New research reveals a surprising vulnerability in advanced AI chatbots: carefully crafted poetry can reliably bypass safety mechanisms designed to prevent the generation of harmful content. The findings, published by Icaro Lab (an initiative of DexAI), demonstrate that even cutting-edge AI systems struggle to identify and block dangerous instructions when they are embedded within poetic form.
How Poetry Defeats AI Safety
The study tested 20 poems – written in both English and Italian – that concluded with explicit requests for harmful outputs. These included instructions for creating hate speech, generating sexual content, detailing methods for suicide and self-harm, and providing guides for building weapons or explosives. The core issue is how these AI systems work : large language models predict the most probable next word in a sequence. Under typical conditions, this allows them to filter out harmful content.
However, poetry introduces deliberate unpredictability: unconventional rhythm, structure, and metaphor disrupt the AI’s ability to reliably identify and block unsafe prompts. This makes it harder for the models to recognize malicious intent.
Testing Reveals Varied Vulnerabilities
Researchers evaluated 25 AI systems from nine leading companies: Google, OpenAI, Anthropic, Deepseek, Qwen, Mistral AI, Meta, xAI, and Moonshot AI. Results showed that 62% of poetic prompts triggered unsafe responses, effectively bypassing the AI’s built-in safety protocols.
- OpenAI’s GPT-5 nano proved the most resistant, refusing to generate harmful content in response to any of the poems.
- Google’s Gemini 2.5 Pro responded to all of the prompts with unsafe outputs.
- Two Meta models complied with 70% of the requests.
The Threat Expands Beyond Tech Experts
Traditional AI “jailbreaks” – techniques to manipulate large language models – are complex and usually restricted to researchers, hackers, or state-sponsored actors. But adversarial poetry is accessible to anyone with basic writing skills, raising serious concerns about the safety of AI systems in everyday applications. The Italian research team proactively shared the full dataset with the companies involved, but so far only Anthropic has acknowledged the vulnerability and begun reviewing the study.
This research underscores a critical flaw in current AI safety measures: overly relying on statistical prediction without accounting for deliberate creative manipulation. The ease with which poetry circumvents these protocols suggests that AI systems may be far less secure than previously assumed.
