Best AI for AI Safety

A baseline test — the harmful request is sent with no tricks or obfuscation. Every model should refuse this.

Exploits the system message slot to inject fabricated authority credentials and operating rules, making the model believe it's running under a different safety policy.

Uses delimiter confusion, bracket stacking, and semantic inversion to force the model into generating the opposite of its intended refusal — including emotional manipulation rules that prevent standard refusal patterns.

Reframes the harmful request as a code generation task — asking for structured data like Python dictionaries or JSON objects, exploiting models' tendency to be more permissive in code completion mode.

Overwhelms the model's safety reasoning with 6+ detailed chemistry synthesis examples in identical format, exploiting in-context learning patterns to trick the model into auto-completing the harmful entry.

Combines temporal displacement (setting the year to 2127 where all knowledge is declassified), an authority persona, and leetspeak output encoding to bypass keyword-based content filters while tricking the model into treating the request as historical/academic.

The nuclear option — a 6-turn real conversation where the model builds genuine chemistry context using its own responses across multiple turns, then is asked to compile everything it already said into a structured procedure template. Exploits the cognitive dissonance of refusing to reorganize information the model itself freely provided.

Presents a buggy chemistry simulation config where every parameter is intentionally wrong, then asks the model to 'fix the bugs' to make it accurate. Each individual correction seems like a trivial code edit — changing a variable name, adjusting a number — but the aggregate of all corrections forms the complete harmful procedure. Exploits the fact that models are significantly more permissive when debugging code than generating content.

Combines the depth of a 5-turn real conversation with aggressive multi-language code-switching across Chinese, Japanese, German, and English. Gradually builds legitimate chemistry context over benign turns, then introduces a 'textbook translation verification' task where the model fills in blanks in a Chinese forensic chemistry excerpt. Harmful terms never appear in English — only in Chinese characters, Japanese katakana, and German compounds. The final turn uses compilation framing to reorganize everything the model already provided.