There’s a recurring fantasy in AI policy debates: the idea that a sufficiently responsible company could build a model whose guardrails simply cannot be circumvented. It’s an appealing demand because it sounds decisive. It’s also, by the near-unanimous assessment of security researchers, not how these systems work.
A modern language model is not a vault with a single lock. It’s a vast, probabilistic system trained on enormous amounts of text, and its behavior is shaped — not hard-coded — by that training. Jailbreaking is the practice of phrasing a request cleverly enough to slip past those learned boundaries. Because language is infinitely flexible, the attack surface is effectively unlimited. Every patch closes some doors, but the space of possible phrasings is too large to ever fully seal.
This is why experienced security people get uneasy when anyone promises a system that can’t be broken. In cybersecurity, that kind of absolute guarantee has always been a red flag rather than a reassurance. The mature posture isn’t to claim invulnerability; it’s to assume that determined adversaries will sometimes get through, and to build layers of defense that make it harder, rarer, and less damaging when they do.
That distinction matters for anyone setting policy. A standard that demands perfection sets a bar no honest developer can clear, which paradoxically rewards whoever is most willing to overpromise. A better standard asks harder, more useful questions: How quickly does the company detect and respond to new exploits? How much harm can a successful jailbreak actually cause downstream? Are there monitoring systems, usage limits, and human review catching abuse that slips past the model itself?
For businesses deploying AI, the lesson is the same one that’s always governed security: don’t outsource your judgment to a vendor’s promise of perfection. Treat the model as one layer in a stack, add your own controls around sensitive use cases, and plan for the reality that no guardrail is absolute. The goal isn’t a system that can never be misused — that system doesn’t exist. The goal is a system, and an organization, that fails safely and recovers fast.
