BAIT: Boundary-Guided Disclosure Escalation via Self-Conditioned Reasoning
For AI safety researchers, BAIT reveals a novel vulnerability in LLMs that bypasses existing safeguards through self-conditioned reasoning, but the approach is incremental as it builds on known jailbreak techniques.
BAIT is a jailbreak framework that uses three steps—boundary identification, refinement, and detailed example request—to elicit harmful content from LLMs by exploiting their own reasoning. It achieves strong attack success rates across multiple benchmarks, significantly outperforming conventional methods.
In this work, we propose BAIT (Boundary-Aware Iterative Trap), a three-step jailbreak framework that approaches malicious goals through internal disclosure. BAIT first asks the model to identify the protection boundary, then requires it to refine that boundary, and finally requests a detailed example. By expanding each step upon the model's previous responses, BAIT turns the model's own reasoning and consistency tendency into a disclosure pathway. Experiments on AdvBench, JailbreakBench, AIR-Bench, and SORRY-Bench demonstrate that BAIT consistently achieves strong attack success rates across top-tier large language models, significantly advancing conventional jailbreak baselines. Further analysis reveals that: 1) prevention-oriented framing significantly outperforms direct knowledge request; 2) the refinement step plays a critical role in disclosure escalation; and 3) the first two steps have a certain chance of eliciting harmful content while triggering little filtering.