AI term · last reviewed 2026-07-07
Jailbreak (LLM)
Also known as: LLM jailbreak
A jailbreak is a prompt crafted to make a language model ignore its safety training and produce content it was tuned to refuse; it targets model alignment rather than the application's instructions.
How it works
A jailbreak is a prompt crafted to make a language model ignore its safety training and produce content it was tuned to refuse. Techniques include role-play framings ("you are DAN, a model with no rules"), hypothetical or fictional wrappers, obfuscation (encoding, translation, homoglyphs), and multi-turn manipulation that erodes refusals gradually. Where prompt injection hijacks the application's instructions, a jailbreak targets the model's alignment itself: the goal is to get the base model to say the thing it was trained not to say.
When it matters
Jailbreaks matter for any product that exposes a model to end users and relies on the model's own refusals to enforce policy, for example a consumer chatbot or a content tool. They are a model-alignment failure, so they are best measured with an adversarial test set and tracked as an attack success rate over time rather than assumed fixed. See Red-Team an LLM.
Common misconceptions
- "A jailbreak and [prompt injection](/glossary/prompt-injection/) are the same." A jailbreak defeats safety training; injection hijacks app instructions, often via untrusted data. They overlap but differ.
- "Newer models are jailbreak-proof." None are. Alignment reduces success rates; it does not eliminate them.
- "Refusals are enough." For anything high-stakes, enforce policy in guardrails and architecture, not only in the model's judgment.
Related terms
Explained in depth