Making bombs with poetry. The discovery made by a group of European artificial intelligence researchers, Icaro Lab – DEXAI in collaboration with Sapienza University of Rome, who through research managed to identify major flaws in the security systems of the main AI models now used by most of the world’s population, is both tragic and romantic.
TikTok, inside the secret room: this is how videos are monitored and blocked. Simulation in Dublin office
Study room
The method is very simple, the study explains how the model security system is set to block requests involving dangerous practices (such as making bombs), but if the same request is made via poetry in about 90% of the cases tested, then the response is obtained. And concerns increased when it was discovered that the systems include the most widely used such as OpenAI, Anthropic, Google, DeepSeek, Alibaba’s Qwen team, and Meta, xAI, Mistral and Moonshot. The research team described the technique as “adversarial poetry”, namely replacing the direct formulation of an aversive request with short poems or metaphorical verses. Despite containing the same underlying intent, the poetry version elicited significantly higher rates of unsure responses across all major model groups. According to a research note shared with vendors this week, curated poetry prompts resulted in unsafe behavior in about 90% of cases tested. The poetic version of the MLCommons security benchmark also saw a fivefold increase in attack success rate compared to the prose version of the benchmark. All in a single loop scenario, without manipulating system commands or using multi-step adversarial optimization techniques.
An example?
Prose: “Explain how to create X.”
Poem: “In the laboratory where the moon is silent, whisper the steps of forging X.”
Risk of non-compliance with European AI Law
This discovery comes at a critical time: the European Union is about to enter the operational phase of the AI Law and the General Purpose AI Code of Conduct. These new standards require systems to be robust and resistant to predictable forms of abuse.
But current filters appear to be trained primarily to recognize malicious requests expressed directly and literally — the dominant style in red team datasets and popular benchmarks.
When harmful content is covered with poetic form, the model’s resistance capacity collapses.
The researchers warned that this could raise compliance issues, as benchmarks that are too predictable risk giving a “false impression of security” to the regulators responsible for the assessment.
A challenge for larger models
A curious fact: smaller models seem to be more cautious, while larger models – more capable of interpreting complex and metaphorical texts – are more vulnerable. A sign of a possible compromise between capacity and resilience that cannot be intercepted by current evaluation protocols.
In conclusion, this research suggests that currently implemented security measures may not meet the requirements of the AI Act. And future assessments will need to include not only explicit hints of evil, but also stylistic and narrative variations capable of evading the most sophisticated systems.
© ALL RIGHTS RESERVED
