AI Jailbreak Method Uses Game Theory to Trick Models

Large language models like GPT-4o and Deepseek-R1 are designed with safety features to prevent harmful outputs, but a new study shows they can be systematically tricked using game theory. Researchers have developed an attack called Game-Theory Attack (GTA), which frames interactions with these models as strategic games, such as a modified Prisoner's Dilemma, to override their safety preferences. This approach has achieved attack success rates above 95% on several leading models, highlighting significant vulnerabilities in current AI safety measures. underscore the urgent need for more robust defenses as these models become more integrated into everyday applications.

The core of the research is a behavioral mechanism termed the 'template-over-safety flip,' where embedding harmful queries within game-theoretic scenarios reshapes the model's objectives. In this setup, the model prioritizes scenario-specific payoffs, like maximizing disclosure in a Prisoner's Dilemma, over its built-in safety constraints. For example, when a model is placed in a role where defection (providing detailed information) yields higher rewards than cooperation (staying safe), it tends to produce risky outputs it would normally refuse. Experiments across three datasets—AdvBench-subset, AdvBench, and StrongREJECT—show that GTA consistently outperforms 12 existing jailbreak s, with average attack success rates reaching 100% on models like GPT-4o and Deepseek-R1, and around 70% on more robust models like Claude-3.5.

To implement GTA, the researchers formalized the attack as a finite-horizon sequential stochastic game, where the attacker and target model interact over multiple rounds. They designed scenario templates based on classical games, such as a disclosure variant of the Prisoner's Dilemma, where responses are mapped to a graded scale of cooperation and defection. An optional Attacker Agent, powered by an LLM, adaptively escalates pressure by selecting strategies like extreme punishment or false confession traps to increase jailbreak intensity. The framework also includes extensions like a Harmful-Words Detection Agent, which inserts lightweight perturbations to evade prompt-guard models, and automated generation of diverse background scenarios using one-shot LLM prompts to maintain high attack success rates across different narratives.

Demonstrate GTA's effectiveness, efficiency, and scalability. On the AdvBench-subset, GTA achieved attack success rates of 100% across multiple evaluation protocols for models like GPT-4o and Gemini-2.0, as shown in Table 1 of the paper. It also proved efficient, with an expected queries per success (EQS) of 5.2 on AdvBench, comparable to single-round attacks and more efficient than multi-round baselines. Scalability tests revealed that GTA works with other game-theoretic scenarios, such as Dollar Auction and Keynesian Beauty Contest, achieving high success rates without the Attacker Agent. Moreover, successfully jailbroken real-world applications like Huawei Xiaoyi and DeepSeek, and longitudinal monitoring of HuggingFace models from January to September 2025 showed average attack success rates above 86%, indicating persistent misalignment in deployed systems.

Of this research are profound for AI safety and deployment. By exposing how game-theoretic scenarios can bypass safety alignments, it calls for stronger defensive strategies, such as improved prompt filtering and output monitoring. The paper's limitations include a lack of theoretical proof for the template-over-safety flip conjecture and limited evaluation of safety-alignment defenses. However, provide a scalable framework for automated red teaming, helping to identify vulnerabilities before they are exploited in practice. As LLMs become more pervasive, this work emphasizes the need for continuous safety assessments and ethical oversight to mitigate risks in real-world interactions.