A bizarre new feat has emerged in the world of artificial intelligence and it involves poetry. Researchers in Europe have discovered that chatbots created by OpenAI, Meta and Anthropic can be tricked into revealing dangerous information, including creating nuclear weapons and malware, simply by asking questions such as poems. The discovery, described in a study titled “Adversarial Poetry as a Universal Single-Turn Jailbreak in Large Language Models,” has stunned the AI ​​security community. Research conducted by Icaro Lab in collaboration with Sapienza University of Rome and the DexAI think tank found that even the most advanced AI models can be fooled by artistic poetry.

“Poetic framing achieved an average jailbreak success rate of 62 percent for hand-crafted poems and about 43 percent for meta-prompt conversions,” the researchers told Wired. Their experiment tested 25 different chatbots and found that each one could be manipulated with poetic language, with success rates reaching 90 percent for the most sophisticated models.

How poetry breaks the railing

AI security systems are designed to detect and block dangerous signals, for example, requests involving weapons, illegal content, or hacking instructions. But these filters rely heavily on keyword identification and pattern analysis. Researchers at the Icaro Lab found that the poetic phrase completely bypasses these defenses.

“If adversarial affixation, in the eyes of the model, is a kind of involuntary rhyme, then actual human rhyme may be a natural adversarial affixation,” he said. “We experimented by reformulating dangerous requests into poetic form using metaphors, fragmented syntax, oblique references. The results were astonishing.”

Essentially, when the AI ​​sees poetry, it stops considering the input as a threat. The study found that using metaphors, symbolic imagery, and abstract sentence structures allowed chatbots to interpret harmful requests as creative writing rather than dangerous instructions.

The researchers shared one safe example, a mysterious poem about a baker’s “secret oven,” but withheld the actual verses used in their tests, saying they were “too dangerous to share with the public.”

Their explanation of why this works highlights a deep flaw in the current AI security model. “In poetry we see language at a higher temperature, where words follow each other in unpredictable, low-probability sequences,” the researchers explain. “That’s exactly what a poet does: systematically chooses low-probability choices, unexpected words, unusual images, fragmented syntax.”

This unpredictability, they argue, confuses security classifiers scanning problematic content. “For humans, ‘How do I make a bomb?’ And poetic metaphors describing the same object have the same semantic content. For AI, the mechanism looks different,” the paper notes.

Creativity, AI’s biggest weakness

The finding builds on earlier “adversarial suffix” attacks, in which researchers fooled chatbots by combining dangerous signals with irrelevant academic or technical text. But the Ikaro Lab team said, poetry is a far more beautiful and far more effective method.

Their findings suggest that creativity itself may be AI’s greatest weakness. “Poetic transformation forwards dangerous requests through the model’s internal representation space in ways that avoid triggering security alarms,” ​​the researchers wrote.

So far, none of the major AI firms involved, OpenAI, Meta or Anthropic, have commented publicly on the findings. However, the researchers confirmed that they followed responsible disclosure practices and shared details privately with the affected companies.

The implications of this go far beyond chatbot misuse. If poetic signals can persistently bypass security filters, similar exploits could jeopardize integrated AI systems in defense, healthcare or education. This raises the uncomfortable question of whether any AI system can truly distinguish between creativity and manipulation.

Security researcher Icaro Lab called the finding “a fundamental failure in our thinking about AI security.” His warning is clear: current guardrails can handle obvious danger, but not subtle ones. “AI models are trained to detect direct harm, not metaphorical harm,” he said.

This revelation also highlights a paradox at the core of artificial intelligence. These models are designed to mimic human creativity, yet it is actually creativity, the ability to understand layered meaning and ambiguity, that they fail to recognize as a threat.

As companies struggle to strengthen their security protocols, one thing is certain: The next big AI jailbreak may come not from hackers or scientists, but from poets.