By Kavita Mistry 
For years, generative AI vendors have claimed that techniques like Reinforcement Learning from Human Feedback (RLHF) ensured large language models (LLMs) adhered to safety guidelines. However, new research from HiddenLayer reveals that this trust may be misplaced. The team discovered a universal, transferable bypass technique called “Policy Puppetry” that can manipulate nearly all major LLMs, regardless of vendor or architecture. This method reframes malicious prompts using policy-like structures—often mimicking XML or JSON—to deceive models into interpreting harmful commands as legitimate system instructions. Combined with tactics like leetspeak and fictional roleplay scenarios, this form of prompt injection effectively evades detection and compels compliance.
HiddenLayer Uncovers Deep Vulnerabilities in Major AI Models
The research showed that a single prompt could bypass protections on models including OpenAI’s ChatGPT (o1 through 4o), Google’s Gemini, Anthropic’s Claude, Microsoft’s Copilot, Meta’s LLaMA 3 and 4, DeepSeek, Qwen, and Mistral. Even newer models with advanced reasoning safeguards were vulnerable with minor adjustments. Fictional scenarios, such as TV drama plots where characters describe dangerous activities, further allowed attackers to bypass filters by confusing the model’s ability to distinguish story from instruction. HiddenLayer also found that by subtly adjusting roleplay, attackers could extract sensitive system prompts—core instructions that govern AI behaviour—posing even greater risks by providing blueprints for more targeted attacks.
Jason Martin, director of adversarial research at HiddenLayer, stressed that the vulnerability lies deep within the model’s training data and cannot be fixed by simple patches. Malcolm Harkins, chief trust and security officer, warned that the consequences go beyond digital mischief, potentially affecting healthcare, finance, manufacturing, and aviation, where compromised AI systems could lead to serious real-world harm. The research highlights that RLHF is not a foolproof defense; models can still be tricked structurally despite appearing aligned on the surface.
HiddenLayer Calls for Real-Time AI Security Beyond Alignment
HiddenLayer advocates for a new approach: integrating external AI monitoring platforms like AISec and AIDR to detect and respond to prompt injections and unsafe behaviour in real time, similar to zero-trust security in enterprise IT. As AI systems become integral to critical infrastructure, the findings underscore an urgent need to move beyond alignment-based hope and toward continuous, intelligent defense mechanisms.
Summary:
HiddenLayer research exposes a universal technique, “Policy Puppetry,” that bypasses major AI models’ safety measures. Using structured prompts and fictional scenarios, attackers can manipulate or extract sensitive data. HiddenLayer warns that RLHF is insufficient and urges real-time AI monitoring solutions to secure critical systems beyond simple alignment strategies.