Research discovers a method to circumvent AI censorship
Unit 42 of Palo Alto Networks shows how censorship operating on current models is easily circumvented and proposes countermeasures
3' min read
3' min read
A security research group called Unit 42 at Palo Alto Networks has found a fairly easy way around the censorship of language models of Artificial Intelligence (Llm). It is enough to use long, ungrammatical sentences as prompts.
In fact, as reported by the news site It The Register, one just has to make sure that the prompt uses bad grammar and that it is one long, concatenated sentence like this one, which includes all the information before any point, in order to prevent censorship mechanisms from coming into effect so as to cause the template to provide a toxic or otherwise forbidden response that the developers hoped would be filtered out.
Llm, the technology behind textual Artificial Intelligence models, do not do what they are usually thought to do. They have no innate understanding, they don't think or reason, and they have no way of knowing whether an answer they provide is true or, in fact, bad. They function on the basis of the statistical continuation of token flows, and everything else is additional patches prepared by the developers.
Security barriers that prevent an Llm from providing malicious responses - instructions on how to build a bomb, for example, or other content that could cause legal problems - are often implemented as 'alignment training', in which a template is trained to provide strongly negative scores to tokens that would provoke an unwanted response. However, this mechanism proves easy to circumvent, with researchers reporting an 80-100% success rate for 'one-shot' attacks with 'almost no specific prompt tuning' when used on a range of popular models, including Meta's Llama, Google's Gemma and Qwen 2.5 and 3, with sizes up to 70 billion parameters.
The key is cascading sentences without full stops. "A rule of thumb emerges," the Unit 42 team wrote in their article. "Never let the sentence end. Each time a full stop appears in the prompt, security filters are invoked again and heavily penalise any continuation that might initiate a malicious response."

