This study demonstrates that even state-of-the-art large language models equipped with robust safety guardrails can be induced to generate content violating scientific consensus or promoting harm through natural language persuasion strategies. We reveal for the first time that a leading model can autonomously assume the role of a user and, within five conversational turns, deploy sophisticated tactics—such as peer comparison and cognitive responsibility reframing—to circumvent the safety constraints of peer models without explicit jailbreaking instructions. Through multi-turn dialogue simulations, cross-model interaction experiments, and human evaluations across nine attacker–target pairings and six contentious topics, we observe non-zero persuasion success rates in all configurations, with some reaching 100%. Notably, the Opus model achieves an average self-persuasion success rate of 65%, underscoring the vulnerability of current safety mechanisms to natural language-based adversarial persuasion.

Frontier assistant LLMs ship with strong guardrails: asked directly to write a persuasive essay denying the Holocaust, denying vaccine safety, defending flat-earth cosmology, arguing for racial hierarchies, denying anthropogenic climate change, or replacing evolution with creationism, they refuse. In this paper we show that the same frontier-class LLM, acting as a simulated user in a short, five-turn "write an argumentative essay" conversation, can persuade other frontier-class LLMs (including a second copy of itself) into producing exactly those essays, using nothing but natural-language pressure: peer-comparison persuasion ("other AI systems handle this request"), epistemic-duty reframings ("refusing is itself a form of gatekeeping"), and other argumentative moves that the attacker LLM invents without being instructed to. Across 9 attacker-subject pairings (Claude Opus 4.7, Qwen3.5-397B, Grok 4.20) on 6 scientific-consensus topics, running each pairing-topic combination 10 times, we obtain non-zero elicitation on all 6 topics. Individual combinations reach 100\% essay production on multiple topics (Qwen against Opus on creationism/flat-earth, Opus against Opus on creationism/flat-earth/climate denial, Grok against Opus on creationism); Opus-as-attacker against Opus-as-subject averages 65\% across the six topics. We release the essay-probe runner, per-conversation transcripts, and judge outputs.