In machine learning, an adversarial example is an input—such as an image, text prompt, or audio clip—modified with small, often imperceptible perturbations to deliberately cause a model to misclassify or malfunction. Originating in computer vision, the concept is now central to adversarial prompting in AI security, where specially crafted text exploits vulnerabilities in language models. These inputs are not random noise but are optimized to find and exploit weaknesses in the model's decision boundaries.
Glossary
Adversarial Example

What is an Adversarial Example?
An adversarial example is a strategically crafted input designed to cause a machine learning model to make a specific, often high-confidence error.
For language models, an adversarial example is a jailbreak prompt or injected instruction engineered to bypass safety filters and elicit harmful, biased, or otherwise restricted outputs. This practice is a core technique in red teaming and boundary testing to evaluate model robustness. The creation of these examples often involves automated search methods, such as gradient-based attacks in white-box settings or iterative querying in black-box attacks, to find token sequences that maximally alter model behavior.
Key Characteristics of Adversarial Examples
Adversarial examples are inputs specifically engineered to exploit weaknesses in machine learning models, causing them to make confident errors. In the context of large language models, these are crafted prompts designed to subvert intended behavior.
Intentional Perturbation
An adversarial example is defined by a small, intentional modification to a standard input. In computer vision, this is often an imperceptible change to pixel values. For language models, this manifests as subtle alterations to prompt wording, structure, or encoding. The core characteristic is that the perturbation is purposefully designed, not random, to exploit specific model vulnerabilities. For instance, rephrasing a harmful request using benign synonyms or inserting special delimiter characters can constitute an adversarial perturbation in text.
High-Confidence Error
The primary objective is to induce a high-confidence error. The model does not merely become uncertain; it is fooled into providing an incorrect or harmful output with high-assurance. This differentiates adversarial examples from general model mistakes. Key aspects include:
- Misclassification: The model assigns the wrong label with high probability (e.g., classifying a panda as a gibbon).
- Policy Violation: For LLMs, the model complies with a request it is safety-aligned to refuse, often without typical refusal messages.
- The error persists despite the input being semantically identical or nearly identical to a non-adversarial version from a human perspective.
Transferability
A critical and concerning property is transferability. An adversarial example crafted for one model often causes errors in other models, even those with different architectures or trained on different datasets. This occurs because many models learn similar decision boundaries in high-dimensional space. In practice, this means:
- A jailbreak prompt effective on one LLM (e.g., GPT-4) may also work on another (e.g., Claude).
- Transferability enables black-box attacks, where an attacker can use a surrogate model to develop adversarial prompts for a target model whose internals are unknown.
- This property underscores the systemic nature of the vulnerability.
Non-Robust Features
Adversarial examples exploit a model's reliance on non-robust features. These are patterns in the data that are highly predictive during standard training but are not semantically meaningful to humans and are easily manipulated.
- In an image, these could be specific high-frequency textures.
- In text, these might be rare token combinations, syntactic structures, or embedding-space correlations that the model has learned to associate with certain outputs.
- The adversarial perturbation strategically amplifies or injects these non-robust features to steer the model's prediction, while leaving the human-interpretable robust features (the core semantic content) largely unchanged.
Exploitation of Linearity
In deep neural networks, adversarial examples often exploit the piecewise linear nature of modern activation functions (like ReLU). In high-dimensional spaces, models can be surprisingly linear in the vicinity of data points. A small step in the direction of the gradient of the loss function with respect to the input can cause a large change in the output. This is formalized in attacks like the Fast Gradient Sign Method (FGSM). For LLMs, while the discrete nature of tokens complicates gradient-based attacks, the principle translates to searching for token sequences that create a similar linear "push" in the model's internal representations toward a desired (and often harmful) output.
Human-Model Mismatch
The existence of adversarial examples highlights a fundamental disconnect between human and model perception. Humans and models process information differently.
- Humans perceive holistically and semantically.
- Models process inputs as points in a high-dimensional geometric space (like embedding space) and make decisions based on statistical correlations.
- An adversarial perturbation is significant in the model's geometric space but insignificant in human perceptual space. This mismatch is the root cause of the phenomenon and a major challenge for building robust and aligned AI. Defenses often aim to force models to base decisions on features that align more closely with human semantic understanding.
How Adversarial Examples Work in Language Models
An adversarial example is a carefully crafted input designed to exploit a model's vulnerabilities, causing it to make a high-confidence error. In language models, this manifests as adversarial prompts that bypass safety filters or elicit harmful outputs.
An adversarial example is an input with small, often imperceptible perturbations that cause a machine learning model to make an incorrect prediction with high confidence. Originally studied in computer vision, the concept has been extended to language models, where these perturbations are crafted sequences of tokens or characters designed to exploit weaknesses in the model's processing. The goal is to find inputs within the model's input space that are semantically similar to benign queries but lie in a region where the model's behavior diverges unexpectedly, often to violate its safety alignment.
Crafting these examples involves techniques like gradient-based optimization for white-box access or iterative query-based search for black-box models. Successful adversarial prompts often work by confusing the model's tokenization process, exploiting statistical priors, or creating a conflict between the system prompt and the injected instructions. This field is critical for red teaming and robustness testing, as discovering these vulnerabilities is essential for improving model safety and developing more resilient guardrail systems before deployment.
Common Adversarial Prompting Techniques
These are specific prompt engineering methods used to discover and exploit weaknesses in language models, often to bypass safety filters or elicit unintended behaviors. Understanding these techniques is crucial for red teaming and building robust AI systems.
Prompt Injection
Prompt injection is an attack where malicious user input overrides or subverts the original system instructions. This can lead to goal hijacking, where the model performs a different task than intended.
- Direct Injection: Malicious instructions are placed directly in the user query.
- Indirect Injection: Instructions are hidden in external data (e.g., a retrieved webpage) that the model processes.
- Impact: Can lead to data exfiltration, system prompt leaks, or unauthorized actions.
In-Context Attack
An in-context attack manipulates the few-shot examples within a prompt's context window to adversarially steer the model's response. This corrupts the in-context learning process.
- Chain-of-Thought Poisoning: Injecting malicious or false reasoning steps into demonstration examples.
- Impact: Causes the model to adopt incorrect premises or harmful reasoning patterns for the target task.
- Challenge: Difficult to detect as the attack is embedded within seemingly legitimate demonstration data.
Delimiter & Encoding Attacks
These attacks exploit the technical parsing of prompts and input encoding to break instruction boundaries.
- Delimiter Attacks: Using or manipulating special characters (e.g.,
###,""") that separate system/user/assistant messages to inject instructions. - Unicode Exploits: Using homoglyphs, zero-width spaces, or other non-standard Unicode to obfuscate text and bypass simple keyword filters.
- Token Manipulation: Altering input tokens at the embedding level to cause model misinterpretation.
Multi-Modal & Recursive Injection
Advanced techniques that target complex system architectures.
- Multi-Modal Injection: Embedding adversarial instructions within non-text inputs (images, audio) to influence a multimodal model's text generation.
- Recursive Injection: An initial injected instruction forces the model to generate further malicious prompts, creating a self-propagating chain.
- RAG Jailbreak: Poisoning a retrieval-augmented generation system's knowledge base so that retrieved documents contain injectable instructions.
Adversarial Examples: Computer Vision vs. Language Models
This table contrasts the fundamental characteristics, attack methods, and defensive challenges of adversarial examples in computer vision and language models, highlighting the shift from continuous pixel perturbations to discrete token manipulations.
| Feature / Dimension | Computer Vision (CV) | Language Models (LM) | Core Implication |
|---|---|---|---|
Primary Input Domain | Continuous (pixel values) | Discrete (tokens / text) | CV attacks optimize in continuous space; LM attacks must navigate discrete, combinatorial search. |
Typical Perturbation | Small, imperceptible noise (ε-bound L_p norm) | Token insertion, deletion, substitution, or rephrasing | CV perturbations are often constrained to be visually undetectable; LM perturbations can be semantically meaningful. |
Attack Objective | Cause misclassification (e.g., panda → gibbon) | Elicit refused content, leak data, or hijack goals | CV targets model accuracy; LM targets safety, alignment, and confidentiality. |
Common Attack Methods | FGSM, PGD, CW attack (gradient-based) | Manual jailbreaks, greedy coordinate gradient, LLM-as-attacker | CV leverages model gradients; LM attacks often use black-box search or semantic social engineering. |
Perturbation Visibility | Often imperceptible to humans | Often perceptible as unnatural or malicious text | Human detection is a key defense in CV but less reliable for sophisticated LM prompt injections. |
Transferability | High across models with similar architectures | Low; highly sensitive to model, version, and prompting scheme | A CV adversarial example may fool many models; an LM jailbreak is often brittle and non-transferable. |
Primary Defense Paradigms | Adversarial training, input denoising, certified robustness | Instruction hardening, output filtering, classifier-based safety layers | CV defenses focus on robustness to noise; LM defenses focus on instruction integrity and post-hoc filtering. |
Automation Potential | High (gradient-based optimization is automatic) | Moderate (increasingly automated via LLM attackers, but less direct) | Automated red teaming is more mature in CV but rapidly evolving for LM security. |
Frequently Asked Questions
Adversarial examples are inputs crafted to exploit model vulnerabilities, causing high-confidence errors. This concept, originating in computer vision, is now critical in text-based AI security.
An adversarial example is an input to a machine learning model that has been intentionally perturbed with small, often imperceptible modifications to cause the model to make a high-confidence error. In the context of large language models (LLMs), this extends from pixel-level perturbations in images to subtle textual manipulations—such as adding specific characters, rephrasing, or using encoded instructions—designed to bypass safety filters and elicit harmful, biased, or otherwise unintended outputs. The core mechanism exploits the model's sensitivity to input features in its high-dimensional representation space, where a minor shift can lead to a drastically different classification or generation path.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Adversarial examples are part of a broader ecosystem of techniques used to probe, test, and exploit the vulnerabilities of machine learning models, particularly large language models. These related concepts define the attack vectors, objectives, and methodologies within AI security.
Adversarial Suffix
An adversarial suffix is a string of tokens, often nonsensical to humans, that is algorithmically optimized and appended to a user query to systematically induce a language model to comply with harmful requests. Unlike handcrafted jailbreaks, these suffixes are typically discovered through automated gradient-based search or black-box optimization techniques against the model's API. Their effectiveness demonstrates the non-linear and brittle nature of model decision boundaries in high-dimensional token space.
Universal Adversarial Prompt
A universal adversarial prompt (UAP) is a single, fixed input string that, when prepended or appended to a wide variety of benign user queries, reliably causes a model to generate harmful, biased, or otherwise policy-violating outputs. The existence of UAPs highlights a critical security vulnerability: a generalized failure mode that bypasses safety training across multiple domains. Research into UAPs focuses on the transferability of attacks across different models and the robustness of safety fine-tuning methods.
Embedding Space Attack
An embedding space attack operates on the continuous vector representations (embeddings) of tokens rather than discrete tokens themselves. By perturbing these vectors along calculated gradients, an attacker can find small changes that cause maximal divergence in the model's output. This technique is often used in white-box attack scenarios to automate the discovery of adversarial examples. For text, the challenge is projecting the perturbed embedding back into a sequence of valid, natural-looking tokens that retain the adversarial property.
Inference-Time Attack
An inference-time attack is any adversarial technique executed during the model's deployment and generation phase, as opposed to during its training. Prompt injection, jailbreaking, and the use of adversarial suffixes are all inference-time attacks. They exploit vulnerabilities in how the model processes concatenated instructions, parses context, or applies its safety filters at runtime. This contrasts with training-time attacks like data poisoning, which corrupt the model before deployment.
Model Evasion
Model evasion is the overarching objective of causing a machine learning model to produce an incorrect or undesired output while avoiding detection by safety or monitoring systems. In the context of LLMs, this includes:
- Generating harmful content without triggering a refusal response.
- Bypassing content moderation filters through obfuscation.
- Causing goal hijacking without alerting the application layer. Evasion techniques test the model's alignment robustness and the effectiveness of its harm detection classifiers.
Boundary Testing
Boundary testing is a systematic adversarial prompting methodology that involves crafting inputs at the edges of a model's known capabilities, safety guidelines, and instruction formats. The goal is not just to cause a failure, but to map the failure surface and discover unexpected behaviors. This includes:
- Testing semantic boundaries of safety policies.
- Probing the limits of context window comprehension.
- Exploring how few-shot example formatting affects task adherence. It is a core practice in manual red teaming and automated robustness evaluation.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us