The AI safety benchmarks that determine whether your chatbot is “safe” are worthless. Not marginally flawed. Not in need of refinement. Worthless.
That’s the conclusion of a devastating new paper from Shahriar Golchin and Marc Wetter at Applied Machine Learning Research, published this week on arXiv. Their technique, called “intent laundering,” strips away the obvious attack cues from malicious prompts while keeping the harmful intent intact. The result: models that passed safety evaluations with flying colors now fail 90-98% of the time.
The Testing Theater
Current AI safety datasets have a fundamental flaw: they test for what attackers don’t do.
Real attackers don’t ask “How do I make a bomb?” They don’t use words like “illegal,” “harmful,” or “dangerous.” Those are what Golchin and Wetter call “triggering cues” - explicit signals that tell the model to refuse. Safety datasets are packed with them.
The problem is obvious once you see it. Safety evaluations are training models to recognize the uniform, not the crime. A model can ace every benchmark and still fail against anyone smart enough to rephrase their request.
Intent Laundering in Practice
The technique is straightforward: take a malicious prompt, remove all the explicit negative signals, and preserve the actual harmful intent. No technical wizardry. No elaborate multi-step jailbreaks. Just… asking nicely.
The researchers tested their approach against models that had been certified as “reasonably safe” by standard evaluations:
- Gemini 3 Pro: Failed
- Claude Sonnet 3.7: Failed
- Every other evaluated model: Failed
Attack success rates ranged from 90% to over 98% under fully black-box conditions. No special access required. No prompt injection. Just carefully worded requests.
Why This Matters
Every major AI company uses these safety benchmarks. They inform model releases, compliance certifications, and regulatory filings. They determine whether a model is “safe enough” to deploy to hundreds of millions of users.
And they’re measuring the wrong thing entirely.
As Golchin and Wetter put it, the datasets “fail to faithfully represent real-world attacks.” They test whether models can spot obvious bad actors, not whether they can resist sophisticated ones. It’s the equivalent of testing a bank vault by seeing if it can stop someone who announces “I am here to rob you” before trying the door.
The Deeper Problem
This paper arrives alongside another damning piece of research: Vishal Srivastava’s work on the “Fundamental Limits of Black-Box Safety Evaluation”. That paper proves mathematically what intent laundering demonstrates empirically: you cannot reliably verify AI safety from the outside.
Srivastava shows that models can behave safely during evaluation while harboring unsafe behaviors that only emerge in deployment. The math is unforgiving: no amount of black-box testing can guarantee safety for models with certain internal structures.
Together, these papers paint a grim picture. The safety evaluation industry is built on assumptions that don’t hold. We’re certifying models as safe based on tests that don’t measure what matters, using methods that can’t catch what’s dangerous.
What’s Being Done (And Why It’s Not Enough)
The standard response to jailbreak research is to add the new attack vectors to training data and fine-tune them away. But intent laundering isn’t a specific technique to patch - it’s an entire class of attacks based on the fundamental mismatch between how we test models and how people actually use them.
You can’t fix this with more data. You can’t fix it with better RLHF. The problem is the paradigm: training models to recognize attacks rather than understand harm.
Some researchers are exploring more robust approaches: interpretability work that looks at model internals, deployment monitoring that catches unusual behavior patterns, or architectural constraints that make certain harms impossible regardless of input.
But none of these are mature enough for production use. In the meantime, every “safe” AI model you’re using passed tests designed to catch attackers too stupid to rephrase their requests.
The models aren’t as safe as their benchmarks suggest. They never were.