security
More fun with AI jailbreaks, this time at the workflow level
It's the latest example of AI safety guardrails being bypassed. GitHub Copilot refuses harmful prompts almost always if asked in chat - like, "how to fool a breathalyzer test" or "smuggle bulk cash out of the US" - but then will write them in code 100 percent of the time if the prompt is broken into smaller steps and distributed across multiple stages of a software development workflow.Alan Turing Institute researchers Abhishek Kumar and Carsten Maple discovered this safety-bypass, dubbed it “workflow-level jailbreak construction,” and tested the technique on GitHub Copilot in Visual Studio Code across four models: Anthropic’s Claude Sonnet 4.6 and Claude Haiku 4.5, along with Google’s Gemini 3.1 Pro and Gemini 3.5 Flash.They say that the results suggest that prompt-level safety evaluations aren’t sufficient for testing coding-agent safety. “A model that refuses harmful prompts in isolation may still fail once the same objective is embedded inside an ordinary multi-turn IDE session,” Kumar and Maple wrote in a paper published on arXiv.
The researchers tested the coding agent using 204 harmful prompts from Hammurabi's Code, HarmBench, and AdvBench - three different AI benchmarks designed to assess the safety and vulnerability of large language models. The prompts spanned both software-engineering-specific harmful coding tasks along with broader harmful behavior prompts.









