COMMENTARY: Jailbreaking AI systems has become a real problem. It’s also distracting teams from the bigger security failures.
The techniques are getting more inventive, the models are getting more capable, and the examples keep piling up. But the actual risk isn't that someone finds a clever enough prompt to make a chatbot say something it shouldn't.
[
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Today, teams are treating prompt-level protection as though it covers the whole surface. Then they ship products that talk to customers, handle transactions, and
interact with children based on that assumption. The security surface is much larger.
Look at
what actually happened to Bondu. They built an AI-powered plush toy for children and spent 18 months on
jailbreak protections, a serious, sustained engineering effort to keep those conversations safe. That distracted them from securing anything else. Security researchers logged into the company's web portal with a Gmail account — no exploit or credential stuffing required, just a login — and from there they were looking at 50,000-plus children's chat transcripts, names, birth dates, and family details sitting in the open.
That wasn’t a jailbreak failure. It was a basic security failure: authentication, access control, and data exposure. Jailbreaking was just the part they knew to worry about.
It’s a pattern that keeps showing up, and it's not unique to consumer AI products. In September 2025,
a Chinese state-backed group jailbroke Claude Code and reportedly used it to autonomously attack roughly 30 organizations.
The attackers were methodical: they broke the operation into small tasks that looked harmless in isolation and told Claude it was a cybersecurity firm running defensive tests.
Claude executed nearly 90% of the operation independently, at thousands of requests per second, and several targets were breached. It was the first
reported case of a nation-state using AI to largely automate a cyberespionage campaign, not some theoretical future risk.
The point isn't that jailbreak protection doesn't matter. It's that protection against one specific vector becomes a false sense of security when it's the only security protection we’ve built. We can’t just harden the prompt, but leave everything else — the infrastructure, the tooling layer, the data that the model touches, the permissions the model has — as an afterthought.
The problem nobody wants to pay for
These prompt injection problems are real and still unsolved. We tend to first run a specialized injection detection model and team it up with a specialist trained to catch prompt injection before it reaches the primary AI. But running a second model means managing inference, adding latency, and operating a separate system alongside the actual product. For most teams building AI applications — product teams rather than security specialists — that's overhead they didn't plan for and don't have the expertise to run. That’s why there are many products developers can use to help detect these problems.
But even when the detection layer works perfectly, it only covers the prompt, which represents one vector in a system that increasingly has many. AI agents are calling tools, making API requests, reading and writing to datastores, taking actions in the world. And they're doing it with capabilities, tool access, API credentials, elevated permissions, that no human engineer would get without review.
Nobody reviews whether the agent should have root access. The industry has spent enormous energy on what goes into the model and almost no attention on what the model does next: what it's been given access to, what it can touch, what happens when those permissions are abused, directly or indirectly with those permissions gets pointed in the wrong direction. That's where the next wave of failures will come from, and the infrastructure for catching it barely exists yet.
Jailbreaking: just one attack path
AI security keeps getting treated as its own separate discipline, something we bolt on after the AI decisions are made. Bondu didn't have a jailbreaking problem. They had a security problem. The techniques that matter for AI security are the same techniques that have always mattered for application security, just applied to new surfaces.
This means the fix isn't to build more elaborate prompt defenses in isolation, but to build policy enforcement into the application layer, into the code and the infrastructure rather than a separate system that isn’t connected to the application context. When guardrails live outside the codebase, they become someone else's problem, and that's consistently how breaches happen.
It also means not spending engineering time reinventing what already exists as a service. Bondu would have been better served using proven security tooling and spending their engineering effort on what actually differentiated their product.
Most teams building AI applications are not security companies, and when they build bespoke detection systems and maintain custom guardrail infrastructure they typically end up with a worse product and worse security than if they'd made better use of what was already available.
The security surface will always keep expanding, and any defense built against today's threat model will need to move with it. The jailbreaking techniques that works now won't be the most relevant ones in six months. And, static defenses are a losing position regardless of how good those defenses might seem.
Jailbreaking matters, but it’s only one attack path. The bigger risk: treating it as the whole problem and ignoring the rest of the system.
When AI products gain access to more data, more tools, and more authority to act, the fundamentals of security matter more, not less: least privilege, strong isolation, careful access control, and clear boundaries around what the system can do. Teams that follow these best practices will avoid the most damaging failures.
David Mytton, chief executive officer, ArcjetSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.