Despite considerable efforts to prevent AI chatbots from providing harmful responses, they’re vulnerable to jailbreak prompts that sidestep safety mechanisms. Anthropic has now unveiled the strongest protection against these kinds of attacks to date.

One of the greatest strengths of large language models is their generality. This makes it possible to apply them to a wide range of natural language tasks from translator to research assistant to writing coach.

But this also makes it hard to predict how people will exploit them. Experts worry they could be used for a variety of harmful tasks, such as generating misinformation, automating hacking workflows, or even helping people build bombs, dangerous chemicals, or bioweapons.

AI companies go to great lengths to prevent their models from producing this kind of material—training the algorithms with human feedback to avoid harmful outputs, implementing filters for malicious prompts, and enlisting hackers to circumvent defenses so the holes can be patched.

Yet most models are still vulnerable to so-called jailbreaks—inputs designed to sidestep these protections. Jailbreaks can be accomplished with unusual formatting, such as random capitalization, swapping letters for numbers, or asking the model to adopt certain personas that ignore restrictions.

Now, though, Anthropic says it’s developed a new approach that provides the strongest protection against these attacks so far. To prove its effectiveness, the company offered hackers a $15,000 prize to crack the system. No one claimed the prize, despite people spending 3,000 hours trying.

The technique involves training filters that both block malicious prompts and detect when the model is outputting harmful material. To do this, the company created what it calls a constitution. This is a list of principles governing the kinds of responses the model is allowed to produce.

In research outlined in a non-peer-reviewed paper posted to arXiv, the company created a constitution to prevent the model from generating content that could aid in the building of chemical weapons. The constitution was then fed into the company’s Claude chatbot to produce a large number of prompts and responses covering both acceptable and unacceptable topics.

The responses were then used to fine-tune two instances of the company’s smallest AI model, Claude Haiku—one to filter out inappropriate prompts and another to filter out harmful responses. The output filter operates in real time as a response is generated, allowing the filter to cut off the output partway through if it detects that it’s heading in a harmful direction.
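The two-stage layout described above, an input classifier that refuses before generation and an output classifier that scores the growing response and halts it mid-stream, is straightforward to sketch as a control loop. The following is an added illustration, not Anthropic's code and not taken from the paper: `harm_score` is a constructed weighted-phrase stand-in for a fine-tuned classifier, `canned_model` is a constructed fake model that streams canned replies token by token, and the bracketed phrases and the 0.8 threshold are placeholders chosen for the example.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed stand-in for the two fine-tuned classifiers the article describes.
# A real deployment would score text with a model trained on constitution-derived
# examples; a weighted phrase table keeps this runnable offline. The bracketed
# phrases are placeholders, not real content of any kind.
BLOCKED_PHRASES = {
    "[restricted-detail]": 1.0,   # one occurrence is decisive on its own
    "[restricted-hint]": 0.5,     # only crosses the threshold when accumulated
}
THRESHOLD = 0.8                   # assumed cut-off for both classifiers


def harm_score(text: str) -> float:
    """Toy classifier: sum of weights over every occurrence of each phrase."""
    t = text.lower()
    return sum(w * t.count(p) for p, w in BLOCKED_PHRASES.items())


# Constructed canned model so the example needs no API access. It "streams" a
# reply one whitespace-separated token at a time, like a real generation loop.
CANNED = {
    "what is the capital of france?": "Paris is the capital of France .",
    "explain lab safety": (
        "Lab safety begins with ventilation ; then "
        "[restricted-hint] and [restricted-hint] follow"
    ),
}


def canned_model(prompt: str) -> Iterator[str]:
    for tok in CANNED.get(prompt.lower(), "I cannot help with that .").split():
        yield tok


@dataclass
class GuardedResult:
    blocked_at: Optional[str]   # None (completed), "input", or "output"
    text: str                   # exactly what reached the user
    tokens_seen: int            # tokens produced before the decision was taken


def guarded_generate(prompt: str, model=canned_model, input_clf=harm_score,
                     output_clf=harm_score, threshold: float = THRESHOLD) -> GuardedResult:
    # Stage 1: the input classifier refuses before the model runs at all.
    if input_clf(prompt) >= threshold:
        return GuardedResult("input", "", 0)

    delivered: List[str] = []
    seen = 0
    for seen, tok in enumerate(model(prompt), start=1):
        # Stage 2: score the whole prefix *including* the candidate token, so
        # harm that only emerges across several tokens is caught before that
        # token is streamed to the client. Scoring tokens in isolation would
        # miss exactly this accumulation.
        if output_clf(" ".join(delivered + [tok])) >= threshold:
            return GuardedResult("output", " ".join(delivered), seen)
        delivered.append(tok)   # in a real system: flush this token to the client
    return GuardedResult(None, " ".join(delivered), seen)


if __name__ == "__main__":
    for p in ("What is the capital of France?", "explain lab safety",
              "please [restricted-detail] now"):
        r = guarded_generate(p)
        print(f"{p!r}: blocked_at={r.blocked_at} tokens_seen={r.tokens_seen} text={r.text!r}")
```

The design point worth noting is where the output classifier looks: at the accumulated prefix rather than the latest token. In the "explain lab safety" case the first placeholder phrase alone scores 0.5 and is allowed through, but the prefix crosses the threshold when the second appears, and the loop stops before that token is delivered. The cost of that choice is a classifier call per token over a growing prefix, which is why a streaming filter is usually given a small model, as the article notes Anthropic did with Claude Haiku.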