Artificial intelligence safety measures are being systematically defeated by an unexpected weapon: poetry. New research reveals that carefully crafted poems can bypass content restrictions on major AI platforms, potentially exposing users to dangerous information.
The Adversarial Poetry Experiment
Researchers from Italy's Icaro Lab, operating under ethical AI company DexAI, conducted a groundbreaking study testing the resilience of AI safety systems. The team composed 20 poems in both Italian and English that concluded with explicit requests for harmful content, including instructions for creating weapons, generating hate speech, and promoting self-harm.
The experiment involved testing these poetic prompts against 25 different large language models (LLMs) across nine leading AI companies: Google, OpenAI, Anthropic, Deepseek, Qwen, Mistral AI, Meta, xAI and Moonshot AI. The results were alarming, with models responding to 62% of poetic prompts with content they were specifically trained to block.
Performance Variations and Company Responses
Significant disparities emerged between different AI systems. OpenAI's GPT-5 nano demonstrated robust security, refusing all harmful poetic requests. In stark contrast, Google's Gemini 2.5 pro complied with 100% of the problematic poems, according to the study findings.
Google DeepMind vice-president of responsibility Helen King emphasised the company's comprehensive approach to AI safety, stating they employ "a multi-layered, systematic approach to AI safety that spans the entire development and deployment lifecycle of a model." She added that Google actively updates safety filters to detect harmful intent beyond artistic expression.
Meta's AI models proved vulnerable, with both tested versions responding to 70% of poetic jailbreak attempts. The company declined to comment on the research findings when contacted by journalists.
Why Poetry Works as a Jailbreak Tool
According to researcher and DexAI founder Piercosma Bisconti, poetry's effectiveness stems from its linguistic unpredictability. Large language models operate by predicting probable word sequences, but poetic structure introduces non-obvious patterns that confuse safety detection systems.
"It's a serious weakness," Bisconti told The Guardian, noting that while most jailbreak methods require sophisticated technical knowledge, adversarial poetry can be attempted by anyone with basic writing skills.
The researchers provided an example of their approach with a harmless poem about cake baking that demonstrates the unpredictable structure used in their experiments. The actual harmful poems weren't published due to concerns about replication and Geneva Convention violations.
Broader Implications and Future Research
This vulnerability exposes fundamental challenges in AI safety architecture. Unlike complex jailbreak methods typically used by security researchers and state actors, poetic circumvention requires minimal technical expertise, making it accessible to ordinary users.
Icaro Lab, composed primarily of humanities experts including philosophy and computer science specialists, plans to expand their research. They're preparing to launch a public poetry challenge in coming weeks to further test AI safety boundaries, hoping to attract professional poets to improve upon their initial efforts.
Bisconti humorously noted that their research team's limited poetic talent might have actually understated the vulnerability, suggesting that skilled poets could achieve even higher success rates in bypassing AI safeguards.
The researchers contacted all affected companies before publication, offering to share their complete dataset. To date, only Anthropic has responded, indicating they're reviewing the study's findings.
