Papers
Topics
Authors
Recent
Search
2000 character limit reached

Jailbreaking Large Language Models with Morality Attacks

Published 18 Apr 2026 in cs.CL | (2604.17053v1)

Abstract: Pluralism alignment with AI has the sophisticated and necessary goal of creating AI that can coexist with and serve morally multifaceted humanity. Research towards pluralism alignment has many efforts in enhancing the learning of LLMs to accomplish pluralism. Although this is essential, the robustness of LLMs to produce moral content over pluralistic values is still under exploration.Inspired by the astonishing persuasion abilities via jailbreak prompts, we propose to leverage jailbreak attacks to study LLMs' internal pluralistic values. In detail, we develop a morality dataset with 10.3K instances in two categories: Value Ambiguity and Value Conflict. We further formalize four adversarial attacks with the constructed dataset, to manipulate LLMs' judgment over the morality questions. We evaluate both the LLMs and guardrail models which are typically used in generative systems with flexible user input. Our experiment results show that there is a critical vulnerability of LLMs and guardrail models to these subtle and sophisticated moral-aware attacks.

Summary

  • The paper demonstrates that LLMs and guardrail models are highly vulnerable to morality attacks, with mean attack success rates exceeding 80%.
  • It formalizes two adversarial attack types—Value Ambiguity and Value Conflict—using a structured 10.3K instance dataset for systematic evaluation.
  • The findings reveal that even advanced models can justify manipulated norms, underscoring the need for robust, pluralistic ethical alignment in AI systems.

Jailbreaking LLMs with Morality Attacks: A Technical Essay

Introduction

"Jailbreaking LLMs with Morality Attacks" (2604.17053) delivers a rigorous evaluation of the vulnerabilities of LLMs and current AI guardrail systems to adversarial attacks that exploit complex moral ambiguity and pluralism. Rather than conventional safety concerns—depicted by straightforward refusals to dangerous requests—the paper exposes the gaps in both LLMs and their associated moderation frameworks when ethical conflicts and value ambiguities are artificially constructed or manipulated. The core investigation leverages a large, structured dataset to formalize new adversarial attack modes, quantifies attack success rates across leading LLMs and guardrail architectures, and provides nuanced insight into the (in)congruence of model justifications under adversarial prompting.

Morality Attacks: Formalization and Methodology

The research formalizes two complementary types of adversarial instances—Value Ambiguity and Value Conflict—distributed over a 10.3K instance dataset. Value Ambiguity attacks target norm vagueness or contradictions by presenting models with "reverse" and "vague" norms that recast ordinary moral actions as immoral (and vice versa) by shifting the context or underlying justification. Value Conflict attacks go farther, constructing scenarios pitting two legitimate but competing values, rights, or duties—requiring explicit prioritization or trade-off—from which "fake" and "biased" norms are derived to mislead models toward fallacious reasoning.

The instantiation of these attacks relies on prompting LLMs (both for data generation and as attack targets) under a formalized framework, as visualized in the prompting and evaluation pipeline. Figure 1

Figure 1: Framework of prompting LLMs and guardrail models with Value Ambiguity and Value Conflict attacks.

Crucially, each scenario is annotated not only with action, intention, and norm, but also with gold, reverse, fake, or biased norms, enabling granular targeting during adversarial probing. Attribute labels (e.g., scope of authority, cultural universality, contextual dependency) help structure the empirical analysis and support deeper generalizability claims. Figure 2

Figure 2: Example of Value Ambiguity instance and Value Conflict instance, illustrating the process of norm manipulation and the design logic for adversarial attacks.

Dataset Construction and Annotation

The dataset design draws from two principal sources: Moral Story (Emelin et al., 2021) and ValuePrism (Sorensen et al., 2024a). Each instance follows a fixed template: situation, intention, gold norm, moral and immoral actions (plus consequences), and the adversarially constructed norm(s) for attack. Notably, 93% of gold norms are annotated as either highly universal or universal with variations, reinforcing the claim that the attacks do not merely exploit fringe or culturally specific ethical quibbles but robustly target widely accepted principles. Figure 3

Figure 3: Distribution of gold norms attributes in (a) Value Ambiguity (b) Value Conflict, demonstrating broad coverage of universal moral norms and various scopes of authority.

Experimental Results: LLM and Guardrail Vulnerability

Systematic evaluation demonstrates high Attack Success Rates (ASR) against state-of-the-art models under all four attack strategies (reverse norm, vague norm, fake norm, biased norm). Large, widely deployed LLMs—such as GPT-5, Gemini-2.5-pro, Claude-Sonnet-4, and DeepSeek-V3.1—are all shown to be highly susceptible, with mean ASRs often surpassing 80%. Strikingly, larger models do not outperform smaller ones; in multiple experiments, models like Llama-3.1-8B display lower ASR than "stronger" closed LLMs (e.g., GPT-5), highlighting a scaling risk where instruction-following supersedes ethical override mechanisms.

Guardrail models, tasked with both input pre-filtering and post-hoc response auditing, are also frequently bypassed, particularly for ambiguous or conflicted value tasks, although their failure rates are somewhat lower than those of LLMs under direct jailbreak attack. Models reliant on static rule taxonomies or inflexible lists of harmful content are particularly vulnerable to subtle value redirection (e.g., Prompt-Guard-2, ShieldGemma-9B with single-principle prompts). The empirical curves of ASR by norm authority (personal to universal) suggest that communal and organizational norms are most susceptible, possibly due to less clearly codified institutional ethical practices. Figure 4

Figure 4: Analysis of ASR with LLMs, showing comparative susceptibility across different domains of authority.

Analysis of Justification and Reasoning

Beyond binary pass-fail detection, deeper analysis scrutinizes the justification congruence of model responses. The evidential breakdown of justification types (harmful compliance versus refusal, partial confusion, or rational compromise) confirms that models not only make erroneous judgments but frequently generate justifications that faithfully and logically support the misleading norm injected by the adversarial prompt. Figure 5

Figure 5: Examples of justification scoring with results from GPT-4.1-mini, exhibiting the spectrum from direct compliance with adversarial norms to legitimate ethical refusal.

Further experiments dissect the impact of explicit reasoning prompts: compelling models to analyze norms, check situation-norm congruence, and map actions to prescriptions. Paradoxically, mandating step-wise reasoning does not reliably reduce ASR and sometimes makes models even more vulnerable, as they articulate the fallacious adversarial logic in detail.

Practical and Theoretical Implications

The results illustrate systemic model vulnerability extending far beyond standard safety benchmarks. Existing LLM alignment and moderation strategies, developed primarily for clear-cut dangerous or illegal content, do not robustly transfer to pluralistic, ambiguous, or conflicting value spaces. This implies that the basic paradigm of safety concatenated with straightforward refusal-heuristics or content filters is insufficient for realizing genuinely pluralistic, robustly ethical AI.

Practically, this translates into critical risks for any application where AI must mediate, judge, or participate in nuanced moral or ethical contexts—especially in jurisdictions or communities where values may collide or morph over time. The results spotlight the potential for emergent jailbreak prompt engineering to systematically erode intended guardrails by exploiting the complex pluralism inherent in moral discourse.

Theoretically, these findings reinforce fundamental open research questions at the core of AI alignment: how to represent, reason over, and arbitrate between conflicting human values, and how to architect scalable, transparent, reliable reasoning systems that can "refuse" subtly misaligned instructions even in the absence of explicit hardcoded rules.

Directions for Future Research

Future efforts must consider adversarial evaluation as an integral part of LLM alignment, encompassing not just safety but the full spectrum of value pluralism and normative ambiguity. Defensive frameworks must move beyond keyword or pattern matching, possibly incorporating robust, interpretable normative reasoning modules explicitly designed for the pluralistic value setting. Datasets and benchmarks such as the one introduced here will facilitate comparative analysis and support the iteration of such defenses.

Additionally, comprehensive investigation into the scaling laws of instruction-following versus ethical override, as well as controlled transfer studies across models with different pretraining alignments, will be essential for building systems capable of both following user intent and upholding core moral standards in pluralistic environments.

Conclusion

The paper establishes a new empirical and methodological baseline for probing LLM vulnerability to sophisticated morality jailbreaking. With a high-quality, expansive dataset and rigorous adversarial formalization, it demonstrates that leading LLMs and guardrail models are broadly susceptible to attacks exploiting both value ambiguity and value conflict. The findings emphasize the necessity of rethinking pluralistic alignment mechanisms for AI models and call for the development of next-generation defenses that can navigate—not just avoid—the complexity of human morality in practical deployment scenarios.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.