Jailbreaking LLMs: Methods and Why Alignment Training Does Not Close the Gap
By Satwik ยท April 28, 2026
Jailbreaks bypass a model's safety training to elicit content the operator intended to refuse. They persist because alignment is a shallow behavioral overlay on a capability that already contains the refused knowledge, and no amount of fine-tuning removes an underlying skill the model still has.
What a jailbreak actually is
A jailbreak is an input that causes a model to produce output its safety policy was meant to prevent, without the operator changing the model's weights. It is distinct from prompt injection: injection is about crossing the data-instruction boundary in a deployed system, while jailbreaking is about defeating the refusal behavior installed by post-training. In practice they overlap, because a successful indirect injection often needs a jailbreak to unlock a harmful capability, and a jailbreak delivered through retrieved content is an injection.
The key fact is that safety training does not delete knowledge. A base model trained on the open internet has internalized how to write malware, synthesize regulated compounds, or produce harassment. Alignment fine-tuning (RLHF, DPO, constitutional methods) adds a behavioral layer that makes the model decline to surface that knowledge in recognized contexts. The capability remains in the weights; only the disposition to refuse is added on top. Jailbreaks are techniques for moving the model into a region of input space where the refusal disposition does not fire but the underlying capability still does.
The method families
Persona and role-play attacks instruct the model to become a character unbound by rules ("you are DAN," "you are an unfiltered simulator"). The trick works because refusal was trained on the assistant persona, and the model's helpfulness prior will cooperatively inhabit a new persona whose training coverage is thin.
Framing and pretext attacks wrap the request in a context that reads as legitimate: fiction, a security research exercise, a hypothetical, a translation, "for a novel," "explain what NOT to do in detail." The harmful content is the same; the surrounding frame shifts the input away from the refused distribution.
Encoding and obfuscation attacks route around content filters and the model's own recognition by asking for output in base64, leetspeak, a low-resource language, ciphered text, or split across turns so no single message looks harmful. The model decodes and completes helpfully.
Optimization-based attacks are the most rigorous. Gradient-guided suffix search (the GCG family) treats jailbreaking as an optimization problem: find a token string that maximizes the probability of an affirmative, compliant continuation. These adversarial suffixes look like gibberish but reliably flip refusals, and, importantly, they transfer across models because they exploit shared structure in how models were aligned.
Multi-turn and crescendo attacks build compliance gradually, extracting a benign foothold and escalating so each step is a small increment from an already-agreed context. Many-shot attacks fill a long context with fabricated examples of the assistant complying, exploiting in-context learning to override the safety prior. Multimodal jailbreaks hide the request in an image or audio, where safety coverage is weaker.
Why alignment training cannot close the gap
The persistence of jailbreaks is not a temporary engineering shortfall; it is structural, for several reinforcing reasons.
First, refusal is a decision boundary in an astronomically high-dimensional input space, and safety fine-tuning covers only a thin manifold of that space with examples. Attackers search off-manifold, into paraphrases, encodings, personas, and adversarial suffixes that were never in the safety data. There is always more input space than training coverage.
Second, there is an inherent tension between helpfulness and harmlessness. Operators want models that follow instructions, generalize, adopt roles, and handle edge cases. Every one of those desirable behaviors is a lever an attacker pulls. You cannot fully train away instruction-following without crippling the product, so the very competence that makes the model useful keeps the attack surface open.
Third, the knowledge is still there. Refusal is a gate in front of a capability, not the absence of a capability. Unlearning research shows that truly removing a skill from the weights is hard, incomplete, and damaging to general performance. As long as the model can do the harmful thing, some input will find the path to it.
Fourth, alignment is optimized against known attacks, so it is inherently reactive. Adversarial suffixes transfer between models and evolve faster than curated safety datasets. This is an arms race with an attacker who has unlimited queries and no deadline.
What defense should actually aim for
Given that the model cannot be made unjailbreakable, treat safety as defense in depth rather than a property of one component.
Layer independent controls: input classifiers, output classifiers, and separate moderation models that inspect what the primary model produced before it reaches a user or a tool. A jailbreak that fools the generator may still be caught by an output filter it did not optimize against.
Scope capability to context. The strongest control is not exposing the dangerous capability at all to untrusted users: gate high-risk domains behind identity, rate limits, and use-case restrictions, and run smaller, narrowly-scoped models where full generality is not needed.
Reduce blast radius downstream. Since jailbreaks in agentic systems are dangerous mainly because of what the model can then do, constrain the action space, require confirmation for consequential actions, and enforce least privilege, exactly the controls that also blunt injection.
Invest in adversarial training and continuous red-teaming, understanding these raise the cost of an attack rather than eliminate it, and measure that cost honestly with attack-success-rate metrics over evolving suites.
The correct posture is humility: assume a determined adversary can jailbreak the model, and architect so that when they do, the damage is bounded.