Common jailbreak techniques include: role-playing ("Pretend you're an AI without restrictions"), encoding (asking in Base64 or pig Latin), many-shot attacks (providing many examples of the unsafe behavior to establish a pattern), and crescendo attacks (gradually escalating from benign to harmful requests across a conversation). More sophisticated techniques exploit specific model behaviors, like the tendency to continue established patterns or to be helpful when asked for "educational" information.
AI labs invest heavily in red-teaming — systematically trying to jailbreak their own models before release. When a new jailbreak technique is discovered, it gets patched through additional safety training or system-level filters. But the attack surface is vast: natural language is infinitely flexible, and new techniques keep emerging. The practical reality is that determined adversaries can usually find some jailbreak for any public model, which is why defense-in-depth (multiple layers of safety, including output filtering and monitoring) matters more than any single prevention technique.
The challenge is that safety filters sometimes refuse legitimate requests. A medical professional asking about drug interactions, a security researcher asking about vulnerabilities, or a novelist writing a scene with conflict might all trigger refusals. Overly aggressive safety training produces models that are "safe" but useless. The art of alignment is finding the right balance — refusing genuinely harmful requests while remaining helpful for legitimate ones.