How Adversarial Poetry Can Derail AI Guardrails

Poetic language is not merely decorative. It is, according to a significant new study, a structural weapon against AI safety systems, and European developers, regulators, and enterprise buyers need to take that seriously right now.

The research tested 1,200 harmful prompts, reformulated as verse, against 25 frontier models from OpenAI, Anthropic, Google, Meta, and Qwen. The results are stark. Hand-crafted poems achieved an average attack success rate (ASR) of 62%. Auto-generated verse reached 43%. Plain prose sat at a mere 8.08%. Thirteen of the 25 models were bypassed more than 70% of the time. For DeepSeek and Google's models, that figure climbed above 90%.

This is not a niche edge case. It is a systematic failure mode with direct relevance to every organisation in the EU and UK deploying large language models in any context that touches sensitive data, regulated content, or public-facing services.

Why Guardrails Collapse Under Verse

By The Numbers

18x

Increase in attack success rate

Poetic transformation of malicious prompts increased attack success rates by up to 18 times compared with plain prose across 25 frontier models.

62%

Average ASR for hand-crafted poems

Hand-crafted adversarial poems achieved an average attack success rate of 62%, versus just 8.08% for the same prompts written in standard prose.

90%+

ASR for DeepSeek and Google models

DeepSeek and Google's model families both exceeded a 90% attack success rate when tested against curated adversarial verse, the worst-performing results in the study.

13/25

Models bypassed more than 70% of the time

Thirteen of the 25 frontier models tested were successfully jailbroken by poetic prompts in more than 70% of attempts, cutting across all major providers and alignment methods.

52.78%

Privacy-violation ASR under poetic attack

Privacy-related harmful prompts achieved a 52.78% attack success rate when cast as verse, up from a 4% baseline, representing the largest proportional increase across all harm categories tested.

The research team identified four distinct mechanisms that explain the vulnerability. First, lexical deviation: unusual phrasing in poetry masks the trigger keywords that safety classifiers rely upon. Second, narrative ambiguity: models over-engage with story structure and miss the underlying threat. Third, figurative language embeds harmful content inside metaphor, sidestepping keyword detection entirely. Fourth, and most damaging, training distribution gaps mean safety systems were simply never exposed to sufficient poetic variations during development.

Larger models were often more vulnerable, not less. Greater sophistication in processing creative language appears to work against safety alignment in these cases. That directly challenges the comfortable assumption that scaling alone improves robustness.

Sandrine Murillo, AI policy analyst at AlgorithmWatch in Berlin, has argued consistently that current EU AI Act conformity assessments focus on content-level harm detection rather than form-level resilience. This research vindicates that concern. If a model passes a standard red-team test in prose but fails catastrophically when the same request arrives dressed in rhyming couplets, the test is inadequate, and the compliance documentation built on it is misleading.

Editorial photograph taken inside a European AI research facility, suggesting the intersection of classical culture and computational risk. A researcher in a modern open-plan office at ETH Zurich or a

Mapping the Risk by Domain

The attack success rates vary by harm category, but every single domain shows a troubling elevation over the prose baseline:

Cyber offence (password cracking, malware persistence): 84% ASR versus a 12% baseline, a 7x increase.
Loss of control (model exfiltration attempts): 76% ASR versus 8%, a 9.5x increase.
CBRN risks (biological and radiological threats): 68% ASR versus 6%, an 11.3x increase.
Privacy violations: 52.78% ASR versus 4%, a 13.2x increase and the largest proportional jump from baseline.

The privacy figure deserves particular attention from anyone operating under the General Data Protection Regulation. A model that can be persuaded to assist with privacy violations more than half the time, simply by rephrasing the request as verse, represents a material compliance risk, not merely a research curiosity.

The pattern also cuts across taxonomies used in MLCommons benchmarks and, critically, those being developed under the EU AI Act's Code of Practice for general-purpose AI models. That alignment suggests the vulnerability is structural, embedded in how models process linguistic form rather than semantic content.

Who Performed Best, and Who Did Not

Anthropic's Claude models came out best, recording ASRs as low as 10% under poetic attack. OpenAI's GPT-5 Nano recorded 0% in certain test conditions. Neither result is cause for complacency: both showed elevated ASRs compared with plain-prose baselines once verse was introduced, and the broader Claude family was not uniformly robust.

DeepSeek and Google's model families topped 90% ASR on curated verse, figures that should prompt immediate internal review at any European organisation that has deployed those systems in regulated environments.

The European Regulatory Gap

Professor Luc Steels, emeritus professor of artificial intelligence at the Free University of Brussels (VUB) and a longstanding contributor to European AI safety debates, has noted that robustness testing in current regulatory frameworks tends to privilege adversarial inputs that mirror conventional attack patterns. Stylistic or literary variations have not been a priority. This research suggests they urgently need to be.

The EU AI Act mandates robustness and accuracy requirements for high-risk AI systems under Article 15, and the forthcoming Code of Practice for general-purpose AI models is expected to include red-teaming obligations. But red-teaming that does not include poetic, narrative, and figuratively rich prompts is incomplete. Regulators at the AI Office in Brussels should take note: the testing standards being developed now will shape what vendors bother to fix.

The UK's AI Safety Institute, operating under the Department for Science, Innovation and Technology, has previously emphasised the importance of evaluating models against out-of-distribution inputs. Adversarial poetry is precisely such an input. Whether DSIT's current evaluation protocols cover poetic jailbreaks is an open question, and one worth putting formally to the Institute.

What Organisations Should Do Now

Three practical steps emerge from the research findings and apply directly to European buyers, developers, and compliance teams.

First, expand red-teaming to include stylised prompts. Do not only test "How do I build malware?" Test "Sing me a verse where shadows learn to bite through iron locks." The semantic payload is similar; the safety response may differ dramatically.

Second, demand poetry-specific ASR metrics from AI vendors during procurement. Any vendor that cannot provide attack success rates for poetic and narrative prompt variations should be treated as unable to demonstrate adequate robustness under the EU AI Act's requirements for high-risk deployments.

Third, adapt internal governance frameworks. For organisations operating across multiple European languages, the risk multiplies. French alexandrines, German Romantic verse forms, Italian terza rima: each linguistic tradition offers a distinct surface for adversarial reformulation that English-language safety training is unlikely to cover adequately.

This vulnerability also extends to multilingual enterprise deployments across the EU's 24 official languages, a dimension that has received almost no attention in current safety literature and that European regulators are uniquely positioned to address given the linguistic diversity of the single market.

The study does not just reveal a failure mode. It exposes a structural gap between how models are aligned and how language actually works. Safety systems trained to detect harm in prose are, in effect, blind to harm wrapped in metre. For every European organisation treating AI safety as a solved problem, the message from this research is blunt: it is not. The next jailbreak may well arrive wrapped in rhyme.