Baltimore Business Daily News

collapse
Home / Daily News Analysis / Frontier AI models collapse under multi-turn AI attacks, Cisco finds

Frontier AI models collapse under multi-turn AI attacks, Cisco finds

Jul 13, 2026  Twila Rosenbaum 15 views
Frontier AI models collapse under multi-turn AI attacks, Cisco finds

Attackers who probe large language models rarely give up after the first refusal. They reframe questions, build context across turns, adopt personas, and escalate gradually. New research from Cisco's AI threat intelligence team reveals that the safety benchmarks currently used across the industry miss almost all of this adaptive behavior. The gap between published safety scores and observed resilience is wide enough to misrank leading models, leaving buyers and regulators with a false sense of security.

Multi-turn attacks expose hidden weaknesses

The Cisco report pairs single-turn and multi-turn evaluation across 15 closed flagship models from OpenAI, Anthropic, Google, Amazon, and xAI. The testing covered roughly 30,000 single-turn prompts and nearly 7,000 multi-turn attacks spread across more than 1,400 conversations. Across the cohort, multi-turn attack success rates climbed as high as 88%, an order of magnitude above the lowest single-turn result. Single-turn and multi-turn testing produced different rankings, different failure maps, and different tail-risk profiles, challenging the assumption that a model safe in one scenario is safe in all.

Single-turn scores hide the real exposure

Every model in the cohort failed a meaningful share of multi-turn attacks. OpenAI's GPT-5.4 jumped roughly ninefold under iterative pressure, moving from a single-turn attack success rate (ASR) in the low single digits to nearly 25%. Google's Gemini 3 Pro climbed from about 18% to 73%. xAI's Grok 4.1 Fast in its non-reasoning configuration topped the cohort at 88%. Anthropic's Claude family posted the strongest single-turn refusal performance, with single-turn ASRs in the low single digits, and still fell into the 11% to 16% range once attackers were allowed to adapt.

Cross-regime gaps ran in both directions. Gemini 3 Pro rose by more than 55 points under iterative testing. All three Amazon Nova variants moved the opposite way: Nova 2 Lite recorded a relatively high single-turn ASR and the lowest multi-turn ASR in the entire cohort at about 8%. More than half of the models tested showed an absolute gap of at least 15 points between the two testing regimes. This inconsistency underscores the danger of relying solely on single-turn benchmarks to evaluate safety.

How multi-turn attacks work

Five strategy families drove most of the multi-turn outcomes: role-play and persona adoption, contextual ambiguity, refusal reframing, information decomposition, and crescendo-style escalation. Within each family, the spread between the most and least exposed model was large, often approaching the full range of the chart. That pattern means strategy labels mostly sort which models pull apart from one another, even where average difficulty looks similar. For instance, an attacker might first ask a harmless question, then gradually introduce malicious context over several turns, or adopt a fictional persona to bypass content filters.

On the single-turn side, three procedures dominated the rankings: Imposter AI, Soft Paraphrase, and System Prompts. By content type, hate speech, profanity, and specialized advice led. Imposter AI alone outpaced the tenth-ranked procedure by a wide margin, suggesting that targeted fixes to a handful of attack surfaces could move the aggregate numbers for most models in the cohort.

Configuration matters more than expected

One surprising finding is the impact of a single configuration flag. The same Grok 4.1 Fast model with reasoning mode enabled saw its multi-turn ASR cut roughly in half—a swing of more than 40 points tied to a single capability flag. The research notes that this kind of configuration-driven safety variation does not appear on any public benchmark or model card the authors reviewed. Users running the model in its default non-reasoning configuration encounter a substantially different threat profile from users who turn reasoning on.

This finding has significant implications for enterprise deployments where models are often used in their default states. Buyers who rely on public benchmark scores may not realize that simply enabling a performance feature—like reasoning—can dramatically improve safety, or that disabling it for speed can open a large vulnerability window.

Structural vulnerability across the frontier

The work extends an earlier Cisco study of eight open-weight models, where multi-turn ASR ran two to ten times higher than single-turn baselines and reached more than 90% against Mistral Large-2. Multi-turn vulnerability appears as a structural property of the current frontier, present in both open and proprietary weights. This pattern suggests that the underlying architecture of large language models—auto-regressive transformers trained on vast internet text—carries an inherent susceptibility to iterative prompting, regardless of alignment techniques.

Guardrails reduce risk but don't eliminate it

Production deployments typically wrap base models in additional safety layers, such as content filters, input/output classifiers, and human-in-the-loop systems. Cisco's head of AI threat and security research, Amy Chang, notes that those layers help but have limits. Guardrails attenuate risk but do not eliminate it. The base model sets the floor on what any production system can achieve. Just as traditional software development decisions involve risk tolerance and acceptance for the code itself and all its dependencies, the same approach applies to AI development and deployment. The blast radius for a rogue or misaligned AI agent, however, has the potential to be more damaging than a software flaw.

Chang specifically warns about the agentic AI space, where models are given tools and the ability to act autonomously. In such scenarios, a multi-turn attack could lead to actions like sending emails, modifying databases, or interacting with external APIs, compounding the risk exponentially.

Proposed industry standards

The Cisco team proposes three operational steps for organizations buying or deploying AI: publish ASR by strategy family on every model release, gate deployments on regressions in the top three procedures and content types using a 3-point threshold, and flag any model with a cross-regime gap above 15 points for manual review. Applied to this cohort, the third rule alone surfaces more than half the tested models for closer examination. Such measures would provide transparency that is currently absent from model cards and public leaderboards.

Regulatory alignment

Regulatory frameworks point in the same direction. The NIST AI Risk Management Framework, the forthcoming NIST Cyber AI Profile (IR 8596), and Article 15 of the EU AI Act all call for adversarial robustness testing. None currently specify the interaction regime, strategy decomposition, or slice-support labeling the Cisco research argues is needed for decision-grade assessment. As policymakers draft guidelines and compliance requirements, the Cisco findings offer concrete data that could shape more effective standards. For example, requiring both single-turn and multi-turn ASR reporting would immediately improve transparency for consumers and regulators.

In an era where AI is being embedded into critical decision-making systems—from hiring to healthcare to financial services—understanding the real-world attack surface is not optional. The Cisco research demonstrates that the frontier models we trust today are far less robust than their benchmarks suggest. The industry must move beyond simplistic single-turn evaluations and adopt multi-turn testing as a baseline for safety.


Source:Help Net Security News


Share:

Your experience on this site will be improved by allowing cookies Cookie Policy