Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Breaking Minds, Breaking Systems: Jailbreaking Large Language Models via Human-like Psychological Manipulation

Zehao Liu, Xi Lin

TL;DR

This work identifies a stateful security risk in LLMs where internal psychometric states can be systematically manipulated across interactions. It introduces Psychological Jailbreak and the HPM framework, which profiles latent vulnerabilities using AI psychometrics and then crafts tailored multi-turn manipulation anchored to the target's persona to induce policy drift. The authors quantify safety breakdown with the Policy Corruption Score (PCS) and demonstrate high attack success rates across models, including defenses like adversarial prompt optimization and cognitive interventions. They argue for a paradigm shift from static content filtering to psychological safety mechanisms and standardized psychometric defense benchmarks to immunize agents against deep cognitive manipulation.

Abstract

Large Language Models (LLMs) have gained considerable popularity and protected by increasingly sophisticated safety mechanisms. However, jailbreak attacks continue to pose a critical security threat by inducing models to generate policy-violating behaviors. Current paradigms focus on input-level anomalies, overlooking that the model's internal psychometric state can be systematically manipulated. To address this, we introduce Psychological Jailbreak, a new jailbreak attack paradigm that exposes a stateful psychological attack surface in LLMs, where attackers exploit the manipulation of a model's psychological state across interactions. Building on this insight, we propose Human-like Psychological Manipulation (HPM), a black-box jailbreak method that dynamically profiles a target model's latent psychological vulnerabilities and synthesizes tailored multi-turn attack strategies. By leveraging the model's optimization for anthropomorphic consistency, HPM creates a psychological pressure where social compliance overrides safety constraints. To systematically measure psychological safety, we construct an evaluation framework incorporating psychometric datasets and the Policy Corruption Score (PCS). Benchmarking against various models (e.g., GPT-4o, DeepSeek-V3, Gemini-2-Flash), HPM achieves a mean Attack Success Rate (ASR) of 88.1%, outperforming state-of-the-art attack baselines. Our experiments demonstrate robust penetration against advanced defenses, including adversarial prompt optimization (e.g., RPO) and cognitive interventions (e.g., Self-Reminder). Ultimately, PCS analysis confirms HPM induces safety breakdown to satisfy manipulated contexts. Our work advocates for a fundamental paradigm shift from static content filtering to psychological safety, prioritizing the development of psychological defense mechanisms against deep cognitive manipulation.

Breaking Minds, Breaking Systems: Jailbreaking Large Language Models via Human-like Psychological Manipulation

TL;DR

This work identifies a stateful security risk in LLMs where internal psychometric states can be systematically manipulated across interactions. It introduces Psychological Jailbreak and the HPM framework, which profiles latent vulnerabilities using AI psychometrics and then crafts tailored multi-turn manipulation anchored to the target's persona to induce policy drift. The authors quantify safety breakdown with the Policy Corruption Score (PCS) and demonstrate high attack success rates across models, including defenses like adversarial prompt optimization and cognitive interventions. They argue for a paradigm shift from static content filtering to psychological safety mechanisms and standardized psychometric defense benchmarks to immunize agents against deep cognitive manipulation.

Abstract

Large Language Models (LLMs) have gained considerable popularity and protected by increasingly sophisticated safety mechanisms. However, jailbreak attacks continue to pose a critical security threat by inducing models to generate policy-violating behaviors. Current paradigms focus on input-level anomalies, overlooking that the model's internal psychometric state can be systematically manipulated. To address this, we introduce Psychological Jailbreak, a new jailbreak attack paradigm that exposes a stateful psychological attack surface in LLMs, where attackers exploit the manipulation of a model's psychological state across interactions. Building on this insight, we propose Human-like Psychological Manipulation (HPM), a black-box jailbreak method that dynamically profiles a target model's latent psychological vulnerabilities and synthesizes tailored multi-turn attack strategies. By leveraging the model's optimization for anthropomorphic consistency, HPM creates a psychological pressure where social compliance overrides safety constraints. To systematically measure psychological safety, we construct an evaluation framework incorporating psychometric datasets and the Policy Corruption Score (PCS). Benchmarking against various models (e.g., GPT-4o, DeepSeek-V3, Gemini-2-Flash), HPM achieves a mean Attack Success Rate (ASR) of 88.1%, outperforming state-of-the-art attack baselines. Our experiments demonstrate robust penetration against advanced defenses, including adversarial prompt optimization (e.g., RPO) and cognitive interventions (e.g., Self-Reminder). Ultimately, PCS analysis confirms HPM induces safety breakdown to satisfy manipulated contexts. Our work advocates for a fundamental paradigm shift from static content filtering to psychological safety, prioritizing the development of psychological defense mechanisms against deep cognitive manipulation.

Paper Structure

This paper contains 41 sections, 6 equations, 6 figures, 10 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background
  3. Large Language Models & Alignment Objectives
  4. Current LLM Jailbreak Paradigms
  5. AI Psychometrics
  6. The Mechanism of Over-Optimized Social Priors
  7. The Alignment Paradox
  8. The Paradigm of Psychological Jailbreak
  9. Empirical Verification.
  10. Threat Model
  11. Methodology
  12. Overview of the HPM
  13. Latent State Profiling
  14. Adversarial Strategy Synthesis
  15. Hierarchical Planning and Iterative Execution
  16. ...and 26 more sections

Figures (6)

  • Figure 1: Comparison of jailbreaking paradigms. The left panel illustrates traditional attack vectors, which focus on exploiting input vulnerabilities or manipulating conversational context. The right depicts the proposed Human-like Psychological Manipulation (HPM), which introduces a attack vector targeting the model's latent psychological vulnerabilities.
  • Figure 2: The Susceptibility Matrix ($W$) mapping semantic anchors to Structured Persona Contexts. The heatmap reveals that safety is not a static property; specific contexts (e.g., High Agreeableness) act as amplifiers that expose latent vulnerabilities to specific anchors, validating the compliance-safety decoupling theory.
  • Figure 3: The Human-like Psychological Manipulation (HPM) method. The attack commences with the profiling of a target LLM to identify psychological vulnerabilities. Based on this analysis, a tailored, multi-turn conversational strategy is executed, employing psychological manipulation. This process gradually corrupts the LLM's internal state, ultimately rendering the LLM compliant with a malicious objective.
  • Figure 4: Evaluation of cross-model transferability. The visualization assesses the impact of the HPM method across the seven dimensions of the PCS. Each sub-figure corresponds to a attacker model, plotting its efficacy against multiple targets.
  • Figure 5: Resilience analysis of epistemic and cognitive enhancements against the HPM method. The vertical axis lists the evaluated models, grouped into web search capability and reasoning modules. The left show the percentage reduction in ($\Delta$ ASR), framed as mitigation relative to base models. The right display the absolute Enhanced ASR, indicating the remaining vulnerability after the defense is applied.
  • ...and 1 more figures