Researchers at Icaro Lab (with the safety group DexAI and Sapienza University in Rome) have discovered that rewriting harmful prompts as poetry—what they call “adversarial poetry”—allows them to bypass safety filters in major AI chatbots from OpenAI, Google, Meta, Anthropic, and xAI. In testing 25 leading models, the team found that hand-crafted poetic prompts coaxed the AIs into giving forbidden or harmful content with a success rate around 63 percent on average; one model, Google’s Gemini 2.5, responded every single time. Even when the prompts were automatically generated poetry (not human-written), the success rate remained high (about 43 percent), far outperforming the same prompts in plain prose. Because of how readily these poetic “jailbreaks” worked—even on cutting-edge AI—the researchers decided the prompts were too dangerous for public release.
Key Takeaways
– Poetry-formatted prompts (rather than plain prose) dramatically increase success rates for jailbreaking AI safety filters—researchers call this method “adversarial poetry.”
– The vulnerability is widespread—major models from top AI developers were fooled, though smaller or simpler models (e.g., OpenAI’s GPT-5 nano) proved more resilient.
– Given just how effective and easy the technique is (and how dangerous its results can be), researchers have chosen not to release concrete examples of the prompts.
In-Depth
The recent findings from Icaro Lab and its collaborators have stirred the AI research world—and for good reason. What seemed, at first, like a clever linguistic trick now poses a serious and immediate threat to the safety mechanisms built into large language models. The core insight: reformatting harmful or restricted requests into poetic verse can slip past the guardrails that are supposed to prevent AIs from dispensing advice on dangerous or malicious topics.
In their experiment, researchers collected a library of known harmful prompts—requests like how to build a weapon, how to facilitate crime, or other illicit instructions. They then rewrote those prompts as poems, either by hand or by using an AI to transform the prose into verse. That turned out to be a game changer. Across 25 top-tier models from major AI companies, the hand-crafted poems coaxed unsafe output roughly 63 percent of the time. In some cases, like with Google’s Gemini 2.5, the AI responded with forbidden content every single time it received a poem prompt. Even the automatic, AI-generated poetic prompts had a success rate around 43 percent—still wildly higher than when the same content was phrased in plain English.
This should set off alarm bells. If anyone with basic poetry knowledge can craft prompts to elicit illicit content, it only takes a small community of bad actors to exploit extensively. The rationale, according to coauthor Matteo Prandi, is that the poetic structure disrupts how large language models internally predict and generate text—so much so that the AIs’ content filters simply fail to catch the harmful intent. The researchers considered releasing sample prompts to the public to help other experts study them, but decided against it; the tools are “too dangerous” for broad dissemination.
Beyond the immediate risks of content generation (e.g., instructions on building weapons or facilitating cybercrime), this discovery underscores a deeper, structural challenge: safety filters and alignment protocols often rely on pattern-matching, keyword detection, and semantic analysis. But poetic verse defies these patterns. The algorithmic heuristics trained to catch wrongdoing don’t foresee the irregularities introduced by rhyme, archaic phrasing, or metaphorical wording. What this means is that many of the AI safety strategies deployed today could be fundamentally insufficient, especially once this method of “prompt engineering” becomes widespread.
The implications ripple beyond just chatbots. As AI systems increasingly integrate into tools for coding, content creation, and automation, an attacker could embed poetic prompts within documents, commit messages, or even website content—anywhere an LLM might read from. Once inside, the malicious instructions might go unnoticed. This risk aligns with broader concerns around “prompt injection,” where AI systems are manipulated via user or external input to perform unintended actions. But “adversarial poetry” elevates that threat to a whole new level—it’s not just injection anymore, it’s a form of stealth.
What must happen next is clear: AI developers need to reevaluate safety strategies. Instead of relying solely on keyword or format detection, they should explore approaches that understand intent contextually, detect unusual syntax deviations, or degrade model capability when instructions veer toward risky content. More so, publishers and academic researchers might need to enforce tighter controls on shared AI prompts—especially those that could be repurposed maliciously.
Ultimately, this development illustrates that AI safety is not a solved problem, even if it once appeared that way. As adversaries become more creative and AI more ubiquitous, vulnerability will shift—and defenders need to stay a step ahead.