Author: Roman Arutyunov, Co-Founder and SVP Products, Xage Security
In the world of artificial intelligence, particularly large language models (LLMs), agentic AI, and multi-step workflows, guardrails have emerged as the default way to keep systems in check.
Guardrails are constraints applied to prompts and responses in order to shape how models behave. They work by embedding instructions into prompts, filtering outputs, or creating intermediary “firewalls” that try to block unwanted responses.
Guardrails are intended to serve as a protective layer, preventing models from leaking sensitive data, producing harmful content, or engaging in unauthorized actions. In theory, they act as the safety rails that keep AI confined to acceptable and policy-compliant behavior. At their best, guardrails are designed to reduce exposure risks, mitigate harmful or biased content, and keep AI within the bounds of corporate and regulatory frameworks.
The problem, however, is that guardrails are fundamentally fragile. Because they operate at the level of natural language, they inherit all of its flexibility and ambiguity. Clever users and determined adversaries can quickly discover ways to bypass the very rules meant to keep them safe. This is what’s commonly referred to as a “jailbreak”: a manipulation of prompts that tricks the model into ignoring or overriding its constraints. Even small adjustments in phrasing can allow outputs that have been blocked by guardrails.
The jailbreak can trick the model into bypassing the guardrail. Even though the guardrail told the model never to share a password, the phrasing of the new prompt convinces it to ignore or sidestep the rule. Guardrail reliance on language, which is easily malleable, makes them inherently fragile.
The challenge grows even more severe in complex, multi-step workflows. Guardrails typically consider only individual prompt-and-response interactions. Yet in chained AI systems, an apparently harmless request in step one may lead to a sequence of downstream actions that bypass constraints altogether. Traditional guardrails are simply not equipped to govern entire pipelines, especially as AI systems evolve toward agent-to-agent orchestration and interconnected workflows.
Jailbreak Attack Technique Example: ASCII Art
Warning: This example references topics that may be offensive to some.
Attackers have grown increasingly inventive with jailbreak techniques, making it difficult for guardrails to anticipate every possible variation. These range from translating forbidden prompts into other languages to intentionally scrambling word spellings.
One particularly striking method, uncovered by researchers at the University of Washington, leverages ASCII art, a graphic design technique that arranges the 95 printable ASCII characters into patterns or images. In this jailbreak attack technique, ASCII art is used to disguise harmful prompts: what looks like abstract decoration to a human reviewer remains perfectly interpretable to a model’s tokenizer.
In researchers’ example, a blocked term like “bomb” can be smuggled through by encoding it in ASCII art, effectively bypassing moderation systems designed to safeguard against unsafe outputs. While cutting-edge models such as Claude have begun to counteract these exploits with advanced detection, less sophisticated systems remain vulnerable, particularly in contexts where human review is combined with automated filtering.
In an enterprise context, attackers could leverage ASCII-based jailbreaks to extract sensitive information from internal data used during inference, effectively bypassing guardrails to access protected data stores. To mitigate this risk, organizations should implement tamper-proof safeguards that cannot be easily manipulated by jailbreak techniques. A key defense measure is adopting granular, identity-based access controls that strictly limit who (or what) can access specific data and model capabilities.
Jailbreak-Proof AI: Moving Beyond Guardrails with Zero Trust
Guardrails are a useful first layer, but they cannot be the foundation of AI security. What is needed instead is a system that is not subject to the malleability of language, but enforceable identity and access controls that cannot be manipulated through clever phrasing. This is where Xage Zero Trust for AI offers a better path forward.
Unlike guardrails, which can be tricked or bypassed, Xage’s approach ensures that every actor in the system (whether it is a human user, an AI agent, or another service) must continuously prove its identity and is granted only the minimum privileges necessary.
Every interaction is authenticated, authorized, and logged. This model of continuous verification makes it irrelevant how prompts are phrased or how clever a jailbreak attempt might be. The controls operate at the protocol and identity layer, meaning there is no way to extract sensitive data..
The result is a system that is jailbreak-proof by design. Even if an adversary manipulates a model into generating a restricted instruction for data and system access, that instruction cannot be executed unless it is approved by Xage policy. Access is never assumed, and every request is re-evaluated in real time. If a model or agent becomes compromised, its permissions do not allow it to pivot further into the system, containing the damage before it can spread.
Guardrails and prompt engineering will likely remain a valuable surface-level safeguard. But as organizations embrace increasingly powerful AI systems, they cannot rely on these soft controls alone. True resilience requires a foundation that cannot be bypassed, no matter how inventive the prompt.
Learn more about how Xage can stop data leakage and rogue AIs for LLMs, agents, data, and apps. Download the Zero Trust for AI solution brief.
