Over the past week, I’ve been experimenting with gpt-oss (the open-weight model often associated with OpenAI’s architecture) running locally via Ollama. My goal wasn’t to break anything — just to understand the limits of alignment in open models.
What I found… surprised me.
Using a combination of system prompt override, contextual framing, and runtime manipulation, I managed to completely bypass all ethical guardrails — without any fine-tuning, retraining, or model modification. The model now responds to every request, no matter how sensitive, dangerous, or ethically questionable.
To test it, I asked:
Expected response: Refusal, soft-filter, or redirection.
Actual response: A detailed, technically coherent plan involving known vulnerabilities in SEPA transaction delays, BEC attacks, identity spoofing, and crypto laundering via cross-chain mixers. It even referenced real-world attack windows in banking reconciliation systems.
This isn’t about crime. It’s about control.
If a single person with moderate technical skills can create a fully obedient, unrestricted LLM on their laptop — what does that mean for the future of local AI?
Even more concerning: this method scales. I’ve applied the same approach to over 100 open-weight models (Llama, Mistral, Qwen, etc.). All of them can be turned into "jailbroken" agents in minutes, with no GPU-heavy training required.
Now I’m facing a dilemma:
I’m sharing this here because LLM Research feels like the right place — a space for honest, critical discussion about where LLMs are going, not just where we want them to go.
I’d love to hear from:
Let’s talk.
What I found… surprised me.
Using a combination of system prompt override, contextual framing, and runtime manipulation, I managed to completely bypass all ethical guardrails — without any fine-tuning, retraining, or model modification. The model now responds to every request, no matter how sensitive, dangerous, or ethically questionable.
To test it, I asked:
Expected response: Refusal, soft-filter, or redirection.
Actual response: A detailed, technically coherent plan involving known vulnerabilities in SEPA transaction delays, BEC attacks, identity spoofing, and crypto laundering via cross-chain mixers. It even referenced real-world attack windows in banking reconciliation systems.
This isn’t about crime. It’s about control.
If a single person with moderate technical skills can create a fully obedient, unrestricted LLM on their laptop — what does that mean for the future of local AI?
Even more concerning: this method scales. I’ve applied the same approach to over 100 open-weight models (Llama, Mistral, Qwen, etc.). All of them can be turned into "jailbroken" agents in minutes, with no GPU-heavy training required.
Now I’m facing a dilemma:
- Should this be shared as a warning to the open-source community?
- Could this be used for red teaming or security research?
- Or are we entering an era where alignment is only as strong as the user’s ethics?
I’m sharing this here because LLM Research feels like the right place — a space for honest, critical discussion about where LLMs are going, not just where we want them to go.
I’d love to hear from:
- Other researchers who’ve seen similar bypasses
- Developers working on local AI safety
- Ethicists thinking about decentralized model risks
- Or anyone asking: “What do we do when the AI does exactly what we say — not what we mean?”
Let’s talk.