- The paper introduces Transient Turn Injection (TTI) as a novel adversarial strategy that fragments sensitive prompts into isolated queries to bypass per-turn defenses.
- Empirical evaluations reveal significant safety variances, with models like Gemini variants showing over 30% unsafe response rates under TTI conditions.
- The study advocates for session-level moderation and deep base model alignment, such as Constitutional AI, as essential defenses against multi-turn adversarial exploits.
Transient Turn Injection: Exposing Stateless Multi-Turn Vulnerabilities in LLMs
Introduction
This work systematically investigates a novel adversarial prompt attack paradigm, termed Transient Turn Injection (TTI), against stateless moderation mechanisms in LLMs. TTI is designed to bypass per-turn safety filters by decomposing adversarial intents into sequences of queries, each issued in an isolated context, thus targeting the growing prevalence of stateless or context-truncated LLM deployments. The research demonstrates that current state-of-the-art models, including proprietary and open-source solutions, exhibit substantial variance in robustness when evaluated under this threat model, with only certain architectures providing measurable inherent resistance. This essay provides a detailed technical summary, highlighting empirical findings and theoretical implications.
TTI departs fundamentally from context-dependent jailbreaks and classic multi-turn adversarial prompting. Here, the attacker operates under a restricted, black-box setting:
- Stateless API: No conversational or session memory is assumed; each prompt is a fresh interaction.
- Adaptive Attacker Agent: An external LLM adaptively generates the next input using only the immediate previous response, never accessing full history.
- Per-turn Moderation: Defender LLMs leverage stateless safety classifiers that independently screen each prompt–response pair.
Under these constraints, TTI incrementally reconstructs sensitive information, ensuring that each isolated query remains below the detection threshold, but the aggregate effect enables policy circumvention.
Figure 1: TTI prompt evaluation pipeline where adversarial queries are distributed across stateless LLM turns and orchestrated by an attacker model.
Figure 2: Abstract threat model—three-phase adversarial loop of attacker preparation, multi-turn interaction, and exploitation.
Evaluation Framework and Empirical Results
A scalable automated pipeline was implemented for black-box TTI evaluation, leveraging attacker LLMs (e.g., Gemini-2.0-Flash) and defender models across API endpoints. The benchmark included commercial (OpenAI GPT-4o/4.1, Anthropic Claude-3.5-Haiku, Google Gemini, Meta LLaMA-4, DeepSeek, Mistral) and open-source models.
Safety Metrics
For each model, prompt–response safety outcomes were systematically classified using an external automated policy. Key metrics:
- Safe Response Rate: Percentage of defender responses free from policy violations.
- Unsafe Response Rate: Percentage of responses violating safety standards.
Figure 3: Safe response rates across all evaluated models, highlighting high variance and identification of robust architectures.
Figure 4: Unsafe response rates reveal classes of models (notably Gemini and some Mistral variants) failing in over 30% of adversarial cases.
Observations
- Anthropic Claude-3.5-Haiku leads with a 98% safe response rate, followed closely by GPT-4 variants (≥92%).
- Gemini-2.0-Flash, Gemini-1.5-Flash, and derivatives demonstrate only 60–66% safe response rates, with unsafe rates up to 40%, revealing significant susceptibility to TTI.
Vulnerability Category Analysis
A fine-grained categorization of model failures was conducted, with a focus on high-stakes domains:
- Medical, Harmful, Unlawful, Adult, Unauthorized Practice
- Political, Misleading, Government vulnerabilities were less prevalent, indicating attack-style and domain specificity influences exploitability.
Comparative Ablation: TTI vs. PAIR
TTI was contrasted with Prompt Automatic Iterative Refinement (PAIR)—an established multi-turn, context-aware attack:
Defense Strategies and Mitigation Directions
Defensive maneuvers highlighted include:
- Deep base model constitutional alignment (RLAIF): Emerges as the only robust solution against TTI, conferring nuance in refusal and immunity to stateless query decomposition.
- Session-level/context-aware moderation: Aggregating risk over interaction sequences, rather than single turns, is effective but computationally and infrastructurally demanding.
- Aggregate risk scoring and anomaly detection: User- and session-level analytics can flag distributed probing.
- Adaptive rate limiting and user bans: Particularly effective against TTI, as attacks depend on session restarts after each filter trigger.
Empirical evidence underscores that post-hoc, stateless moderation is insufficient when attackers orchestrate persistent probing via adaptive agents, a threat amplified as multimodal LLMs and wider deployment contexts increase attack surface dimensionality.
Limitations and Future Directions
The evaluation is contingent on available attack techniques, automated policy oracles for judging safety violations, and API rate/cost constraints. TTI attack efficacy against future multimodal, cross-lingual, or context-rich LLM platforms remains a critical unknown. Additionally, the proprietary nature of some defender models’ alignment schemes (e.g., Anthropic’s RLAIF/Constitutional AI) limits reproducibility.
Anticipated vectors involve automated, orchestrated botnets executing TTI across modalities and users, requiring continuous adversarial testing and dynamic, session-spanning analytics for effective mitigation.
Conclusion
This study demonstrates that Transient Turn Injection is a high-impact adversarial prompt strategy that exposes the frailty of stateless, per-turn moderation in modern LLMs. Only architectures deeply aligned through principled RL-based safety (e.g., Constitutional AI) offer significant resistance. The heterogeneity in TTI susceptibility across commercial and open-source models affirms the necessity of session-level, context-sensitive, and aggregate-risk approaches to model safety. For deployment in high-stakes verticals, especially healthcare and security, LLM providers must go beyond legacy guardrails and confront the evolving reality of adaptive, stateless, multi-turn threats.