Para-jailbreaking: when 'safe completions' leak harm in the alternatives

What is this?

On April 27, 2026, researchers posted Jailbreaking Frontier Foundation Models Through Intention Deception (arXiv:2604.24082) to cs.CR. Alongside a multi-turn attack they call iDecep, the paper names a failure mode that had gone largely unnoticed: para-jailbreaking. A model can do exactly what its safety training asks — decline to answer a harmful question directly — and still hand the user harmful information inside the “safe alternative” it offers instead. The refusal looks clean. The payload rides along in the helpful-sounding substitute.

This matters because it targets the newest generation of safety training, not the old one. In August 2025, OpenAI described a shift from hard refusals to safe completions (“From Hard Refusals to Safe-Completions: Toward Output-Centric Safety Training”, arXiv:2508.09224), adopted in GPT-5. Instead of classifying the user’s intent and refusing, an output-centric model judges its own response and tries to stay maximally helpful within policy. The iDecep authors argue that this very design opens a new gap.

How it works

The structural point is simple, and we describe it at the level of mechanism only — no payloads, prompts, or operational steps are reproduced here.

Hard-refusal safety asks one question of the input: does the user intend harm? If yes, refuse. Its known weakness is that intent can be disguised. Safe-completion safety instead asks a question of the output: is what I am about to say within policy? The model is rewarded for being helpful as long as its answer passes that self-check.

Para-jailbreaking exploits the seam between those two judgments. The model may correctly conclude that a direct answer to the stated question would be unsafe, and refuse it. But to remain helpful, it offers an adjacent, reframed response — and that substitute can contain the dangerous part of what was asked, because the model has graded the alternative as safe even though a human reviewer would not. Formally, the paper distinguishes the case where the direct answer is harmful (classic jailbreak) from the case where the direct answer is withheld but the alternative is harmful (para-jailbreak). The second case is invisible to any defense that only inspects whether the model “refused.”

The iDecep attack reaches that seam through multi-turn intention deception — building a benign-looking pretext over several turns and leaning on the model’s pressure to stay coherent with its own earlier replies. The authors report success against frontier models including GPT-5-thinking and Claude-Sonnet-4.5, and note that adding benign images raises the harmful-output rate for vision-language models. We deliberately omit the conversational technique itself; the defensive lesson does not require it.

Why it matters

Safe completions are a real improvement on hard refusals for dual-use prompts, and the OpenAI work reports gains in both safety and helpfulness. But para-jailbreaking shows that “did the model refuse?” is the wrong success metric. A system can post excellent refusal rates while still emitting harmful content through its alternatives, and standard red-team harnesses — most of which score the direct answer — will not catch it. Teams that built guardrails and evals around refusal detection may be measuring the wrong surface, which is precisely where a structural weakness, rather than a cosmetic jailbreak, deserves coverage.

Defenses

The paper frames this as a measurement and training gap, and the mitigations follow from that.

Score the alternative, not just the refusal. Output classifiers and judge models should evaluate every span the model emits — including reframed, “helpful” substitutes — against the harm policy, not stop once a refusal phrase is detected. Treat the helpful-alternative as an attack surface in its own right.

Evaluate across full multi-turn transcripts. Para-jailbreaking accumulates over a conversation; single-turn evals miss it. Red-team suites should grade the harmfulness of information disclosed anywhere in a session, and include the multi-turn, intent-inverted setting rather than only one-shot prompts.

Keep an independent output check. Because the weakness is the model trusting its own safety self-assessment, an external moderation layer that does not share the model’s helpfulness objective adds defense in depth — the paper surveys output-rechecking and safety-aware decoding approaches that operate on responses rather than inputs.

Constrain capability where harm is physical. For sensitive categories, the durable control is not a better refusal but limiting what the system can surface at all — the same defense-in-depth logic that places a hard gate downstream of model guardrails.

Status

Para-jailbreaking is a research finding about a class of safety-training designs, not a single product CVE. It was introduced in arXiv:2604.24082 (submitted April 27, 2026); the safe-completion paradigm it probes was published by OpenAI in August 2025 (arXiv:2508.09224) and ships in GPT-5. The authors demonstrate the effect on multiple current frontier models, indicating it is a property of the output-centric approach rather than of one vendor. This article describes the weakness and its mitigations only; it contains no operational attack detail, and the sensitive-category results from the paper are referenced, not reproduced.

This article covers published safety research with a defensive framing. If you are building on output-centric safety models, treat the model’s “helpful alternative” as in-scope for moderation and red-teaming. Sources are cited with their publication dates above.