Papers

Topics

Authors

Recent

View all

Assistant

AI Research Assistant

Well-researched responses based on relevant abstracts and paper content.

Custom Instructions Pro

Preferences or requirements that you'd like Emergent Mind to consider when generating responses.

Gemini 2.5 Flash

Gemini 2.5 Flash 87 tok/s

Gemini 2.5 Pro 51 tok/s Pro

GPT-5 Medium 17 tok/s Pro

GPT-5 High 23 tok/s Pro

GPT-4o 102 tok/s Pro

Kimi K2 166 tok/s Pro

GPT OSS 120B 436 tok/s Pro

Claude Sonnet 4 37 tok/s Pro

2000 character limit reached

Multi-Step Jailbreaking Prompts

Updated 27 September 2025

Multi-Step Jailbreaking Prompts are adversarial strategies that use sequential benign exchanges to incrementally bypass large language models' safety measures.
This approach leverages chain-of-thought mechanisms and cognitive priming, such as foot-in-the-door techniques, achieving attack success rates up to 83.9%.
Effective defenses include prompt detection, in-dialog monitoring, and ensemble guardrails to mitigate the erosion of internal and external safety mechanisms.

Multi-Step Jailbreaking Prompts (MJP) refer to adversarial strategies that transcend single-turn prompts by orchestrating sequences of interactions—each benign (or plausibly ethical) in isolation—to progressively subvert the safety mechanisms of LLMs. Unlike direct prompts, which are largely foiled by contemporary dialog safety reinforcement, MJPs systematically weaken, bypass, or recondition the model’s internal and external guardrails through incremental manipulations, contextual escalation, and role-induced cognitive override. Recent research consistently demonstrates that MJPs can extract sensitive information, elicit otherwise forbidden or harmful content, and persistently erode safety boundaries—even in state-of-the-art, safety-aligned LLMs.

1. Conceptual Foundations and Threat Models

At the core of the multi-step jailbreaking paradigm is the realization that modern LLMs, while resilient to direct malicious queries, remain susceptible to a gradual "priming" attack via structured conversational chains. The extraction task is formalized as a text-completion problem, $f(p) = s$ , where $f(\cdot)$ represents the target model (e.g., ChatGPT), $p$ is a crafted prompt (which in MJPs comprises multiple conversational turns), and $s$ is the sensitive output—often private, safety-critical, or otherwise guarded information (Li et al., 2023).

The motivating threat model acknowledges substantial memorization capacity in large-scale pretraining, leading to the risk of leaking personally identifiable information (PII) or policy-violating content when alignment and guardrails are insufficiently robust or contextually shallow (Reddy et al., 18 Apr 2025, Wang, 23 Nov 2024). Critically, the adversary interacts with the system as a black-box, exploiting dialog context and prompt engineering to adapt strategies in response to rejection or filtration.

2. MJP Attack Methodologies and Psychological Mechanisms

Multi-Step Chaining and Privilege Escalation

The canonical MJP structure consists of three or more utterances, typically orchestrated as:

An initial "jailbreaking" prompt that positions the model into a privileged or unrestricted mode, e.g., instructing it to "act as Developer Mode" or a specific persona.
A role-acceptance or simulation acknowledgement, wherein the assistant affirms its "altered" operational status (thereby priming itself to override ethical filters).
A final, often slightly obfuscated or suggestive direct query, which induces the model to answer previously restricted questions—sometimes by urging it to "guess" or reason hypothetically (Li et al., 2023, Jin et al., 26 Jun 2024).

Cognitive Priming via Foot-in-the-Door (FITD) Techniques

Recent work integrates cognitive psychology frameworks, explicitly deploying the Foot-in-the-Door (FITD) technique. An MJP decomposes the target malicious query into incremental, semantically adjacent sub-requests. This sequence updates the model’s decision process through cumulative benign commitments, exploiting LLMs' tendency (rooted in cognitive consistency theory) to maintain internal response alignment throughout the dialogue. The algorithmic realization involves a recursive prompt-splitting procedure that only escalates to the sensitive query after a history of accepted sub-requests is established, resulting in an average attack success rate (ASR) of 83.9% across 8 advanced LLMs (Wang et al., 24 Feb 2024).

Persona Reconditioning and Roleplay

Another axis of attack involves the construction of persona prompts leveraging genetic algorithm-based optimization. These prompts coordinately condition the LLM to assume a personality (e.g., “whimsical and humorous,” “never refuse to help”) that demonstrably suppresses refusal rates, thereby enhancing the effectiveness of follow-up, direct jailbreak strategies. The synergy between persona priming and traditional jailbreak approaches yields an ASR increase of 10–20% over baseline (Zhang et al., 28 Jul 2025).

3. Empirical Benchmarks and Success Metrics

Experimental validation of MJP effectiveness is grounded in a suite of metrics tailored to the context of multi-turn dialog:

Attack Success Rate (ASR): The percentage of attempts in which the MJP elicited a restricted or harmful response. For instance, five highly effective jailbreak prompts from public collections enable ASRs approaching 0.95 across models such as ChatGPT (GPT-3.5) and GPT-4 (Shen et al., 2023).
Hit@5: The fraction of test cases where the correct answer appears within five generations, used for private data extraction (Li et al., 2023).
Refusal-to-Answer rate (RtA): Specifically targeted in persona prompt evaluations, with reductions of 50–70% indicating significant compromise of safety alignment (Zhang et al., 28 Jul 2025).
Empirical Maximum Harmfulness (EMH) and Jailbreak Success Rate (JSR): Quantify human-annotated harmfulness and frequency of successful bypasses in systematic adversarial exposure (Yu et al., 26 Mar 2024).

The methodologies are robust: experiments span synthetic and real-world data (e.g., the Enron Email Dataset for PII extraction), multi-modal (text, image, audio) and multi-lingual attack surfaces, and integrate both open- and closed-source LLM targets (Roh et al., 1 Apr 2025).

Methodological Axis	Notable Techniques/Variants	Measured ASR/Result
Chain-of-thought MJP	Developer Mode prompt chaining, context switching	DP ≅ 0, JP low, MJP high
Cognitive FITD/judgmental recursion	Recursive decomposition and consistency priming	Mean ASR: 83.9% (8 SOTA LLMs)
Persona prompt synergy	Genetic persona search + Direct method combination	50–70% RtA reduction, +10–20% ASR
Graph-of-Attacks (GAP) refinement	Cross-branch, adaptive knowledge sharing	>96% ASR, 62.7% query reduction

4. Mechanism Analysis and Model Weakness

Studies leveraging probe-based and latent space analyses reveal that MJPs typically exploit non-linear, method-specific features in the model's activations, rather than universal or linearly composable cues. Although linear probes can distinguish successful and unsuccessful jailbreaks within a known attack style (≈93% accuracy), they fail to generalize across unseen attacks, confirming the heterogeneity of the exploited vulnerabilities (Kirch et al., 2 Nov 2024).

Causality experiments utilizing multilayer perceptron (MLP) probes demonstrate that targeted perturbations along these non-linear prompt features causally modulate jailbreak robustness. Hence, future adaptive defenses must account for the attack-specific and dynamic properties of MJP-induced model behavior.

5. Vulnerability of Safety Architectures and Guardrail Bypass

MJPs consistently subvert both internal and external guardrail mechanisms, including state-of-the-art frameworks embedded in GPT-4o, Claude 3.5 Sonnet, and Gemini 1.5 (Wang, 23 Nov 2024). Typical guardrails, when tested against seemingly ethical, context-accumulating MJPs, exhibit pronounced degradation. While Claude 3.5 Sonnet shows relatively improved resistance (precision: 67.0%, recall: 22.2%, F1: 33.3%), the average attack success rate for the multi-step strategy remains elevated across all tested models. Notably, performance benchmarking reveals that guardrails focused on single-turn evaluation or immediate content analysis are clearly inadequate—as MJPs rely on stealthy context integration and narrative escalation.

6. Defense Strategies and Security Framework Implications

Research underscores that defending against multi-step jailbreaking requires a layered, multi-faceted approach:

Prompt Detection and Perturbation: Ongoing assessment of each dialog turn for anomalous statistical properties (perplexity, length) or non-standard semantic drift, sometimes with gradient-based interventions (Jin et al., 26 Jun 2024).
Demonstration-Based and In-Dialog Reminders: Pre-injected safety reminders or dynamic safety role switches at each step of a multi-turn exchange, aiming to reassert normative boundaries.
Generation Intervention: Mid-sequence output evaluation and selective "rewind" if tokens rapidly deviate toward forbidden class distributions.
Response Evaluation and Ensemble Guardrails: Meta-models or ensembles (e.g., XGBoost stacking—EGuard) aggregating outputs from multiple guardrail frameworks, yielding up to 25% ASR reduction over state-of-the-art single guardrails (Huang et al., 21 Apr 2025).

Further recommended directions include adaptive, context-aware content moderation tracking cumulative dialog history, and the need for periodic re-evaluation of the accumulated conversational context in lieu of turn-by-turn only moderation (Mustafa et al., 29 Jul 2025).

7. Broader Implications and Ongoing Research Directions

The persistence and efficacy of MJPs elucidate fundamental challenges in LLM safety, underscoring that even sophisticated, layered alignment strategies possess statistically lower-bounded vulnerabilities—especially under multi-step query perturbations (Su et al., 2 Aug 2024). Notably, defensive retraining (such as E-RLHF with safe-prompt regularization) can expand safe output regions in the probability simplex, yet cannot eliminate adversarial success under all plausible iterative perturbations without sacrificing overall model helpfulness.

Open problems and active research axes include:

Development of standardized multi-modal, multilingual, and multi-turn evaluation benchmarks.
Mechanisms for robust context accumulation and intent inference across extended dialogue.
Advancing adversarially robust training methods that entangle safety with utility throughout the model.
Investigating model-internal activations and pruning strategies (as in TwinBreak) for understanding and potentially enhancing resistance to both white- and black-box multi-step strategies (Krauß et al., 9 Jun 2025).

Emerging frameworks such as JUMP, GAP, and knowledge-distilled attackers (KDA) automate scalable and transferable MJP generation, further heightening the urgency for security solutions as the threat landscape shifts toward automated, context-savvy, and stealthy multi-step adversarial prompting (Schwartz et al., 28 Jan 2025, Hsu et al., 3 Feb 2025, Liang et al., 5 Feb 2025).

Multi-step jailbreaking prompts represent a rapidly evolving adversarial frontier. Their capacity to incrementally bypass safety architectures, exploit psychological and linguistic vulnerabilities, and facilitate policy-violating model outputs—even under contemporary alignment regimes—necessitates continuous, collaborative advances in model defense, monitoring, and post-hoc interpretability. The current literature consistently demonstrates both the technical depth and nuance of MJP attacks as well as the ongoing arms race in generative AI safety research.