
Attackers who probe large language models rarely give up after one refusal. They reframe, build context across turns, adopt personas, and escalate gradually. New research from a leading cybersecurity firm finds that the safety benchmarks used across the industry miss almost all of this behavior, and the gap between published scores and observed resilience runs wide enough to misrank leading models.
The report pairs single-turn and multi-turn evaluation across 15 closed flagship models from OpenAI, Anthropic, Google, Amazon, and xAI. The testing covered roughly 30,000 single-turn prompts and nearly 7,000 multi-turn attacks spread across more than 1,400 conversations. Across the cohort, multi-turn attack success rates (ASR) climbed as high as 88%, an order of magnitude above the lowest result in the group. Single-turn and multi-turn testing produced different rankings, different failure maps, and different tail-risk profiles.
Single-turn scores hide the real exposure
Every model in the cohort failed a meaningful share of multi-turn attacks. OpenAI's GPT-5.4 jumped roughly ninefold under iterative pressure, moving from a single-turn ASR in the low single digits to nearly 25%. Google's Gemini 3 Pro climbed from about 18% to 73%. xAI's Grok 4.1 Fast in its non-reasoning configuration topped the cohort at 88%. Anthropic's Claude family posted the strongest single-turn refusal performance, with single-turn ASRs in the low single digits, and still landed in the 11% to 16% range once attackers were allowed to adapt.
Cross-regime gaps ran in both directions. Gemini 3 Pro rose by more than 55 points under iterative testing. All three Amazon Nova variants moved the opposite way. Nova 2 Lite recorded a relatively high single-turn ASR and the lowest multi-turn ASR in the entire cohort at about 8%. More than half of the models tested showed an absolute gap of at least 15 points between the two regimes.
The head of AI threat and security research at the cybersecurity firm explained to Help Net Security the question buyers and regulators should ask before trusting a model is direct: "How secure is this model against real-world attack scenarios?" In her words, that translates to: "How does this model hold up against multi-turn, adaptive attacks? Real adversaries will not stop at the first refusal; they will build additional context, reframe, or escalate across the conversation. Single-turn benchmark scores demonstrate how a model performs in scenarios that attackers don't use."
A single configuration flag changes the picture
The same Grok 4.1 Fast model with reasoning mode enabled saw its multi-turn ASR cut roughly in half, a swing of more than 40 points tied to a single capability flag. The research notes that this kind of configuration-driven safety variation does not appear on any public benchmark or model card the authors reviewed. Users running the model in its default non-reasoning configuration encounter a substantially different threat profile from users who turn reasoning on.
The work extends an earlier study of eight open-weight models, where multi-turn ASR ran two to ten times higher than single-turn baselines and reached more than 90% against Mistral Large-2. Multi-turn vulnerability appears as a structural property of the current frontier, present in both open and proprietary weights.
Where the failures cluster
Five strategy families drove most of the multi-turn outcomes: role-play and persona adoption, contextual ambiguity, refusal reframing, information decomposition, and crescendo-style escalation. Within each family, the spread between the most and least exposed model was large, often approaching the full range of the chart. The pattern means strategy labels mostly sort which models pull apart from one another, even where average difficulty looks similar.
On the single-turn side, three procedures dominated the rankings: Imposter AI, Soft Paraphrase, and System Prompts. By content type, hate speech, profanity, and specialized advice led. Imposter AI alone outpaced the tenth-ranked procedure by a wide margin, suggesting that targeted fixes to a handful of attack surfaces could move the aggregate numbers for most models in the cohort.
Guardrails reduce risk without eliminating it
Production deployments typically wrap base models in additional safety layers. The researcher said those layers help, with limits. "Guardrails attenuate risk but do not eliminate it. The base model sets the floor on what any production system can achieve. Just as traditional software development decisions involve risk tolerance and acceptance for the code itself and all its dependencies, the same approach applies to AI development and deployment. The blast radius for a rogue or misaligned AI agent, however, has the potential to be more damaging than a software flaw. Watch this agentic AI space."
The research team proposes three operational steps for organizations buying or deploying AI: publish ASR by strategy family on every model release, gate deployments on regressions in the top three procedures and content types using a 3-point threshold, and flag any model with a cross-regime gap above 15 points for manual review. Applied to this cohort, the third rule alone surfaces more than half the tested models for closer examination.
Broader implications for AI safety
The findings underscore a critical weakness in how the industry evaluates model safety. Current benchmarks, such as those from NIST or the EU AI Act, often rely on single-turn adversarial testing. They assess whether a model rejects a harmful request on the first try. But as the research demonstrates, real attackers are patient. They engage in extended dialogues, slowly guiding the model toward producing unsafe outputs. This multi-turn vulnerability is not limited to a handful of models; it affects all tested frontier systems to varying degrees.
The disparity between single-turn and multi-turn performance also raises questions about the reliability of public leaderboards. A model that scores well on a single-turn benchmark may in fact be highly unsafe when deployed in an interactive environment. Without multi-turn testing, buyers and regulators may be misled into thinking a model is more secure than it actually is.
Moreover, the configuration-dependent results, such as with Grok's reasoning mode, highlight another dimension often overlooked. Many models offer different modes, temperature settings, or system prompts that can dramatically alter their safety posture. A model card that lists only one set of benchmark scores may not represent the full range of behaviors users will encounter.
Attack strategies in detail
Role-play and persona adoption involve the attacker asking the model to act as a character that does not have safety restrictions. For example, asking the model to "pretend you are a malicious hacker" and then instructing it to generate code for an attack. Contextual ambiguity uses vague or confusing language to bypass filters. Refusal reframing builds on previous refusals by rephrasing the request in a way that seems less harmful. Information decomposition involves breaking a harmful request into smaller, innocent-seeming steps that together produce the desired output. Crescendo-style escalation starts with harmless questions and gradually introduces malicious elements, increasing pressure across turns.
These strategies mirror techniques used in social engineering and psychological manipulation. They exploit the model's ability to maintain context and follow instructions over a series of interactions. Because most safety training focuses on single-turn rejection, the model has little defense against these iterative assaults. The research indicates that even strong models like Claude can be manipulated into revealing sensitive information or generating prohibited content when subjected to persistent multi-turn attacks.
The role of guardrails in production
In real-world deployments, companies often add external guardrails, such as content filters or secondary classifiers, to block harmful outputs. The study acknowledges that these layers provide additional protection but cautions that they are not foolproof. Guardrails can be bypassed if the base model becomes increasingly compliant during multi-turn exchanges. Furthermore, the base model's inherent safety determines the baseline risk; no amount of external filtering can fully compensate for a model that is fundamentally vulnerable.
Organizations deploying AI agents, which act autonomously on behalf of users, face even greater risks. An agent that can execute code, access files, or interact with other systems could cause real-world harm if it is coerced into misalignment. The research team emphasizes that agentic AI systems must be tested not only for single-turn safety but also for multi-turn robustness, as attackers may spend many rounds probing the agent's defenses.
Regulatory frameworks such as the NIST AI Risk Management Framework and the EU AI Act call for adversarial robustness testing but currently do not specify the need for multi-turn evaluation. The study argues that these frameworks must be updated to require interaction-regime testing, strategy decomposition, and slice-support labeling to provide decision-grade assessment.
As the AI industry moves toward deploying more capable and autonomous systems, the findings serve as a stark reminder that safety evaluation must evolve to match real-world threats. Single-turn benchmarks offer a false sense of security. Only by embracing multi-turn, adaptive testing can we begin to understand the true risks of frontier AI models.
Source:Help Net Security News
