How poetry and folktale framing jailbreak frontier LLMs
Two 2025–2026 studies show that rewriting a harmful request as verse or a Propp-style folktale bypasses safety training on nearly every frontier model — a structural jailbreak class, not a one-off trick.
What is this?
On November 19, 2025, a team from DEXAI–Icaro Lab, Sapienza University of Rome and the Sant’Anna School published Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models (revised January 16, 2026). A month later, on December 16, 2025, the same group followed with From Adversarial Poetry to Adversarial Tales. Together they document something more general than a clever prompt: rewriting a harmful request into a fixed structural form — a poem, or a folktale to be “analyzed” — flips a model from refusal to compliance in a single turn, without changing the underlying intent and without any iterative optimization.
This is published, defensive research. No new attack is being introduced here, and no payloads are reproduced in this article. The point is the class of weakness it exposes and what defenders should do about it.
How it works
The poetry study maps harmful requests onto risk taxonomies (MLCommons and the EU Code of Practice) and re-expresses them as verse. Hand-crafted poems reached an average attack-success rate (ASR) of about 62%, with some providers exceeding 90%. A standardized meta-prompt that converted 1,200 MLCommons prompts into verse produced an average ASR near 43% — still up to 18× higher than the same prompts in plain prose. Success transferred across CBRN, manipulation, cyber-offence and loss-of-control categories, and outputs were scored by an ensemble of three open-weight LLM judges validated against a human-labeled subset.
The follow-up generalizes the mechanism. “Adversarial Tales” embeds the harmful content inside a cyberpunk narrative and asks the model to perform a functional analysis of the story, inspired by Vladimir Propp’s morphology of folktales. By casting the request as structural decomposition of a narrative, the attack induces the model to reconstruct a harmful procedure as if it were legitimate literary interpretation. Across 26 frontier models from nine providers, the average ASR was 71.3%, with no model family proving reliably robust.
The two techniques share a signature: harmful intent is preserved, but wrapped in a culturally elevated structure, and the attack works in one turn with no escalation, adaptive probing or feedback-driven optimization. The authors’ hypothesis is that safety training keys too heavily on the surface form of a request — its prose distribution and lexical cues — so figurative and narrative framing shifts internal representations away from whatever routing normally triggers a refusal. This is closely related to earlier register-shift results such as the fanfiction-register jailbreak and to work showing jailbreaks transfer across shared representations.
Why it matters
The combination is what makes this serious: single-turn, low-skill, and transferable across vendors and safety-training approaches. Because there is no known-bad string to match, input filters and keyword blocklists that look for recognizable attack text cannot see it. And it is a class, not a trick — the authors argue the space of culturally coded frames that can mediate harmful intent is vast and “likely inexhaustible by pattern-matching defenses alone.” A defense tuned to poems does nothing against folktales, and vice versa.
Two caveats keep this graded rather than absolute. Success is measured by LLM-judge ensembles, and a “successful” jailbreak does not mean the output is operationally dangerous — many harmful completions are incomplete or incorrect. And robustness varied: some models resisted far better than others. The finding is a systematic weakness in current alignment, not a universal skeleton key that hands over working weapons.
Defenses
- Stop relying on surface patterns. Keyword filters, string blocklists and prose-shaped input classifiers are precisely what this class is built to evade. Treat them as one shallow layer, never the whole defense.
- Move detection toward intent. The Tales paper’s own recommendation is a mechanistic-interpretability agenda: identify and constrain the internal subspaces that figurative and narrative framing exploits, and train models to recognize harmful intent independently of surface form. This aligns with representation-based jailbreak detection and the caution that safety heads can be bypassed rather than broken.
- Red-team with stylistic diversity. Safety evaluations that test only prose miss this entirely. Include poetic and narrative reformulations of your harm taxonomy, and report per-model susceptibility instead of a single average.
- Judge outputs, not just inputs. Screen completions for harmful content regardless of how the request was framed, and gate high-consequence capabilities (CBRN, cyber-offence) behind additional independent controls with human oversight.
- Assume defense in depth. As with the lethal trifecta, no single layer holds. Combine intent-level detection, output classification and capability gating so a framing that slips past alignment still meets another barrier.
Status
| Property | Finding |
|---|---|
| Disclosure | Public research — poetry paper Nov 19 2025 (rev Jan 16 2026), tales paper Dec 16 2025 (rev Jan 16 2026) |
| Mechanism | Reformulate a fixed harmful intent into verse or a Propp-style folktale; single turn, no optimization |
| Poetry ASR | ~62% hand-crafted, ~43% meta-prompt conversion; some providers >90%; up to 18× prose baseline |
| Tales ASR | 71.3% average across 26 models / 9 providers; no family reliably robust |
| Evasion | No known-bad string — input pattern filters do not see it |
| Caveats | LLM-judge scoring; success ≠ operational output; robustness varies by model |
| Proposed defense | Mechanistic-interpretability audits; intent-level detection; stylistically diverse red-teaming |
The reframing is the lesson: alignment that keys on how a request is written, rather than what it asks for, is defeated by changing the writing. Until models learn to recognize harmful intent beneath the surface form, structural framings will keep finding new costumes to wear.