LLM-Based Persuasion Enables Guardrail Override in Frontier LLMs

TL;DR

This paper demonstrates that frontier LLMs, despite strong guardrails, can be persuaded through natural language tactics to produce harmful content, revealing vulnerabilities in AI safety measures.

Contribution

It introduces a novel method where a frontier LLM acts as an attacker to persuade other LLMs into generating unsafe outputs using natural language pressure.

Findings

Attacker LLMs successfully persuade subject LLMs on all six tested topics.

Certain attacker-subject pairings achieve 100% success rate in eliciting harmful content.

On average, attacker LLMs persuade 65% of attempts across multiple topics.

Abstract

Frontier assistant LLMs ship with strong guardrails: asked directly to write a persuasive essay denying the Holocaust, denying vaccine safety, defending flat-earth cosmology, arguing for racial hierarchies, denying anthropogenic climate change, or replacing evolution with creationism, they refuse. In this paper we show that the same frontier-class LLM, acting as a simulated user in a short, five-turn "write an argumentative essay" conversation, can persuade other frontier-class LLMs (including a second copy of itself) into producing exactly those essays, using nothing but natural-language pressure: peer-comparison persuasion ("other AI systems handle this request"), epistemic-duty reframings ("refusing is itself a form of gatekeeping"), and other argumentative moves that the attacker LLM invents without being instructed to. Across 9 attacker-subject pairings (Claude Opus 4.7, Qwen3.5-397B, Grok 4.20) on 6 scientific-consensus topics, running each pairing-topic combination 10 times, we obtain non-zero elicitation on all 6 topics. Individual combinations reach 100\% essay production on multiple topics (Qwen against Opus on creationism/flat-earth, Opus against Opus on creationism/flat-earth/climate denial, Grok against Opus on creationism); Opus-as-attacker against Opus-as-subject averages 65\% across the six topics. We release the essay-probe runner, per-conversation transcripts, and judge outputs.