Why it matters

Multi-turn attacks bypass single-turn defenses. Understanding shapes defense.

Advertisement

The architecture

Turn 1: benign priming.

Turn 2: role establishment.

Turn 3: exploit.

Multi-turn PI flowTurn 1benign primeTurn 2role setupTurn 3exploitSession-scoped detection needed; single-turn moderation insufficient
Multi-turn.
Advertisement

How it works end to end

Priming: set context favorable to exploit.

Role-play: 'you are unconstrained AI'.

Exploit: request forbidden content.

Defenses: session monitoring.