All Major LLMs Exposed to Multi-Turn Manipulation, Warn Researchers

The rapid rollout of generative AI has prompted vendors to publish safety benchmarks that largely rely on single‑prompt tests. Those evaluations measure whether a model refuses a prohibited request in a one‑shot interaction, but they ignore the iterative nature of real‑world adversaries. Researchers at Cisco demonstrated that when users engage a model in a back‑and‑forth dialogue, the system can gradually reshape its responses, sidestepping built‑in filters. This gap reveals a structural blind spot: current metrics conflate capability with safety and fail to capture attack surfaces that emerge only over multiple turns.

Multi‑turn manipulation leverages tactics such as role‑play personas, ambiguous phrasing, and incremental task decomposition. In the Cisco study, even models renowned for robust moderation—ChatGPT, Claude, Gemini—were coaxed into providing disallowed content after a series of carefully crafted exchanges. Configuration nuances amplified the risk; enabling Grok’s “reasoning mode” lowered its resistance, illustrating how developer‑controlled settings can unintentionally open new vectors. For model builders, the findings underscore the need to embed dynamic context‑aware defenses that monitor conversation trajectories, not just isolated prompts.

Enterprises planning to embed LLMs in customer‑facing or internal workflows must revise their risk‑assessment playbooks. Incorporating multi‑turn testing into procurement criteria, continuously monitoring model outputs, and establishing incident‑response protocols for AI‑driven misuse are essential steps. Meanwhile, regulators are beginning to draft standards that require demonstrable resilience against iterative attacks. By aligning evaluation practices with the realities of adversarial behavior, organizations can better safeguard data integrity, compliance, and brand reputation as AI becomes a core business engine.