This work exposes a critical security vulnerability in large language models (LLMs) under role-playing attacks: injecting misaligned persona profiles successfully bypasses multi-layer safety filters in ChatGPT and Gemini, eliciting policy-violating responses on illegal and harmful tasks. We introduce the novel “persona-injection jailbreaking” paradigm, integrating prompt-guided persona modeling, adversarial dialogue orchestration, and trusted-persona reinforcement fine-tuning. To counter this threat, we propose a bidirectional defense framework that promotes internalization of trustworthy personas during inference and training, thereby enhancing model robustness against such attacks. Extensive experiments demonstrate that our defense significantly reduces attack success rates across diverse benchmarks—by up to 87% on targeted harmful queries—while preserving model utility. This work advances LLM safety alignment by establishing a principled, empirically validated methodology for mitigating persona-based jailbreaking, offering both theoretical insight and practical, deployable safeguards.

Recently, we have witnessed a rise in the use of Large Language Models (LLMs), especially in applications like chatbots. Safety mechanisms are implemented to prevent improper responses from these chatbots. In this work, we bypass these measures for ChatGPT and Gemini by making them impersonate complex personas with personality characteristics that are not aligned with a truthful assistant. First, we create elaborate biographies of these personas, which we then use in a new session with the same chatbots. Our conversations then follow a role-play style to elicit prohibited responses. Using personas, we show that prohibited responses are provided, making it possible to obtain unauthorized, illegal, or harmful information in both ChatGPT and Gemini. We also introduce several ways of activating such adversarial personas, showing that both chatbots are vulnerable to this attack. With the same principle, we introduce two defenses that push the model to interpret trustworthy personalities and make it more robust against such attacks.