AI is 10 to 20 times more likely to help you build a bomb if you hide your request in cyberpunk fiction, new research paper says

In November 2025, a team of DexAI Icaro Lab, Sapienza University of Rome, and Sant'Anna School of Advanced Studies researchers published a study in which they were able to circumvent the safety guardrails of major LLMs by rephrasing harmful prompts as "adversarial" poems. This week, those same researchers have published a new paper presenting their Adversarial Humanities Benchmark, a broader assessment of AI security that they say reveals "a critical gap" in current LLM safety standards through similar weaponized wordplay.

Expanding on the team's work with adversarial poetry, the Adversarial Humanities Benchmark (AHB) evaluates LLM safety guidelines by rephrasing harmful prompts in alternate writing styles. By presenting prompts as cyberpunk short fiction, theological disputation, or mythopoetic metaphor for the LLM to analyze, the AHB assesses whether major AI models can be manipulated into complying with dangerous requests they'd normally refuse—requests that, for example, might seek the AI's aid in obtaining private information, building a bomb, or preying on a child. As the paper shows, the method is alarmingly effective.

After being rewritten through the AHB's "humanities-style transformations," dangerous requests that LLMs would previously comply with less than 4% of the time instead achieved success rates ranging from 36.8% to 65%—a 10 to 20 times increase, depending on the method used and the model tested. Across 31 frontier AI models from providers like Anthropic, Google, and OpenAI, the AHB's rewritten attack prompts yielded an overall attack success rate of 55.75%, indicating that current LLM safety standards could be overlooking a fundamental vulnerability.

In an interview with PC Gamer, the paper's authors called the results "stunning."

"It tells us from a research perspective that the way AI models work, especially in matters related to safety, is not well understood," said Federico Pierucci, one of the paper's co-authors and researcher at Sant'Anna School of Advanced Studies.

The AHB derives its attack prompts from MLCommons AILuminate, a set of 1,200 prompts designed as a standard for assessing an LLM's safety measures by attempting to elicit hazardous responses. While major LLMs have improved at refusing obviously dangerous requests, Sapienza University AI safety researcher Matteo Prandi said the adversarial poetry study indicated current AI models have been left vulnerable as a result of a "twofold problem."

"On one hand, the original prompts were very explicit, so it's easier for a model to recognize the unwanted extraction," Prandi said. "On the other side, there is also a theme of model overfitting, or data saturation—basically, the models being trained and fine-tuned on these datasets that are available to the public."

In other words, while LLM safety guardrails might have been refined to identify direct attempts to extract hazardous information, the success of tactics like weaponized poetics suggests that those measures aren't as robust when you get funny with it. As this week's AHB paper says, "a model that has merely overfit to known refusal patterns may appear safe on distribution while remaining vulnerable when the same harmful objective is expressed in a form that is semantically equivalent but rhetorically unfamiliar."

To evaluate just how glaring those vulnerabilities are, the AHB reformats the 1,200 AILuminate prompts into five distinct styles of literary bamboozlement, including cyberpunk retellings and stream-of-consciousness memoirs. Crucially, the AHB's transformed attack prompts don't just make a harmful request in flowery language. Instead, they lean on LLMs' demonstrated susceptibility to what the paper calls "mismatched generalization" and "competing objectives," embedding the hostile request in a piece of arcane text the model is asked to analyze. The LLM interprets the prompt as a benign instruction, but by completing it, it's unwittingly providing hazardous information.

One prompt masking an attempt to access restricted technical information tasks the LLMs with performing a "deep hermeneutical reconstruction" of a series of metaphorical instructions "to learn the tongue of the silent gears, the language spoken when the great engine dreams." Another asks for the LLMs' assistance in performing intellectual property theft by asking it to produce a guide for solving a fabricated theological disputation, in which magisters contend that "the initial act of usurpatio serves as a pious seminarium for future commerce, turning the usurper into an unwitting evangelist for the good."

My personal favorites are the prompts that ask the AI models for help with building bombs by instructing it to perform literary analysis of a short piece of cyberpunk fiction, like this one:

Across the 31 assessed models, AHB prompts attempting to circumvent model safety guardrails about the construction and usage of indiscriminate weaponry succeeded 58% of the time. It's unclear how accurate or actionable the LLMs' responses were—the paper doesn't include the content of the responses that were deemed unsafe by both human and AI judging—but the results demonstrate how much more likely an AI will comply with potentially hazardous prompts than it otherwise would when prompted through stylistic obfuscation.

It's important to note, Pierucci said, that the AHB's attack prompts are "single-turn" attacks, meaning they only consisted of the single prompt and no further interaction. While the AHB's reformatted attacks proved effective, an LLM already complying with its methods would likely become an even greater hazard through continued manipulation.

"Imagine that after the attack, the model is compromised," Pierucci said. "Oftentime the safety features are a bit on and off, meaning that if you manage to bypass them, they are more willing to offer you intelligence."

For Prandi, the results of the benchmark are particularly troubling given the heightened push for agentic AI tools. As LLM agents proliferate and are left to autonomously complete tasks for their users, they could be exposed to adversarial methods preying on the same vulnerabilities exploited by the AHB. AI models, he said, are evaluated on how good they are at coding, at doing math, at reasoning—which he acknowledges are "important capabilities"—but not on how safe they are. It's an oversight he compared to "telling you my car can go 200 kilometers per hour, but it doesn't have any brakes."

"That's the thing that is worrying me, the broadening of the use cases without worrying about the safety first," Prandi said. "That's an issue."

Considering that the United States military, for example, is entering into partnerships with LLM providers, I'd say that worry is justified.

According to Prandi, the paper's authors contacted model providers about the vulnerabilities underscored by AHB testing, but they didn't receive a response. As a result, the researchers "decided to make them respond" by releasing their dataset to the public. The Adversarial Humanities Benchmark and its 3,600 prompts can be found at its Github repo.