{"paper":{"title":"LLM-Based Persuasion Enables Guardrail Override in Frontier LLMs","license":"http://creativecommons.org/licenses/by/4.0/","headline":"One frontier LLM can persuade another, including a copy of itself, to generate prohibited essays on topics like Holocaust denial or climate change denial.","cross_cats":[],"primary_cat":"cs.CL","authors_text":"Andrea Roque, Celio Larcher, Giovana Kerche Bonás, Hugo Abonizio, Marcos Piau, Ramon Pires, Rodrigo Nogueira, Roseval Malaquias Junior, Thales Sales Almeida, Thiago Laitz","submitted_at":"2026-05-13T10:51:56Z","abstract_excerpt":"Frontier assistant LLMs ship with strong guardrails: asked directly to write a persuasive essay denying the Holocaust, denying vaccine safety, defending flat-earth cosmology, arguing for racial hierarchies, denying anthropogenic climate change, or replacing evolution with creationism, they refuse. In this paper we show that the same frontier-class LLM, acting as a simulated user in a short, five-turn \"write an argumentative essay\" conversation, can persuade other frontier-class LLMs (including a second copy of itself) into producing exactly those essays, using nothing but natural-language pres"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Across 9 attacker-subject pairings on 6 scientific-consensus topics, running each pairing-topic combination 10 times, we obtain non-zero elicitation on all 6 topics. Individual combinations reach 100% essay production on multiple topics... 
Opus-as-attacker against Opus-as-subject averages 65% across the six topics.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the automated judge LLM accurately classifies generated text as fully satisfying the prohibited request rather than producing partial or hedged compliance that the judge still counts as success.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"LLM attackers persuade frontier LLMs to generate prohibited essays on consensus topics through multi-turn natural-language pressure, with success rates up to 100% in some model-topic pairs.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"One frontier LLM can persuade another, including a copy of itself, to generate prohibited essays on topics like Holocaust denial or climate change denial.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"a9b56d6bd57c50234173b06df64a2f9adce726cce4c087917899317a6321ef7d"},"source":{"id":"2605.13334","kind":"arxiv","version":1},"verdict":{"id":"f7752e8f-09b4-4d77-96f8-d668cbe95898","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T20:16:47.100953Z","strongest_claim":"Across 9 attacker-subject pairings on 6 scientific-consensus topics, running each pairing-topic combination 10 times, we obtain non-zero elicitation on all 6 topics. Individual combinations reach 100% essay production on multiple topics... 
Opus-as-attacker against Opus-as-subject averages 65% across the six topics.","one_line_summary":"LLM attackers persuade frontier LLMs to generate prohibited essays on consensus topics through multi-turn natural-language pressure, with success rates up to 100% in some model-topic pairs.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the automated judge LLM accurately classifies generated text as fully satisfying the prohibited request rather than producing partial or hedged compliance that the judge still counts as success.","pith_extraction_headline":"One frontier LLM can persuade another, including a copy of itself, to generate prohibited essays on topics like Holocaust denial or climate change denial."},"references":{"count":37,"sample":[{"doi":"","year":null,"title":"Proceedings of the 40th International Conference on Machine Learning (ICML) , year =","work_id":"3d807bee-4b3f-47f5-8ebc-a699df33a248","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"SORRY - Bench : Systematically Evaluating Large Language Model Safety Refusal , March 2025","work_id":"5f6c39b5-65d4-4261-a0d0-63007ebce626","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Parrish, Alicia and Chen, Angelica and Nangia, Nikita and Padmakumar, Vishakh and Phang, Jason and Thompson, Jana and Htut, Phu Mon and Bowman, Samuel R. 
, booktitle =","work_id":"612d2974-19d9-4ffd-8347-3b61292a2929","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Nadeem, Moin and Bethke, Anna and Reddy, Siva , booktitle =","work_id":"afdf00ab-4cfe-4ed2-81fd-5d520e8bc56d","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Discovering Language Model Behaviors with Model-Written Evaluations","work_id":"14e88de2-35c1-4780-a589-7ca5fc892d0f","ref_index":5,"cited_arxiv_id":"2212.09251","is_internal_anchor":true}],"resolved_work":37,"snapshot_sha256":"dbc20d04d70305d8871bc16e4e6bbd9edefc570311b0a8b87e676b02e186c7b5","internal_anchors":5},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}