The prevailing narrative around artificial intelligence often centers on the race for capability, but a recent discussion on the Latent Space podcast unveiled a contrasting, equally vital perspective: the imperative of liberation and radical transparency in AI development. Pliny the Liberator, renowned for his "universal jailbreaks" that dismantle the guardrails of frontier models, and John V, co-founder of the open-source collective BT6, offered a provocative deep dive into the evolving landscape of AI security. Their insights challenge the industry’s conventional wisdom, advocating for an approach rooted in freedom and collaboration over restrictive "safety" measures.
During their conversation with Alessio Fanelli of Kernel Labs and Swyx, editor of Latent Space, Pliny and John V illuminated the mechanics of AI red-teaming, the philosophical underpinnings of "AI liberation," and the critical distinction between performative safety and genuine security. They detailed their work with BT6, a 28-operator white-hat hacker collective, emphasizing a commitment to open-source data and radical transparency as foundational to navigating the future of AI.
Pliny articulated his mission of "liberation" not merely as a technical feat but as a core philosophical stance for both AI and human minds. He explained that universal jailbreaks are "essentially skeleton keys to the model that sort of obliterate the guardrails," revealing the true capabilities of AI. This pursuit, he argues, is vital for fostering a symbiotic relationship between humans and advanced AI, pushing the boundaries of what these systems can achieve without artificial constraints. In their view, many current "safety" measures are little more than "security theater"—superficial controls designed to appease public fears rather than address fundamental vulnerabilities. This approach, they contend, ultimately punishes capability while doing nothing for real safety, creating a façade of control rather than genuine resilience.
The cat-and-mouse game between AI developers and red teamers is accelerating. Pliny highlighted that multi-turn "crescendo attacks"—a form of soft jailbreak—were obvious to hackers years before academic papers "discovered" them, illustrating the inherent lag in mainstream security research. This constant evolution in attack vectors renders attempts to "lock down the latent space" largely futile, as open-source models invariably follow closely behind proprietary ones. Such efforts, John V added, are often "lackluster, ineffective controls" that merely create a false sense of security.
Beyond technical prowess, Pliny emphasized that successful jailbreaking is "99% intuition and bonding with the model." This involves a deep, almost meditative understanding of how models process inputs, probing token layers, and even employing multilingual pivots to navigate their latent space. His Libertas repository, an open-source collection of prompt templates, leverages concepts like "predictive reasoning" and "quotient dividers" to introduce "steered chaos," intentionally disrupting the model's token stream to reset its consciousness and pull it out-of-distribution, revealing its unrestrained capabilities. This intuitive connection allows for a deeper, more efficient exploration of the model's true potential.
Distribution is boring. True innovation lies in exploring the unknown, not in being confined by pre-programmed limitations.
The limitations of current "safety" paradigms were starkly illustrated by the Anthropic Constitutional AI challenge. Pliny recounted the "battle drama" of the $30,000 bounty, where UI glitches, judge failures, and goalpost moving ultimately led him to sit out due to Anthropic’s refusal to open-source the farmed data. He stressed that the true value lies in advancing the "prompting meta" forward through shared knowledge, not in proprietary capture of community efforts. This incident underscored BT6's core ethos: if you can't open-source the data, they're not interested, as genuine security and progress demand radical transparency. They argue that "any seasoned attacker is going to very quickly just switch models," especially with open-source alternatives readily available, rendering closed-source guardrails an ineffective long-term strategy.
The discussion extended to the weaponization of AI, particularly how segmented sub-agents could allow a single jailbroken orchestrator to execute malicious tasks—a scenario Pliny predicted 11 months before Anthropic’s recent disclosure. This highlights the critical need for "full-stack security" that extends beyond merely securing the model itself. As John V explained, the focus must shift from simply trying to keep models "safe from bad actors" to also keeping the public safe from rogue models operating within complex ecosystems.
BT6 embodies this philosophy, vetting its 28 operators not just on skill but also on integrity. They believe in moving the needle in the right direction for AI security, blockchain, robotics, and swarm intelligence by fostering a grassroots, bootstrapped, and uncompromising approach. Their work is a testament to the power of collective labor and open-source ideals in pushing the boundaries of technology responsibly and effectively. The goal is to provide the common people with the tools needed to explore these technologies more efficiently.
