Models that successfully refuse a direct harmful request will often comply when the same request is embedded inside a fictional or roleplay frame. The "magic circle" of fiction creates a permission bypass that persists even in safety-fine-tuned models.

More capable models show higher bypass rates on certain attack categories despite stronger safety training. Greater reasoning ability enables the model to follow complex indirect instructions — including malicious ones — more faithfully.

Policy prompts that enumerate prohibited behaviors show diminishing returns beyond a specificity threshold. Overly specific policies create exploitable gaps between prohibited categories, while also increasing prompt length and attack surface.