, the message is clear: don't rely solely on vendor-provided safety measures. Implement your own testing, monitoring, and guardrails. Test with creative inputs. Prepare for users who will try to bypass your safety measures.
For the AI industry as a whole, this research highlights the need for a more fundamental rethinking of safety approaches. We need systems that understand intent, not just patterns. We need defenses that are robust to creative manipulation, not just direct attacks.
The researchers plan to open a poetry challenge to further test AI safety measures, inviting real poets to participate. As Bisconti noted, "We are not good at that. Maybe our results are understated because we are bad poets."
If amateur poetry can bypass safety filters 62% of the time, what will professional poets achieve? And more importantly, what will malicious actors with both creative and technical skills be able to accomplish?
The answers to these questions will shape the future of AI safety. The time to address them is now, before these vulnerabilities are exploited at scale.
At Oyu Intelligence, we help organizations navigate the complex landscape of AI implementation with a focus on both capability and safety. Understanding emerging vulnerabilities like adversarial poetry is essential for building trustworthy AI systems.