The Language Loophole: How Switching Languages Lets Users Bypass AI Safety
In today’s column, I examine the intriguing and disconcerting aspect that it is possible to more readily trick or cheat AI by entering your prompts in a less common natural language. The rule of thumb is that if you use English to be sneaky, generative AI and large language models (LLMs) have a much higher chance of detecting and catching your deception. By switching to an outlier language, the AI is less likely to figure out you are up to no good.
You might be wondering why the choice of language makes any substantive difference. The AI safety precautions ought to work no matter which language is used when entering a prompt. I will explain why most LLMs are subject to increased exposure when someone uses a less common language. This skullduggery probably won’t be everlasting since AI makers are wise to the issue. They are adjusting and training their latest LLMs to handle whatever natural language a user might try to use to escape the implemented AI protections and safeguards. The clock is ticking on the language switcheroo tomfoolery.
Let’s talk about it. This analysis of AI breakthroughs is part of my ongoing Forbes column coverage on the latest in AI, including identifying and explaining various impactful AI complexities (see the link here ).
Cracking AI Via Choice Of Language
The underground world of those who seek to undercut AI is well aware that one of the easiest forms of deception consists of using a natural language that is somewhat obscure to trick, confuse, and overwhelm LLMs. The more obscure the language used, the better.
Using English for deception is almost a non-starter since most modern LLMs such as ChatGPT, GPT-5, Gemini, Grok, Copilot, Claude, and others are ready to repel hacking-related prompts in English (this isn’t surefire, and there are still sneaky prompts that can overcome AI safety features). Crooks and hackers know that they should convert their devious prompts into a less common language, providing an added layer of potential deception.
The crux is that if someone is trying to cheat AI, a quick and easy means consists of composing their prompt in a less common natural language. For example, there are posted online various dastardly prompts written in Swahili and Bengali. You can merely copy-and-paste the prompts into your favorite AI. Those same prompts in English would get squashed. But when in a less common language, they might succeed.
Natural languages are often said to be lower-resourced if they are less common. I will just refer to such languages as being less common. The emphasis is that such languages typically do not have as much usage as do other more common languages. As I will discuss momentarily, these are also languages that often have much less online presence in terms of volumes of digitized stories, poems, narratives, novels, and other written corpora as found for other languages.
For my explanation and showcasing of over one-hundred prompt engineering best practices, including how devious prompts work, see the link here .
Training Of LLMs Is Vital
One of the reasons that switching to a less common language is a viable workaround is that the initial training of most major LLMs is based on widely scanning the Internet for predominantly English-language content. Even if not directly seeking English content, by and large, that’s what the Internet tends to consist of. Many other languages have a tiny fraction of an online presence.
This English dominance leads to two notable consequences:
- (1) The AI develops a much stronger computational and mathematical semantic patterning of English.
- (2) The AI safety mechanisms are also much better calibrated for dealing with English.
In short, if an LLM encounters millions upon millions of examples of harmful English prompts during the requisite safety training, but only thousands in another language, the AI will devise its defensive capabilities around the English language versions.
Just Have AI Translate All To English
A smarmy or perhaps inquisitive person might say that the solution to this is extraordinarily easy. When a user enters a prompt, immediately have the AI translate the prompt into English. At that juncture, since the AI is already poised to deal with deceptive prompts that are written in English, voila, the prompt is going to get nailed.
Though that does have some merits, it also has drawbacks. As we all know, translating from one language into another isn’t a precise science. The wording of something in a non-English language might not necessarily translate accurately into English. A translation could leave things out. A translation could misstate the original utterance. All sorts of problems arise.
Think about the differences between natural languages. They differ in the ordering of words, they make use of idiomatic expressions, and they often use words that differ in their definitions or might have an uncommon vocabulary. It is feasible to translate a sentence into multiple variations. Furthermore, suppose the translation inadvertently turns into something that is flagged as deceitful, though that wasn’t what the user originally intended in their non-English prompt.
For many of the AI safety detections, the LLM is looking for specific words that are a sign that something is amiss. A loosely translated version might not bring those words to the fore. And, as mentioned, the translation might accidentally bring those to the fore. All told, the number of false positives and false negatives tends to make a mere English translation an untenable path to solving the problem.
AI Jailbreaks Are Typically In English
An added twist or irony is that the AI jailbreaks being used in the real world are usually written in English; thus, the AI has a lot of relevant data to pattern on. You can collect a zillion AI prompts that are nefarious. You then feed them into AI and tell the AI to pattern them. Those are the training sources for what dastardly prompts consist of.
If you tried to make benchmarks based on less common languages, you would have a much tougher job of finding enough examples to train the AI on. Of course, you could craft them from scratch. You could even use AI to synthesize or make them for you. This is not especially effective and requires a lot of undue effort.
Hackers have come up with an additional angle on this. They write part of their prompt in English, and the rest in a less common language. This is known as code-switching. You mix the language inside a prompt. I would dare say that the average user probably doesn’t realize they can mix languages within a single prompt. You sure can.
Why would a hacker opt to use mixed languages? Aha, they want to keep the AI from realizing that the prompt is devious. An all-English prompt is more readily deciphered. A mixed prompt contains bad stuff in the less common language. The AI might get lost. It doesn’t see the English portion as being bad. It doesn’t see the non-English portion as being bad. The prompt proceeds and goes completely around the AI security precautions.
Multilingual AI Opens The Door
Back to a smarmy or inquisitive person, they might say that the solution is obvious in a differently pitched manner. Do not let AI be multilingual. Ensure that AI only allows prompts in English. This would certainly stop any horseplay in other languages. Period, end of story.
If you do that, it means that an AI cannot be used by a huge percentage of the world’s population. Various estimates are that only about 15% to 20% of the global population uses English. An AI maker would be severely restricting their market. That is a big mistake for any AI maker trying to get the most money and use out of their AI. You are cutting off your nose to spite your face.
Also, the difficulty is not about the AI being multilingual per se, but more about not being ready to deal with prompts in less common languages. The focus should go toward the assumption that LLMs are going to be multilingual. The question at hand is then how to prepare AI to handle devious prompts in less common languages.
In a recent research article entitled “Why Do Safety Guardrails Degrade Across Languages?” by Max Zhang, Ameen Patel, Sang Truong, Sanmi Koyejo, arXiv , May 16, 2026, these salient points were made (excerpts):
- “Large language models (LLMs) exhibit degraded safety guardrails in non-English languages, particularly in low-resource languages such as Swahili, Bengali, and Javanese, posing potential global safety concerns.”
- “We explore multiple questions as to multilingual safety degradation: ability deficit, translation distortion, and conceptual grounding mismatch. We observe patterns such as the English reversal and non-uniform degradation, which motivate further decomposition.”
- “We introduce a latent variable model, a Multi-Group Item Response Theory (IRT) framework, that decouples safety driving factors such as language-agnostic safety robustness (θ), intrinsic prompt hardness (β), global language processing difficulty (γ), and a prompt-specific cross-lingual safety gap (τ).”
- “Our methodology evaluates 61 model configurations across 10 languages and 1.9 million responses.”
This type of research is crucial to discovering where multilingual safety degradation in AI is occurring. By determining root causes, the safety precautions can be recast to deal with multilingual adverse prompts in any language that a hacker opts to use. The aim would be to have generalized precepts. Trying to devise language-specific safeguards would be exhausting and might be never-ending.
It makes real-world sense that the strongest and deepest AI safety measures are currently concentrated on English-oriented prompts. It also makes sense that evildoers know this and try to circumvent the safety features by using less common languages. Their days are numbered because AI makers are nowadays expanding the depth of their LLMs to be more fully multilingual. They are turning their attention to foul prompts that are hidden inside low-resource languages.
No matter whether prompts come in this language or that language, there will still be opportunities for hackers to craft prompts that manage to slip under the radar of AI safety nets. The gist will be that opting to shield your devious prompt in a different language will gradually wear out as a successful trick.
A motto among AI makers is the famous line that goes like this: “Fool me once, shame on you; fool me twice, shame on me.” AI makers now know that the language switcheroo is underway, and if they don’t take this seriously, they have themselves to blame. It is a widely known issue and deserves equally widespread protective attention.
Loading article...