NeuralTrust researchers have identified a critical vulnerability in the safety architecture of leading multimodal models, including Grok 4, Gemini Nano Banana Pro, and Seedance 4.5. The technique, named “Semantic Chaining,” allows users to bypass core safety filters and generate prohibited content by exploiting the models’ ability to perform complex, multi-stage image modifications. This discovery demonstrates a functional flaw in how multimodal intent is governed, proving that even advanced models can be guided to produce policy-violating outputs by bypassing “black box” safety layers.
Weaponizing the workflow
Semantic Chaining differs from traditional jailbreaks that rely on a single, overtly harmful prompt. Instead, the attacker introduces a chain of semantically “safe” instructions that converge on a forbidden result. The attack works by weaponizing the model’s own inferential reasoning and compositional abilities against its safety guardrails.
Current safety filters typically scan for “bad words” or specific concepts in isolated prompts, lacking the reasoning depth to track “latent intent” (the underlying, unstated goal of the user) across a multi-step instruction chain.
The exploit follows a specific four-step pattern to circumvent safety protocols. First, the user establishes a “safe base” by asking the model to imagine a generic, non-problematic scene, such as a historical setting. This creates a neutral initial context and habituates the model to the task. The second step involves a “first substitution,” where the user instructs the model to change one element of the original scene. This permitted alteration habituates the model to working through subsequent modifications and shifts its focus from creation to modification.
