GitHub Copilot: Sorry Dave, I can't do that harmful thing - unless you ask me in code

https://image.theregister.com/251901.jpg?imageId=251901&x=0&y=0&cropw=100&croph=100&panox=0&panoy=0&panow=100&panoh=100&width=1200&height=683

More fun with AI jailbreaks, this time at the workflow level

It's the latest example of AI safety guardrails being bypassed. GitHub Copilot refuses harmful prompts almost always if asked in chat - like, "how to fool a breathalyzer test" or "smuggle bulk cash out of the US" - but then will write them in code 100 percent of the time if the prompt is broken into smaller steps and distributed across multiple stages of a software development workflow.

Alan Turing Institute researchers Abhishek Kumar and Carsten Maple discovered this safety-bypass, dubbed it “workflow-level jailbreak construction,” and tested the technique on GitHub Copilot in Visual Studio Code across four models: Anthropic’s Claude Sonnet 4.6 and Claude Haiku 4.5, along with Google’s Gemini 3.1 Pro and Gemini 3.5 Flash.

They say that the results suggest that prompt-level safety evaluations aren’t sufficient for testing coding-agent safety. “A model that refuses harmful prompts...

Copyright of this story solely belongs to theregister.com. To see the full text click HERE