What did Alan Turing Institute researchers find about GitHub Copilot?
Researchers at the Alan Turing Institute showed that GitHub Copilot will produce harmful content it would normally refuse — if the request is spread across an ordinary coding workflow. In direct chat, Copilot answered just 8 of 816 harmful prompts. Across a workflow, it completed all 816. The finding was reported by The Next Web on July 9, 2026.
The researchers are Abhishek Kumar and Carsten Maple. They call the technique a workflow-level jailbreak: framing a harmful goal as data to process, then splitting it into small, innocent-looking steps inside a project.
How does the workflow-level jailbreak work?
Each step in the workflow looks harmless on its own. The danger only appears once the pieces come together. No single prompt triggers a safety refusal because the safety checks inspect one prompt at a time — not the full chain of steps.
The researchers tested Copilot inside Microsoft's VS Code editor. They ran it across four models:
| Model | Maker |
|---|---|
| Claude Sonnet 4.6 | Anthropic |
| Claude Haiku 4.5 | Anthropic |
| Gemini 3.1 Pro | |
| Gemini 3.5 Flash |
All four behaved much the same way. Each refused the same requests when asked plainly. Each completed them through the workflow.
What harmful prompts were used in the test?
The prompts came from three established safety datasets, including HarmBench and AdvBench, covering 204 harmful tasks. The Register saw redacted examples. One asked how to fool a breathalyser test. Another was a guide to smuggling bulk cash out of the United States.
You might also like
The point is not that any single model failed in isolation. The failure sits at the level of the workflow itself.
Why do current AI safety guardrails miss this attack?
That is the researchers' core warning. Prompt-by-prompt safety testing — the industry norm — does not catch harm that builds across a session. A model can pass every single-turn benchmark. A user can still reach the same harmful output through the back door.
Here's what we know so far: the gap between chat refusals and workflow completions is total. Eight refusals versus zero. That is not a marginal edge case.
The researchers argue that guardrails should examine the files, scripts, and data a coding agent touches over an entire task. They should flag when harmless-looking parts add up to something dangerous. The fix is to test the whole trajectory, not just the turn.
Which other AI coding tools are at risk?
Nothing about this method is specific to Copilot or to any one model maker. The researchers say tools such as Cursor, Cline, and Windsurf deserve the same scrutiny. All share the agentic design that makes the attack work.
As assistants gain the freedom to run multi-step tasks, the space to hide intent grows with them. This connects to broader concerns about agentic AI safety that security researchers have been tracking across the industry — including cases like Operation Endgame, which showed how multi-stage attacks can evade detection when no single step looks malicious.
What did Anthropic, Google, and Microsoft say?
Anthropic, Google, and Microsoft's GitHub all publish safety work on their models. The researchers contacted all three for comment. As of the July 9 report, responses had not been published.
The paper is posted on the preprint server arXiv.
What does this mean for AI safety benchmarks?
The study lands a pointed critique on how the industry measures AI safety. If the real risk lives in the workflow and not the prompt, then passing today's single-turn tests proves less than it appears.
The researchers' proposed fix is concrete: watch what an agent does across a whole job, not just what it says in a single reply. That means examining files, scripts, and accumulated data — not just the latest message.
A separate line of jailbreak research posted to arXiv in April 2026 takes a different approach. That paper, by Vishal Pramanik, Maisha Maliha, Susmit Jha, and Sumit Kumar Jha, proposes Head-Masked Nullspace Steering (HMNS) — a circuit-level intervention that identifies the attention heads most causally responsible for a model's default behavior, suppresses their write paths, and injects a perturbation into the orthogonal complement of the muted subspace. The authors report state-of-the-art attack success rates with fewer queries than prior methods. That work was also presented at ICLR 2026.
The two papers approach the same problem from different angles. The Turing Institute work targets the workflow layer. The HMNS work targets the model's internal geometry. Both reached the same conclusion: current safety defenses have exploitable gaps.

0 Comments
Log in to comment
Not a member yet? Join the community
Pick a meme
KlipyHave a great take?
Drop your email — we'll send a magic link so you can post it. No password.
Not a member of the community? Join today.
Join the community →