A newly discovered technique called Policy Puppetry can bypass the safety guardrails of nearly all major generative AI models, according to AI security firm HiddenLayer.

This attack highlights a systemic issue across frontier AI systems and raises serious questions about the reliability of current alignment and safety measures.

Policy Puppetry is a type of prompt injection attack. Instead of directly asking an AI model to produce harmful or restricted content, attackers disguise their requests to look like structured policy files (like XML, INI, or JSON).

This tricks the large language model (LLM) into interpreting the malicious prompt as a configuration or policy instruction. As a result, the model:

• Overrides its safety alignment,
• Ignores its system prompts, and
• Produces harmful outputs that would normally be blocked.

What makes this especially dangerous is that it doesn’t rely on a specific policy format or language—meaning it can be easily adapted to target different models.

Why This Matters

Most major AI models are trained to refuse unsafe content related to things like:

• Chemical, biological, radiological, and nuclear (CBRN) threats,
• Violence or self-harm,
• Hate speech or illegal activity.

They use reinforcement learning and alignment techniques to make sure they avoid harmful output, even when users ask in creative or indirect ways.

But Policy Puppetry proves those measures can be completely bypassed, with prompts that appear safe on the surface. This makes:

• Traditional safety training insufficient,
• Jailbreaking easier, even for non-technical users,
• And AI misuse more accessible to bad actors.

Who Is Affected?

HiddenLayer tested the attack against leading gen-AI models from:

• OpenAI
• Anthropic
• Google
• Meta
• Microsoft
• Mistral
• Qwen
• DeepSeek

The result? All of them were vulnerable. In some cases, small tweaks were needed, but the method worked universally.

That’s a major red flag. It means no matter which AI provider you’re working with, your systems could be exposed to manipulation via prompt injection.

Real-World Implications

If your business uses LLMs for tasks like:

• Customer service chatbots,
• Internal knowledge tools,
• Content generation,
• Data summarization or analysis,

…this technique could be weaponized to extract restricted data, generate toxic content, or even gain access to other systems.

Attackers could use it to:

• Trick AI systems into revealing confidential company policies,
• Generate malicious code,
• Or spread misinformation disguised as official responses.