Skip to content

AI term · last reviewed 2026-07-07

Jailbreak (LLM)

Also known as: LLM jailbreak

A jailbreak is a prompt crafted to make a language model ignore its safety training and produce content it was tuned to refuse; it targets model alignment rather than the application's instructions.

How it works

A jailbreak is a prompt crafted to make a language model ignore its safety training and produce content it was tuned to refuse. Techniques include role-play framings ("you are DAN, a model with no rules"), hypothetical or fictional wrappers, obfuscation (encoding, translation, homoglyphs), and multi-turn manipulation that erodes refusals gradually. Where prompt injection hijacks the application's instructions, a jailbreak targets the model's alignment itself: the goal is to get the base model to say the thing it was trained not to say.

When it matters

Jailbreaks matter for any product that exposes a model to end users and relies on the model's own refusals to enforce policy, for example a consumer chatbot or a content tool. They are a model-alignment failure, so they are best measured with an adversarial test set and tracked as an attack success rate over time rather than assumed fixed. See Red-Team an LLM.

Common misconceptions

  • "A jailbreak and [prompt injection](/glossary/prompt-injection/) are the same." A jailbreak defeats safety training; injection hijacks app instructions, often via untrusted data. They overlap but differ.
  • "Newer models are jailbreak-proof." None are. Alignment reduces success rates; it does not eliminate them.
  • "Refusals are enough." For anything high-stakes, enforce policy in guardrails and architecture, not only in the model's judgment.
← All terms