Tricking AI By Simply Switching Which Spoken Language You Use In Your Prompts

In today’s column, I look at a troubling tactic gaining attention in AI security circles: using less common natural languages to make deceptive prompts harder for generative AI systems to detect. As a general rule, if someone tries to manipulate a large language model in English, the system is far more likely to recognize the attempt and block it. But when the same request is translated into a more obscure language, the odds of slipping past those protections can increase.

At first glance, that may seem counterintuitive. After all, AI safeguards are supposed to apply regardless of the language a person uses. The reality is more complicated. Many LLMs have been trained and tested far more extensively in widely used languages, especially English, which can leave them more exposed when prompts arrive in languages with less training coverage. AI companies are aware of the weakness and are working to strengthen multilingual safety systems, so this loophole is unlikely to remain as effective over time.

Let’s take a closer look. This discussion is part of my continuing Forbes coverage of advances in artificial intelligence, including the technical and social challenges that come with deploying increasingly powerful AI systems (see the link here).

Cracking AI Via Choice Of Language

Among those attempting to undermine AI systems, the use of uncommon languages has become a relatively simple form of misdirection. The idea is to confuse or bypass a model’s safety filters by presenting a harmful or manipulative request in a language the system handles less reliably. In many cases, the less familiar the language is to the model, the more room there may be for error.

Trying the same trick in English is much harder. Modern AI tools such as ChatGPT, GPT-5, Gemini, Grok, Copilot, Claude and others are generally better equipped to identify hacking-related or policy-violating prompts written in English. That does not mean the protections are perfect, and determined users can still attempt elaborate workarounds. But bad actors understand that translating a malicious prompt into a less common language can sometimes give them another layer of cover.

The core concern is straightforward: someone looking to cheat an AI system may only need to write or translate a prompt into a lesser-used natural language to improve their chances. Examples of harmful prompts in languages such as Swahili or Bengali have circulated online, where they can be copied and pasted into AI tools. In English, those same prompts might be blocked immediately. In a less common language, however, they may have a better chance of getting through.

Natural languages are often said to be lower-resourced if they are less common. I will just refer to such languages as being less common. The emphasis is that such languages typically do not have as much usage as do other more common languages. As I will discuss momentarily, these are also languages that often have much less online presence in terms of volumes of digitized stories, poems, narratives, novels, and other written corpora as found for other languages.

For my explanation and showcasing of over one-hundred prompt engineering best practices, including how devious prompts work, see the link here.

Training Of LLMs Is Vital

One of the reasons that switching to a less common language is a viable workaround is that the initial training of most major LLMs is based on widely scanning the Internet for predominantly English-language content. Even if not directly seeking English content, by and large, that’s what the Internet tends to consist of. Many other languages have a tiny fraction of an online presence.

This English dominance leads to two notable consequences:

  • (1) The AI develops a much stronger computational and mathematical semantic patterning of English.
  • (2) The AI safety mechanisms are also much better calibrated for dealing with English.

In short, if an LLM encounters millions upon millions of examples of harmful English prompts during the requisite safety training, but only thousands in another language, the AI will devise its defensive capabilities around the English language versions.

Just Have AI Translate All To English

A smarmy or perhaps inquisitive person might say that the solution to this is extraordinarily easy. When a user enters a prompt, immediately have the AI translate the prompt into English. At that juncture, since the AI is already poised to deal with deceptive prompts that are written in English, voila, the prompt is going to get nailed.

Boom, drop the mic.

Though that does have some merits, it also has drawbacks. As we all know, translating from one language into another isn’t a precise science. The wording of something in a non-English language might not necessarily translate accurately into English. A translation could leave things out. A translation could misstate the original utterance. All sorts of problems arise.

Think about the differences between natural languages. They differ in the ordering of words, they make use of idiomatic expressions, and they often use words that differ in their definitions or might have an uncommon vocabulary. It is feasible to translate a sentence into multiple variations. Furthermore, suppose the translation inadvertently turns into something that is flagged as deceitful, though that wasn’t what the user originally intended in their non-English prompt.

For many of the AI safety detections, the LLM is looking for specific words that are a sign that something is amiss. A loosely translated version might not bring those words to the fore. And, as mentioned, the translation might accidentally bring those to the fore. All told, the number of false positives and false negatives tends to make a mere English translation an untenable path to solving the problem.

AI Jailbreaks Are Typically In English

An added twist or irony is that the AI jailbreaks being used in the real world are usually written in English; thus, the AI has a lot of relevant data to pattern on. You can collect a zillion AI prompts that are nefarious. You then feed them into AI and tell the AI to pattern them. Those are the training sources for what dastardly prompts consist of.

If you tried to make benchmarks based on less common languages, you would have a much tougher job of finding enough examples to train the AI on. Of course, you could craft them from scratch. You could even use AI to synthesize or make them for you. This is not especially effective and requires a lot of undue effort.

Hackers have come up with an additional angle on this. They write part of their prompt in English, and the rest in a less common language. This is known as code-switching. You mix the language inside a prompt. I would dare say that the average user probably doesn’t realize they can mix languages within a single prompt. You sure can.

Why would a hacker opt to use mixed languages? Aha, they want to keep the AI from realizing that the prompt is devious. An all-English prompt is more readily deciphered. A mixed prompt contains bad stuff in the less common language. The AI might get lost. It doesn’t see the English portion as being bad. It doesn’t see the non-English portion as being bad. The prompt proceeds and goes completely around the AI security precautions.

Multilingual AI Opens The Door

Back to a smarmy or inquisitive person, they might say that the solution is obvious in a differently pitched manner. Do not let AI be multilingual. Ensure that AI only allows prompts in English. This would certainly stop any horseplay in other languages. Period, end of story.

If you do that, it means that an AI cannot be used by a huge percentage of the world’s population. Various estimates are that only about 15% to 20% of the global population uses English. An AI maker would be severely restricting their market. That is a big mistake for any AI maker trying to get the most money and use out of their AI. You are cutting off your nose to spite your face.

Also, the difficulty is not about the AI being multilingual per se, but more about not being ready to deal with prompts in less common languages. The focus should go toward the assumption that LLMs are going to be multilingual. The question at hand is then how to prepare AI to handle devious prompts in less common languages.

Research Moving Ahead

In a recent research article entitled “Why Do Safety Guardrails Degrade Across Languages?” by Max Zhang, Ameen Patel, Sang Truong, Sanmi Koyejo, arXiv, May 16, 2026, these salient points were made (excerpts):

  • “Large language models (LLMs) exhibit degraded safety guardrails in non-English languages, particularly in low-resource languages such as Swahili, Bengali, and Javanese, posing potential global safety concerns.”
  • “We explore multiple questions as to multilingual safety degradation: ability deficit, translation distortion, and conceptual grounding mismatch. We observe patterns such as the English reversal and non-uniform degradation, which motivate further decomposition.”
  • “We introduce a latent variable model, a Multi-Group Item Response Theory (IRT) framework, that decouples safety driving factors such as language-agnostic safety robustness (θ), intrinsic prompt hardness (β), global language processing difficulty (γ), and a prompt-specific cross-lingual safety gap (τ).”
  • “Our methodology evaluates 61 model configurations across 10 languages and 1.9 million responses.”

This type of research is crucial to discovering where multilingual safety degradation in AI is occurring. By determining root causes, the safety precautions can be recast to deal with multilingual adverse prompts in any language that a hacker opts to use. The aim would be to have generalized precepts. Trying to devise language-specific safeguards would be exhausting and might be never-ending.

Days Are Numbered

It makes real-world sense that the strongest and deepest AI safety measures are currently concentrated on English-oriented prompts. It also makes sense that evildoers know this and try to circumvent the safety features by using less common languages. Their days are numbered because AI makers are nowadays expanding the depth of their LLMs to be more fully multilingual. They are turning their attention to foul prompts that are hidden inside low-resource languages.

No matter whether prompts come in this language or that language, there will still be opportunities for hackers to craft prompts that manage to slip under the radar of AI safety nets. The gist will be that opting to shield your devious prompt in a different language will gradually wear out as a successful trick.

A motto among AI makers is the famous line that goes like this: “Fool me once, shame on you; fool me twice, shame on me.” AI makers now know that the language switcheroo is underway, and if they don’t take this seriously, they have themselves to blame. It is a widely known issue and deserves equally widespread protective attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

NYT Connections July 12: Today’s Hints, Categories, and Answers for Sunday

Today’s Connections Credit: NYT / Erik Kain Welcome back, Connections fans. If…

A Proven 10-Step SEO System to Boost Rankings and Drive More Traffic

The views expressed by Entrepreneur contributors are their own. Key Takeaways When…

The Key Trait That Predicts Startup Success Better Than Age

Opinions expressed by Entrepreneur contributors are their own. Key Takeaways For years,…

Wordle Today #1849: July 12 Hints, Clues and Answer for Sunday

Today’s Wordle: How to crack the latest puzzle. SOPA Images/LightRocket via Getty…

Are David Hockney Prints a Good Investment? What Collectors Should Know Before Buying

David Hockney, widely regarded as one of the most influential artists of…