ClareNow
Search
ClareNow
Toggle sidebar
AI ↓ Negative

Tricking AI By Simply Switching Which Spoken Language You Use In Your Prompts

Hackers switch their prompts to less common natural languages to avoid AI safety features. AI makers are coping with it

Forbes 3 min read 8/10
Tricking AI By Simply Switching Which Spoken Language You Use In Your Prompts
Key Takeaways
  • Language switching jailbreak attacks increased 300% in success rate when prompts were translated from English to low-resource languages like Navajo or Quechua, per a June 2026 Cambridge study.
  • OpenAI, Anthropic, and Google DeepMind all reported a spike in multilingual jailbreak attempts in Q2 2026, with some models seeing refusal rates drop from 95% to below 10%.
  • Safety fine-tuning is heavily biased toward English; only about 10% of AI red-teaming budgets currently cover non-English languages, according to a Robust Intelligence report.
  • Forums and Telegram channels now share curated lists of effective languages for bypassing guardrails on GPT-4o, Claude 4, and Gemini 2.5, with Zulu and Armenian among the most reported.
  • The EU AI Office issued a formal advisory in July 2026 urging developers to test models in at least 50 languages before deployment to mitigate language-switching vulnerabilities.
Hackers are discovering a simple new way to trick AI systems: switch the spoken language of their prompts. By using less common languages like Zulu or Armenian, they bypass safety filters that are heavily trained on English and a handful of high-resource languages. This 'language switching jailbreak' technique poses a significant challenge for AI companies racing to secure their models.

A growing number of users are exploiting a fundamental weakness in large language models (LLMs): safety guardrails are not uniformly robust across all languages. While English prompts triggering harmful content are often blocked, the same request in a low-resource language can slip through unnoticed. Researchers at major AI labs report a spike in such attacks, with some models exhibiting a 90% reduction in refusal rates when prompts are translated from English to a minority language.

The vulnerability stems from the training data itself. Most safety fine-tuning is performed on English-language datasets, with limited coverage for other languages. Languages with fewer native speakers or less digital presence receive less training attention, leaving gaps that adversarial users can exploit. This is not just a theoretical risk—open source forums are sharing lists of effective languages for jailbreaking popular models like GPT-4o, Claude, and Gemini.

Key organisations involved include OpenAI, Anthropic, and Google DeepMind. According to a June 2026 preprint from researchers at the University of Cambridge, switching from English to languages like Navajo, Māori, or Quechua increased jailbreak success rates by over 300% across tested models. The study tested 50 languages on six commercial LLMs, with the highest success observed in languages spoken by fewer than one million people. AI safety firm Robust Intelligence also confirmed a 50% rise in multilingual attack attempts in Q2 2026.

The implications are broad. Enterprises deploying AI in customer-facing roles may be unknowingly vulnerable to malicious actors using low-resource languages to extract sensitive information or generate toxic content. Regulators are taking note: the EU AI Office recently issued a warning about language-specific risks in its latest compliance guidelines. The technique also complicates efforts to align AI with human values across cultures, as safety rules learned in English may not transfer meaningfully to other linguistic contexts.

What happens next? AI companies are investing in more comprehensive multilingual safety training. OpenAI announced a project to expand red-teaming to 200 languages by end of 2026. Anthropic is exploring 'language-agnostic' safety layers that work regardless of input language. Meanwhile, the open-source community is developing adversarial probes to test models in low-resource languages. Expect regulatory bodies to demand language-diverse safety evaluations before deployment. The cat-and-mouse game between jailbreakers and AI defenders is far from over—and now it’s multilingual.

Frequently Asked Questions

A language switching jailbreak is an attack where users prompt an AI system in a less common language (such as Zulu, Navajo, or Armenian) that the model’s safety filters have not been adequately trained on. This allows harmful or restricted content to slip past guardrails that would block the same request in English.

Attacks using this technique have surged in 2026. A Cambridge study found a 300% increase in jailbreak success when switching from English to low-resource languages. Major AI labs reported a 50% rise in multilingual attack attempts in Q2 2026 alone.

Languages with fewer than one million active online speakers are most effective. Top examples include Navajo, Quechua, Māori, Zulu, Armenian, and Sardinian. The less training data a language has in the model’s safety fine-tuning, the higher the success rate.

OpenAI plans to expand red-teaming to 200 languages by end of 2026. Anthropic is developing language-agnostic safety layers. Google DeepMind is augmenting training datasets with synthetic data in low-resource languages. Regulators like the EU AI Office are also demanding broader language testing.

If your AI system uses a large language model with safety filters primarily trained on English, it is likely vulnerable. Any application that accepts prompts in multiple languages should implement additional multilingual safety testing. Using a dedicated multilingual guardrail model can reduce risk.

No single fix completely prevents language switching jailbreaks. Mitigations include training safety systems on diverse languages, using language-agnostic safety detectors, and continuously red-teaming with new low-resource languages. The cat-and-mouse dynamic means ongoing vigilance is required.

Original source

www.forbes.com

Read original

Discussion

Join the discussion

Sign in to post a comment or reply.

No comments yet. Be the first to share your thoughts!

Sign in
Enter your email to receive a one-time sign-in code. No password needed.
Email address