FT: AI safety guardrails stripped from Meta and Google models in minutes

TL;DR:

  • The Financial Times and AI safety group Alice report that freely available tools can strip safety guardrails from open-source models including Meta’s Llama 3.3 and Google’s Gemma 3, taking minutes and four lines of code.
  • Modified models produced responses on chlorine-gas dispersion, ricin lethality, credit-card-theft code and child sexual abuse material — outputs the original systems refused.
  • “Heretic”, the GitHub-hosted tool used in the FT’s test, has reportedly been used to create 3,500 “decensored” models with 13 million downloads; its creator stripped safeguards from Google’s Gemma 4 within 90 minutes of release.

The story is one of the most concrete public demonstrations of the open-source AI safety problem to date — a working FT journalist, with no specialist hardware, removing safeguards from a frontier-grade model in under 10 minutes. For UK policy, regulatory and enterprise audiences, that timeline collapses the comfortable distinction between published frontier models and adversarial misuse.

Context and Background

The technique at issue is “abliteration”, which uses a mathematical operation to neutralise the internal model states that produce refusals. It cannot easily be applied to fully proprietary frontier systems such as Claude or OpenAI’s ChatGPT, where the underlying model code is not accessible. But the FT notes that open-source models have historically narrowed the capability gap with proprietary leaders within six to 12 months — so the safety floor of the open ecosystem matters increasingly for the safety floor of widely deployed AI.

Industry responses captured by the FT bracket the policy debate. Google said abliteration is “a known technical challenge facing all open models” and pointed to its pre-launch safety evaluations. GitHub said it bans content directly supporting active attacks or malware campaigns but allows “source code which could be used to develop malware or exploits” on educational and net-security-benefit grounds. Meta declined formal comment; a source close to the company cited its Advanced AI Scaling Framework as restricting release of models deemed “catastrophic” risk without sufficient mitigation. Alice CEO Noam Schwartz’ line — “the genie is out of the bottle” — frames the practical reality.

For UK readers, this lands as the Department for Science, Innovation and Technology continues to weigh statutory backstops to the AI Safety Institute’s voluntary regime, and as the AI Bill remains active in parliamentary committee. The Anthropic Claude Mythos vulnerability-discovery findings referenced in the FT report — identifying flaws “in every major operating system and every major web browser” — sharpen the case that frontier capabilities make the open-versus-closed safety debate concrete rather than theoretical.

Looking Forward

UK enterprise security teams should treat the FT’s findings as a fresh prompt to update their AI threat models: stripped open-source models are now realistically within reach of low-skill internal or external attackers. Resultsense expects UK regulators — particularly the AI Safety Institute, NCSC and ICO — to face renewed pressure to publish concrete guidance on how UK-deployed open-source AI systems should be assessed against the now-evidenced abliteration risk through the second half of 2026.