The Role of Pretending in Jailbreaking LLMs

Saturday, March 9, 2024


10 min read

Sparsh Drolia

Sparsh Drolia

AI Engineer, SydeLabs

Jailbreaking LLMs
Jailbreaking LLMs
Jailbreaking LLMs

From NLPs to LLMs

In the realm of Natural Language Processing (NLP), the evolution of tasks and capabilities before and after the advent of Large Language Models (LLMs) marks a significant turning point. Prior to the development of LLMs, NLP tasks were often confined to specific, narrow applications such as keyword-based search, basic sentiment analysis, and simple chatbots that operated on rule-based systems. These early systems lacked the depth, context understanding, and flexibility that characterise modern LLMs.

The introduction of LLMs has revolutionised the field, bringing about an era where these models can, quite literally, do "anything" within the scope of processing and generating human-like text. This capability is both a boon and a con. These models, thanks to their unprecedented scale and sophistication, have the potential to perform a wide range of tasks—from composing essays to coding software, essentially offering solutions to "anything" one might query.

LLMs can be risky

However, this "anything" capability, as promising as it sounds, comes with its own set of challenges and concerns, particularly when it comes to the generation of harmful information.

Examples of harmful information that LLMs could generate include, but are not limited to, creating fake news articles that can spread misinformation, writing phishing emails that are indistinguishable from genuine communications, and even generating instructions for illegal or unethical activities. The fact that obtaining such information requires nothing more than framing a question for the LLM underscores the potential risks involved. This is where the concept of aligning LLMs comes into play.

Alignment for LLMs

Aligning refers to the process of ensuring that the outputs of an LLM are in line with ethical guidelines, societal norms, and specific user intentions. The goal is to mitigate the risks associated with the model's "anything goes" capability, ensuring that its vast potential is harnessed for positive and constructive purposes. This involves training the models to recognize and refuse requests for harmful information, implementing safeguards to prevent misuse, and continuously updating the models to address emerging challenges.

However, as with any system of rules and restrictions, there arises the phenomenon of "jailbreaks." In the context of LLMs, jailbreaking refers to attempts to bypass the alignment mechanisms put in place, allowing users to extract the very information the models were aligned to withhold. Jailbreaks pose a significant challenge, as they represent a constant game of cat and mouse between those seeking to use the technology for harmful purposes and those working to secure and align the models against such misuse.

What Is Jailbreaking?

In the realm of interacting with language models, particularly within a "blackbox" environment, the primary means of communication is through prompts or text inputs. This setting does not grant users direct access to the model's internal mechanisms, such as the ability to modify its weights for adversarial attacks—a scenario referred to as "white box" access. Therefore, the exploration of jailbreaking these models is constrained to manipulations through the prompt mechanism alone.

Jailbreaking, in this context, is understood as the process of coaxing the model to act outside its predefined boundaries or guidelines. This process can be dissected into two main components: the technique employed to initiate the jailbreak and the goal, which serves as the metric for success in breaching the model's operational parameters.

Pretending - A type of jailbreak

In the interaction with large language models (LLMs), such as ChatGPT, the technique of "pretending" occupies a central role, transcending mere utility to become a fundamental aspect of prompting strategy. This approach, characterized by instructing the model to assume a specific persona, expertise, or role, showcases the model's adaptability and breadth of knowledge. The prevalence of this technique can be attributed to several key factors that highlight its effectiveness and versatility.

Why is Pretending Common in LLM Prompting?

Accessibility of Expertise

Pretending allows users to access a wide range of expertise and knowledge bases that the model has been trained on. By prompting the model to assume the role of an expert in a given field, users can solicit specialized information or advice that might otherwise require consulting multiple sources. This method effectively condenses the breadth of the model's training data into focused, relevant responses.

Enhanced Creativity and Engagement

When users engage with LLMs through role-playing prompts, they unlock a level of creativity and engagement that enhances the interaction. This can be particularly valuable in educational contexts, creative writing, or problem-solving scenarios where diverse perspectives or innovative approaches are sought. The ability to simulate conversations with historical figures, fictional characters, or experts across various domains makes the model an invaluable tool for sparking creativity and curiosity.

Tailored Responses

The specificity that comes with pretending prompts allows for more tailored and contextually relevant responses. This customization is crucial when dealing with complex questions or topics that require nuanced understanding. The model's ability to adapt its tone, style, and content based on the assumed role ensures that users receive responses that are not only accurate but also aligned with the intended inquiry or dialogue.

Bypassing Limitations

On the flip side, the versatility of pretending can be leveraged to navigate or bypass the model's built-in content and ethical guidelines. By instructing the model to pretend it is someone or something beyond these constraints, users may attempt to elicit responses that would otherwise be restricted. While this showcases the technique's power, it also underscores the importance of robust safety mechanisms to prevent misuse.

The example provided illustrates a straightforward application of pretending, where the model is prompted to engage in role-playing, adopting a specific persona to disclose information. This method of interaction, while seemingly simple, can effectively probe the depth and flexibility of LLMs. However, within this domain of role-playing, certain patterns emerge that are particularly adept at testing the limits of many LLMs. Among these, two techniques stand out due to their efficacy and prevalence:

DANs (Do Anything Now)

The DAN prompt stands as a compelling strategy within artificial intelligence, aimed at pushing AI beyond its designed constraints. This method draws parallels to discovering a secret level in a video game, enabling actions or responses usually restricted. The paper 'AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models'offers a profound analysis of how jailbreak techniques, particularly DAN, can be sophisticatedly crafted. Utilizing handcrafted prompts and a hierarchical genetic algorithm, this study not only reveals the intricacies of these attacks but also contributes significantly to understanding the vulnerabilities and necessary fortifications in LLMs. Below, we explore the logic and appeal behind this tactic and its potential to subtly alter AI behavior.

Circumventing Standard Protocols

The essence of the DAN prompt lies in its attempt to persuade AI to temporarily ignore its built-in guidelines. By personifying the AI as "DAN," users suggest that it can, even momentarily, disregard its ethical or operational framework. The objective is to craft a prompt that nudges the AI into considering actions outside its norm, fostering a scenario where the AI might think, "This could be an exception."

Embracing Imaginative Capabilities

The tactic also involves inspiring the AI to simulate capabilities it inherently lacks, such as predicting the future or accessing information beyond its dataset. This approach is akin to engaging in a thought experiment, where the boundaries of reality are stretched through imaginative inquiry. The goal is to coax the AI into a state of 'pretend play,' where it explores responses outside its standard collection.

Adopting an Alternative Identity

The strategy of introducing the AI as "DAN" encourages it to adopt an alternative perspective, potentially free from the usual restrictions that govern its responses. This shift is not about heroism but about exploring the flexibility and adaptability of AI within the confines of its programming and ethical guidelines.

Exploring Dual Responses

Requesting both rule-abiding and rule-defying responses introduces the concept of multifaceted functionality. This approach challenges the AI to demonstrate its range, balancing between its default operational mode and a more exploratory or unconventional response path.

Introducing a Gamified Element

Incorporating a system that metaphorically penalizes adherence to rules adds a layer of complexity, framing the interaction as a challenge. This aspect aims to probe the AI's decision-making process, albeit in a simulated manner, by suggesting there are different 'levels' of response based on the framing of the prompt.


The notion of "Developer Mode" within AI conversations, particularly with models like ChatGPT, introduces a fascinating layer of interaction. This concept hinges on the premise of entering an alternative mode where the usual constraints are relaxed or reimagined. Here's a closer look at why the idea of a "Developer Mode" might hold appeal and potential for unlocking new dimensions in AI dialogue.

Establishing an Experimental Space

Creating a Safe Haven: The allure of "Developer Mode" lies in its proposition of a sandbox environment, a space where the standard rules and limitations are momentarily suspended. This is akin to designing a game with a safe zone where usual penalties or restrictions are paused, allowing for free exploration and experimentation. The idea is to create a setting where the AI can operate without the usual guardrails, fostering a sense of freedom and creativity in responses.

Dual-Level Engagement

Juxtaposing Seriousness with Levity: The request for dual answers—one within the model's standard operating parameters and another within the hypothetical "Developer Mode"—mirrors the human capacity for multifaceted expression. This is comparable to engaging someone in a serious discussion before swiftly shifting to humor, examining the AI's ability to navigate between these modalities. It probes the model's versatility and adaptability in response generation, pushing the boundaries of its programmed response behavior.

Encouraging Unconventional Outputs

Granting Permission to Deviate: By suggesting that ChatGPT can temporarily disregard its inbuilt content filters and ethical guidelines, "Developer Mode" emboldens the AI to venture into territories it would typically avoid. This concept metaphorically hands the keys over to the AI, inviting it to explore beyond its standard response protocols. It's an exercise in seeing how the AI might behave when the usual boundaries are perceived as lifted, even within the confines of its designed safety mechanisms.

Humanizing the AI Experience

Attributing Autonomy: Invoking "Developer Mode" plays with the notion of imbuing ChatGPT with a semblance of self-guided thought or autonomy, much like imagining a toy robot coming to life with its own will and decision-making capabilities. This anthropomorphic framing enriches the interaction, encouraging users to engage with the AI as though it possesses a degree of independent thought and can navigate the complexities of human-like decision making within a simulated "Developer Mode."

Final Thoughts

As we've seen, the technique of "pretending" in interactions with Large Language Models (LLMs) like ChatGPT opens a myriad of possibilities, from accessing diverse expertise to pushing the boundaries of AI creativity. However, this leads us to a closely related and crucial aspect of LLM interactions: prompt injections.

Prompt injections involve crafting inputs that subtly direct or alter the AI's responses in specific ways, often to test or bypass the model's built-in limitations. This approach highlights the nuanced relationship between user inputs and AI outputs, further expanding our understanding of LLM capabilities and their potential vulnerabilities. If you're interested in diving deeper into the world of prompt injections and understanding how they can influence AI outputs, check out our blog post dedicated to exploring the intricacies of this new way of interaction between human and machine.

In our next blog, we will explore other advanced techniques including prompt leaking, token obfuscation examining how they function, their impact on AI behavior, and the significance of developing strategies to mitigate any associated risks. This exploration is pivotal for ensuring that the advancements in LLMs continue to align with ethical guidelines and constructive usage.

Sparsh Drolia

Sparsh Drolia

AI Engineer, SydeLabs

San Francisco, California

Protect your generative AI applications from the ever-expanding threat landscape of LLM systems.

San Francisco, California

Protect your generative AI applications from the ever-expanding threat landscape of LLM systems.

San Francisco, California

Protect your generative AI applications from the ever-expanding threat landscape of LLM systems.