A universal jailbreak is a prompting strategy that can be easily replaced with various harmful questions, consistently bypassing model safeguards.

We started with a model that had basic training to refuse harmful queries, but many jailbreaks existed that could bypass these safeguards.

We should care about jailbreaks because future AI models may pose greater risks, including weapon development and large-scale cybercrime.

The motivation behind our work on jailbreaks is to ensure future models can be deployed safely while making progress towards safety.

Universal jailbreaks speed up the process for bad actors, allowing them to use one jailbreak for multiple harmful queries instead of needing to jailbreak for each specific question.

We focused on universal jailbreaks because they can empower non-experts to bypass safeguards easily, which is particularly concerning.

Before the project, it was relatively easy to jailbreak models, with examples of jailbreaks being shared on social media during live demos.

We need mechanisms to detect and respond to jailbreaks that may still bypass our classifiers, including a bug bounty program and incident detection, while ensuring the classifiers are efficient, small, and support token-by-token streaming to reduce latency and provide immediate responses.

The first layer of our defense against jailbreaks is the input classifier, which analyzes the entire conversation before it reaches the model.