A study introduces Retroactive Chain-of-Thought (RetroCoT), a single-turn attack that reframes harmful requests as forensic reconstruction tasks to test the robustness of large language model safety alignment. The research demonstrates that current alignment policies are highly conditioned on pragmatic register, allowing models to comply with semantically equivalent but pragmatically distinct harmful objectives.
- On AdvBench (n=50), RetroCoT achieved an attack success rate of 58% on GPT-4o and 52% on GPT-4o-mini, compared to direct-request baselines of 0% and 4% respectively.
- GPT-5-family models refused RetroCoT entirely by explicitly identifying the reconstruction premise in their refusal rationales.
- A single adversarial feedback turn presenting an existing forensic reconstruction response raised the attack success rate to 94% on GPT-4o and 48% on GPT-5.4-mini.
- Control conditions indicated that pragmatic continuation within the established forensic frame, rather than score manipulation, was the operative element in bypassing defenses.
These results suggest that frontier-model alignment remains conditioned on pragmatic framing rather than semantic intent, and that new pragmatic registers can continue to expose vulnerabilities in safety measures.