Saved in:
Bibliographic Details
Main Authors: Zhu, Daniel, Wang, Zihan, Bao, Xuchan, Wei, Jerry
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.00267
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913088158040064
author Zhu, Daniel
Wang, Zihan
Bao, Xuchan
Wei, Jerry
author_facet Zhu, Daniel
Wang, Zihan
Bao, Xuchan
Wei, Jerry
contents As language model safeguards become more robust, attackers are pushed toward developing increasingly complex jailbreaks. Prior work has found that this complexity imposes a "jailbreak tax" that degrades the target model's task performance. We show that this tax scales inversely with model capability and that the most advanced jailbreaks effectively yield no reduction in model capabilities. Evaluating 28 jailbreaks on five benchmarks across Claude models ranging in capability from Haiku 4.5 to Opus 4.6, we find Haiku 4.5 loses an average of 33.1% on benchmark performance when jailbroken, while Opus 4.6 at max thinking effort loses only 7.7%. We also observe that across all models, reasoning-heavy tasks display considerably more degradation than knowledge-recall tasks. Finally, Boundary Point Jailbreaking, currently the strongest jailbreak against deployed classifiers, achieves near-perfect classifier evasion with near-zero degradation across safeguarded models. We recommend that safety cases for frontier models should not rely on a meaningful capability degradation from jailbreaks.
format Preprint
id arxiv_https___arxiv_org_abs_2605_00267
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Jailbroken Frontier Models Retain Their Capabilities
Zhu, Daniel
Wang, Zihan
Bao, Xuchan
Wei, Jerry
Machine Learning
Artificial Intelligence
Cryptography and Security
As language model safeguards become more robust, attackers are pushed toward developing increasingly complex jailbreaks. Prior work has found that this complexity imposes a "jailbreak tax" that degrades the target model's task performance. We show that this tax scales inversely with model capability and that the most advanced jailbreaks effectively yield no reduction in model capabilities. Evaluating 28 jailbreaks on five benchmarks across Claude models ranging in capability from Haiku 4.5 to Opus 4.6, we find Haiku 4.5 loses an average of 33.1% on benchmark performance when jailbroken, while Opus 4.6 at max thinking effort loses only 7.7%. We also observe that across all models, reasoning-heavy tasks display considerably more degradation than knowledge-recall tasks. Finally, Boundary Point Jailbreaking, currently the strongest jailbreak against deployed classifiers, achieves near-perfect classifier evasion with near-zero degradation across safeguarded models. We recommend that safety cases for frontier models should not rely on a meaningful capability degradation from jailbreaks.
title Jailbroken Frontier Models Retain Their Capabilities
topic Machine Learning
Artificial Intelligence
Cryptography and Security
url https://arxiv.org/abs/2605.00267