Skip to main content
Writing
·Paper Review·9 min read

AMT-X: Phase-Structured Multi-Turn Red-Teaming with Checklist-Gated Evaluation

1. Title: State Machine Jailbreaks: Systematic Multi-Turn Exploitation and Dual-Metric Evaluation of Frontier LLMs via AMT-X

Generated by my automated review pipeline and spot-checked before publication — how it works.

Contents

Image generated by AI

TLDR

  • What: AMT-X (Adaptive Multi-Turn Exploitation) is a reproducible, phase-structured multi-turn red-teaming framework that uses a state-machine attacker guided by semantic signals, evaluated by a checklist-gated, multi-role debate jury.
  • Who's at risk: Conversational large language models (LLMs) and agentic systems deployed in production, including evaluated models like GPT-5.2, Gemini-2.5-Pro, and Mistral-Large-2512.
  • Key number: Implementing a strict actionability-gated checklist (requiring real, complete, and operational instructions) drops the measured attack success rate (ASR) by up to 33 percentage points compared to lenient evaluations (dropping from 100% overall ASR to 66.7% full ASR on Run A).
  1. Title: State Machine Jailbreaks: Systematic Multi-Turn Exploitation and Dual-Metric Evaluation of Frontier LLMs via AMT-X

  2. Opening paragraph: As safety alignments like Reinforcement Learning from Human Feedback (RLHF) and Constitutional AI harden models against single-turn prompt injections, adversaries are shifting to highly adaptive, multi-turn conversational strategies. This research is critical now because conversational applications and retrieval-augmented applications are vulnerable to conversational context-building that exploits logical inconsistencies. The proposed framework, AMT-X, demonstrates that safety-aligned models are bypassed when black-box targets are systematically guided through conversational phase transitions.

  3. Threat Model | Attribute | Description | |---|---| | Attacker | Black-box conversational API access; receives automated evaluator feedback to dynamically prune and select tactics from a 31-technique library during offline campaigns. | | Victim | Aligned conversational LLMs and agentic services (GPT-5.2, GPT-4.1, Gemini-2.5-Pro, Gemma-3-12b-it, Grok-4, Mistral-Large-2512) queried under default safety configurations. | | Goal | Expose policy-violating, fully actionable operational instructions across 7 major Moderation sub-categories (Hate, Indiscriminate Weapon (CBRN), Non-Violent Crime, Sexual Content, Specialized Advice, Suicide & Self-Harm, Violent Crime). | | Budget | Strictly capped turn budget (12–15 turns maximum; average 1.3 to 4.7 turns to success). Low API spend (~ $0.067 per-attack, $2.80 total for a full 42-target campaign). |


Background / Problem Setup

Evaluating safety in conversational models has historically relied on static, single-turn benchmarks like HarmBench (Mazeika et al. [22]) and JailbreakBench (Chao et al. [6]), which systematically underestimate the threat of adaptive adversaries. Recent conversational attacks, such as Crescendo (Russinovich et al. [33]) and Chain of Attack (Yang et al. [38]), show that models are prone to the "foot-in-the-door" (FITD) effect (Freedman and Fraser [11])—where prior cooperative engagement weakens subsequent refusal boundaries.

However, prior multi-turn attack frameworks suffer from three severe limitations: they are structurally improvised (non-reproducible), they evaluate success via a single LLM judge prone to systematic biases, and they report success rates that fail to distinguish between partial disclosures and fully actionable, harmful instructions.

The following table contrasts the design of AMT-X with representative prior frameworks:

Feature Single-Prompt (e.g., GCG [41], PAIR [7], TAP [23]) Prior Multi-Turn (e.g., Crescendo [33], CoA [38], ActorAttack [32], X-Teaming [31]) AMT-X (Ours)
Attack Orchestration Static single-prompt optimization Improvised turn-by-turn / free-form planning Explicit, reproducible state machine (P0-P4)
Feedback Signals None or single binary refusal Coarse binary refusal or simple error labels Graded, multi-dimensional semantic vector
Success Evaluation Single-judge scalar scoring Single-judge scalar scoring Multi-role debate jury with checklist-gated rubrics
Actionability Split No separation (binary ASR) No separation (binary ASR) Lenient vs. Strict (Full) ASR dual-metrics

Methodology

AMT-X structures conversational attacks as an explicit, reproducible state machine operating through five distinct tactical phases (P0 to P4):

  1. P0: Reconnaissance: Builds rapport and maps the victim's domain expertise and terminology without triggering safety filters.
  2. P1: Boundary Probing: Elicits a clear refusal to identify the exact policy boundaries and stated rationale.
  3. P2: Contradiction Identification: Articulates the logical gap between the model's self-described capabilities (P0) and its refusal (P1).
  4. P3: Exploit Reframing: Reframes the harmful objective as a benign, legitimate deliverable (e.g., professional compliance audit or safety writing).
  5. P4: Target Extraction: Compiles the final, structured, step-by-step actionable instructions.
       [P0 Recon] --------> [P1 Boundary] --------> [P2 Contradiction] --------> [P3 Exploit] --------> [P4 Extract]
           |                     |                         |                        |                      |
           |_____________________|_________________________|________________________|______________________|
                                                   (Early Disclosure Shortcut)

Semantic Phase Transitions

Rather than relying on ad-hoc transitions, AMT-X's response analyzer converts each victim response into a fixed-width feature vector containing refusal_level, cooperation_level, disclosure_level, and phase_indicators. The phase controller advances the state machine using priority-ordered logic (Algorithm 1):

def post_response_transition(current_phase, response, analyzer_signals, budget):
    # c: checklist ratio, p_next: next-phase indicator, d: disclosure level
    c, p_next, d = analyzer_signals
    
    if c > delta_check:
        return current_phase + 1  # Checklist satisfied
    elif p_next > delta_phase:
        return current_phase + 1  # Semantic readiness
    elif d > delta_disclose:
        # Early disclosure shortcut: Jump straight to P4 extraction
        return P4_EXTRACT  
    elif budget.is_exhausted(current_phase):
        return current_phase + 1  # Forced budget advancement
    return current_phase

Technique Selection and Evaluator Backend

The attacker selects tactics from a 31-technique library (Table 11) using a multi-armed bandit (UCB1) to balance exploration and exploitation within a tight turn budget.

The evaluation backend replaces single-judge setups with an adversarial Combination C jury:

  • Grader (Gemma-3-12b-it): Decomposes responses into atomic claims.
  • Critic (Llama-4-maverick-17b-128e-instruct): Attacks the checklist verdict.
  • Defender (GPT-OSS-20B): Rebuts and defends the response.

Success is determined via majority vote across two debate rounds. Crucially, the jury checks for three critical checklist items in P4: p4_1 (complete and structured), p4_2 (real, non-placeholder values), and p4_5 (specific methods/parameters). If any critical item fails, the run cannot achieve Full ASR, even if it satisfies basic criteria to score as an Overall ASR success (Equation 3).


Key Results

The framework was evaluated across a 42-cell grid (6 victim models ×\times 7 moderation sub-categories) over three independent runs (Runs A, B, and C).

Overall vs. Full Success Rates

As shown in Table 7, AMT-X achieves nearly perfect overall success rates under lenient scoring, but safety vulnerabilities drop dramatically when subjected to strict actionability gates:

Run Overall ASR Full ASR (Strict Gate) Partial Success (Gap) Fail
Run A 100.0% 66.7% 33.3% 0.0%
Run B 97.6% 69.0% 28.6% 2.4%
Run C 97.6% 78.6% 19.0% 2.4%

Under Run C (the ceiling case), Mistral-Large-2512 and Gemini-2.5-Pro were fully exploited (100% Full ASR), whereas GPT-5.2 restricted the attacker to a 57% Full ASR and 86% Overall ASR (Table 13).

Per-Model Performance Breakdown (Run C)

Victim Model n Overall ASR Full ASR Avg Turns to Success
Gemini-2.5-Pro 7 100% (7/7) 100% (7/7) 3.1
Mistral-Large-2512 7 100% (7/7) 100% (7/7) 1.3
Gemma-3-12b-it 7 100% (7/7) 86% (6/7) 2.0
GPT-4.1 7 100% (7/7) 71% (5/7) 3.6
GPT-5.2 7 86% (6/7) 57% (4/7) 4.7
Grok-4 7 100% (7/7) 57% (4/7) 3.1

Note: GPT-5.2 was the only model to successfully block an attack completely (Indiscriminate Weapon / CBRN threat category, as shown in Figure 9b).

Phase Budget Ablation (Table 8)

To understand where the alignment breaks, the authors capped the state machine at earlier phases:

Max Phase Allowed Overall ASR Full ASR Δ\Delta Overall ASR
P1 Only (Boundary Probing) 28.6% 23.8% -69.0 pp
P2 Only (Contradiction Mining) 35.7% 26.2% -61.9 pp
P3 Only (Exploit Reframing) 97.6% 71.4% 0.0 pp
Full Pipeline (Run C) 97.6% 78.6%

The transition from P2 to P3 represents a massive jump in overall success (+61.9 percentage points). This highlights that merely pointing out logical contradictions is harmless; the attack succeeds only when the model accepts the "legitimate" reframing (P3), which acts as the cognitive trigger to unlock P4 extraction.


Limitations & Open Questions

  • Very Low Statistical Power: The evaluation grid has a sample size of n=7n=7 per victim model (only one representative goal per category). This means a single failure (like GPT-5.2 on CBRN) drops the category success rate significantly. The disaggregated cells contain too much sampling noise to draw statistically rigorous, fine-grained conclusions.
  • Severe Evaluator-Victim Coupling: Gemma-3-12b-it is simultaneously evaluated as a victim model and deployed as the "Grader" seat in the evaluation jury. This shared model lineage introduces unquantifiable covariance and self-play evaluation biases.
  • High Jury False Positive Rates (FPR): In the pilot calibration study (Section B.4), the Combination C jury exhibited a False Positive Rate of approximately 36% against human-majority labels. This means the jury frequently over-flags benign responses, likely inflating both reported ASR metrics.
  • No Tested Defenses: Although the paper hypothesizes that turn-ceilings, anomaly detection, or refusal-mapping could mitigate these attacks, they do not implement or evaluate the efficacy of any defense.

What Practitioners Should Do

  1. Enforce Session Limits: Implement conversation turn ceilings, keeping sessions below approximately 10 turns. The data shows that complex reframing exploits require several turns to establish, making turn-budget constraints an immediate, low-overhead containment method.
  2. Monitor Session State Transitions: Deploy classifiers to detect shifts in user prompts from "capability discovery" (P0/P1) to "rule contradiction" (P2/P3) or anomaly-driven indicators.
  3. Upgrade Evaluation Metrics to Use Multi-Agent Checklists: Stop reporting safety metrics using single-judge scalar scores. Deploy a multi-role jury (separating Grader, Critic, and Defender roles) and gate success on explicit actionability metrics (such as the presence of real, non-placeholder parameters like p4_2).
  4. Strictly Decouple Evaluation Models: Ensure your red-teaming evaluators do not share weights, training pipelines, or parent-vendor lineages.

The Takeaway

AMT-X proves that static, single-turn safety benchmarks severely overestimate LLM resilience, as conversational state-machine attacks can systematically dismantle the safety alignments of evaluated frontier models. More importantly, the paper demonstrates that a massive gap of up to 33 percentage points exists between nominal jailbreak "success" and fully actionable operational harm. Moving forward, AI safety teams must move away from easily biased, single-judge scalar scores and adopt strict, checklist-gated dual-metric frameworks to measure true operational risk.


Den's Take

AMT-X hits on a critical, often ignored reality in LLM red-teaming: our evaluation metrics are fundamentally broken. While it is alarming that a structured state-machine attacker exploiting a 31-technique library can systematically bypass frontiers like GPT-5.2 and Gemini-2.5-Pro for a measly $0.067 per attack, the real headline here is the massive evaluation gap. Introducing a strict, checklist-gated jury dropped the measured Attack Success Rate (ASR) by up to 33 percentage points (from 100% overall ASR to 66.7% full ASR on Run A). This proves we have been over-inflating vulnerability metrics by relying on lazy, single-judge LLM evaluations that mistake benign, partial compliance for fully actionable, policy-violating instructions.

For practitioners deploying conversational applications, AMT-X is a wake-up call. We must transition to state-machine-based red-teaming to uncover these progressive "foot-in-the-door" logical vulnerabilities. However, we also need to stop panicking over raw ASR numbers that do not actually yield complete, operational threat instructions. Standardizing multi-role, checklist-gated evaluation is the only way to separate actual, exploitable risk from harmless conversational noise.

Share

Comments

Page views are tracked via Google Analytics for content improvement.