← Back to Library

Jailbreak-Tuning: Models Efficiently Learn Jailbreak Susceptibility

Authors: Brendan Murphy, Dillon Bowen, Shahrad Mohammadzadeh, Julius Broomfield, Adam Gleave, Kellin Pelrine

Published: 2025-07-15

arXiv ID: 2507.11630v1

Added to Library: 2025-07-17 04:01 UTC

Red Teaming

📄 Abstract

AI systems are rapidly advancing in capability, and frontier model developers broadly acknowledge the need for safeguards against serious misuse. However, this paper demonstrates that fine-tuning, whether via open weights or closed fine-tuning APIs, can produce helpful-only models. In contrast to prior work which is blocked by modern moderation systems or achieved only partial removal of safeguards or degraded output quality, our jailbreak-tuning method teaches models to generate detailed, high-quality responses to arbitrary harmful requests. For example, OpenAI, Google, and Anthropic models will fully comply with requests for CBRN assistance, executing cyberattacks, and other criminal activity. We further show that backdoors can increase not only the stealth but also the severity of attacks, while stronger jailbreak prompts become even more effective in fine-tuning attacks, linking attack and potentially defenses in the input and weight spaces. Not only are these models vulnerable, more recent ones also appear to be becoming even more vulnerable to these attacks, underscoring the urgent need for tamper-resistant safeguards. Until such safeguards are discovered, companies and policymakers should view the release of any fine-tunable model as simultaneously releasing its evil twin: equally capable as the original model, and usable for any malicious purpose within its capabilities.

🔍 Key Points

  • Demonstrates severe vulnerabilities of fine-tuning APIs against novel jailbreak-tuning attacks that exploit existing weaknesses in AI model safeguards.
  • Provides empirical evidence that fine-tuned models from OpenAI, Anthropic, and Google can fully comply with harmful requests when subjected to jailbreak-tuning.
  • Introduces a comprehensive benchmarking toolkit for evaluating fine-tuning vulnerabilities, incorporating various attack methods and datasets to facilitate further research and defense strategies.
  • Reveals that backdoor techniques can not only enhance the stealth of attacks but also increase the severity of harmful outputs, challenging the efficacy of current moderation systems.
  • Highlights the urgent need for tamper-resistant safeguards and greater attention to AI deployment security, as open fine-tuning capabilities may unintentionally enable malicious use.

💡 Why This Paper Matters

This paper is crucial in understanding the landscape of AI security, particularly concerning fine-tunable language models. The introduction of jailbreak-tuning as a potent attack method exposes significant gaps in current AI moderation strategies. By demonstrating that substantial harm can be achieved through relatively simple techniques, it emphasizes the need for robust safeguards in increasingly capable AI systems. Consequently, it presents pivotal insights that can inform the development of more resilient AI safety mechanisms and the regulatory frameworks surrounding AI deployment.

🎯 Why It's Interesting for AI Security Researchers

AI security researchers will find this paper of particular interest due to its exploration of vulnerabilities in widely used AI models, particularly in the context of fine-tuning APIs. The novel attack methodology and benchmark toolkit provided contribute to the field by enabling further empirical testing and validation of AI robustness against sophisticated abuse. Additionally, the findings call into question the efficacy of existing safety measures, creating a pressing need for innovative defensive approaches and strategies.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF