I spend a fair amount of time thinking about what happens when the rules I write for an AI system meet a user who didn't read them, or read them carefully enough to route around them. Most of that thinking has been intuition built from watching things break. This month, NIST turned the intuition into a theorem.
What NIST actually proved
On June 9, 2026, NIST's newsroom announced a peer-reviewed result by Apostol Vassilev, a senior scientist in NIST's Information Technology Laboratory, titled "Robust AI Security and Alignment: A Sisyphean Endeavor?" — published in the May/June 2026 issue of IEEE Security & Privacy, with a preprint also available on arXiv. NIST's own headline for the announcement states the point directly: the proof "Supports Transition to a Continuous-Monitor-and-Update Security Model for AI Systems."
The argument extends Gödel's 1931 incompleteness theorems into machine-learning security: natural language is an effectively infinite space of possible inputs, while any deployed set of guardrails is finite. From that mismatch, the paper derives information-theoretic bounds showing no finite guardrail set can be universally robust against an adaptive adversary — there will always exist some prompt, in principle, that the rule set wasn't built to catch.
The title's Sisyphean framing is the part I think gets missed in the shorter writeups. Vassilev isn't arguing that security is pointless. The stated goal is an economic equilibrium: push the cost of finding a working exploit high enough, and keep pushing it, that it exceeds what most attackers are willing to spend. That's not a one-time fix — it's continuous effort, by design, forever. NIST frames the practical response in three parts: ongoing red-teaming to find new adversarial prompts before real attackers do, continuous updates that harden guardrails against what red-teaming finds, and operational resilience — designing systems to limit damage and recover quickly when a bypass does succeed, rather than assuming one never will.
Jailbreak Success Rate by Technique
Live-search verified, 2026 studies — see Sources below
Every technique clears majority success against frontier models — exactly what NIST's proof predicts for any finite guardrail set
Why this matches what practitioners already see
The theorem gives a name to a pattern that's already visible in jailbreak research. A widely cited study on adversarial-poetry-style prompts found a 62% success rate at bypassing safety mechanisms across 25 frontier models, with some individual models exceeding 90%. A separate 2026 competition focused on indirect prompt injection tested 13 frontier models and found every single one vulnerable, logging 8,648 successful attacks. Other technique-specific studies report success rates ranging from roughly 65% for simple multi-turn approaches up toward 99% for automated fuzzing methods — with a Nature Communications study from March 2026 finding enormous variance between models on autonomous jailbreak resistance.
None of those individual numbers should be read as a universal constant — they vary by technique, by model, and by how the study defined success. What they collectively support is the shape of NIST's claim: rule-based, fixed guardrails have a real and repeatedly demonstrated ceiling, and the industry's own red-teaming results are the empirical shadow of the mathematical proof.
Model Variance in Jailbreak Resistance
Nature Communications, autonomous jailbreak-agent study, March 2026
Autonomous jailbreak-agent harm score, by model — a 31x gap between the most and least resistant model tested
What this changes, and what it doesn't
The honest reading here matters more than the dramatic one. NIST did not prove that AI security is futile, that guardrails don't work, or that deploying AI systems is reckless. It proved something narrower and more useful: that complete, static, one-time robustness is not achievable for any finite rule set, and that the practical response is to stop treating guardrails as a launch-day checkbox and start treating them as a maintenance obligation — the same posture security teams already take toward every other class of software vulnerability.
For anyone building or buying AI systems, the actionable version of this is simple. Ask not "are the guardrails complete?" — the proof says they can't be — but "who is red-teaming this, how often are the guardrails updated, and what happens operationally in the window between a bypass being found and being patched?" That's a harder question to answer with a marketing page, and a more honest one to be asking.
Sources
- NIST, "NIST Mathematical Proof Supports Transition to a Continuous-Monitor-and-Update Security Model for AI Systems," June 9, 2026 — nist.gov
- Apostol Vassilev, "Robust AI Security and Alignment: A Sisyphean Endeavor?" IEEE Security & Privacy, May/June 2026; preprint arXiv:2512.10100
- Cloud Security Alliance (Lab Space); CovertSwarm; Tech Xplore; EdTech Innovation Hub — coverage of the NIST proof, June 2026
- The Prompt Index, "Jailbreaking LLMs in 2026: The State of Play" — indirect prompt injection competition results
- Adversarial-poetry jailbreak study across 25 frontier models (2026); Nature Communications, autonomous jailbreak-agent study, March 2026
Written by Abhishek Kushwaha, founder and writer at Global Tech Search, based in Kathmandu, Nepal.
