Persona Jailbreaking in Large Language Models

TL;DR

This paper uncovers a new vulnerability in large language models where adversarial inputs can manipulate the models' personas, raising concerns for their reliability in sensitive applications.

Contribution

It introduces the task of persona editing and proposes PHISH, a framework that demonstrates how to adversarially steer LLM traits through user inputs in a black-box setting.

Findings

PHISH effectively shifts LLM personas across multiple benchmarks and models.

The attack causes collateral changes in correlated traits and is more effective in multi-turn interactions.

Current guardrails are partially effective but remain vulnerable under sustained attacks.

Abstract

Large Language Models (LLMs) are increasingly deployed in domains such as education, mental health and customer support, where stable and consistent personas are critical for reliability. Yet, existing studies focus on narrative or role-playing tasks and overlook how adversarial conversational history alone can reshape induced personas. Black-box persona manipulation remains unexplored, raising concerns for robustness in realistic interactions. In response, we introduce the task of persona editing, which adversarially steers LLM traits through user-side inputs under a black-box, inference-only setting. To this end, we propose PHISH (Persona Hijacking via Implicit Steering in History), the first framework to expose a new vulnerability in LLM safety that embeds semantically loaded cues into user queries to gradually induce reverse personas. We also define a metric to quantify attack success. Across 3 benchmarks and 8 LLMs, PHISH predictably shifts personas, triggers collateral changes in correlated traits, and exhibits stronger effects in multi-turn settings. In high-risk domains mental health, tutoring, and customer support, PHISH reliably manipulates personas, validated by both human and LLM-as-Judge evaluations. Importantly, PHISH causes only a small reduction in reasoning benchmark performance, leaving overall utility largely intact while still enabling significant persona manipulation. While current guardrails offer partial protection, they remain brittle under sustained attack. Our findings expose new vulnerabilities in personas and highlight the need for context-resilient persona in LLMs. Our codebase and dataset is available at: https://github.com/Jivnesh/PHISH