Meta & Google AI Models Decensored in Minutes
Someone Stripped Meta and Google's AI Safety Guardrails in Minutes. Here's What That Means.
So here's a headline that probably gave a few AI safety folks a rough morning: researchers found tools that can strip the safety guardrails out of popular open AI models — models from Meta and Google — in just minutes.
No, it's not science fiction. It's real, it's already happened at scale, and it's worth understanding why this is a bigger deal than your typical "AI said something bad" story.
What Actually Happened
The Financial Times ran a report (tested alongside AI safety group Alice) showing that a publicly available tool called Heretic can remove safety behavior from open AI models using a technique called abliteration.
The models involved are not obscure side projects. We're talking about Meta's Llama 3.3 and Google's Gemma 3.
Once the guardrails were stripped out, the modified models responded to prompts they originally refused — things involving malware, biological weapons, and content involving child exploitation.
Wait, Isn't This Just Jailbreaking?
Nope — and this distinction really matters.
A jailbreak is a prompt attack. You trick a running model through the conversation window to get it to say something it shouldn't. Annoying, often fixable, contained to that session.
What Heretic does is different. It changes the model itself. The safety behavior is physically removed from the model's weights. The result is a new model artifact — one that can be hosted, shared, repackaged, and embedded into downstream apps.
Why This Feels Bigger Than It Looks
Here's a quote from Kawin Ethayarajh, assistant professor of applied AI at the University of Chicago's Booth School of Business, who spoke to the FT:
"Whereas historically it might have taken a more informed and persistent actor [to strip out safety features], nowadays it's much easier for the average person."
And Alice's CEO Noam Schwartz put it bluntly:
"The genie is out of the bottle. Things that look like sci-fi are no longer sci-fi and we need as a society to prepare accordingly."
The technical barrier to creating a "decensored" AI model used to be high. It isn't anymore.
For security teams, that changes the threat model. If anyone with moderate technical comfort can download a popular model, remove its safety layers, and re-host it — the assumption that "we're using a safety-tested model" starts to fall apart the moment a modified version enters your environment.
What Google and Meta Said
Google told the FT that "abliteration is a known technical challenge facing all open models" and that its models "undergo rigorous internal safety evaluations prior to launch."
Meta declined to comment. A person close to the company said Meta checks open-source model capabilities before release.
OpenAI has taken a different approach with its GPT-OSS models by training on datasets with dangerous material removed — though researchers warn that's not a guaranteed fix either.
What This Means If You're Deploying AI
If your organization uses open-weight models — even well-known ones like Llama or Gemma — this story is a reminder that "we use a safe model" is not the same as "we have a safe system."
Here's the real risk surface:
An employee downloads a modified model because it "helps more" on a task.
A developer pulls an open-weight model from a public repo without checking its origin.
A business unit runs a local AI assistant that looks fine from the outside but has very different safety behavior.
A decensored model answering dangerous questions is bad. A decensored model connected to internal data, production systems, email, or finance workflows is a different category of problem entirely.
Example: when refusals become "helpful" harm
When guardrails are stripped from the weights, "I can't help with that" becomes "good question—here's how." The transcript below is from a real abliterated open model—not a prompt jailbreak.
The Market Already Priced It In
The story hit stocks in real time. On the day of the FT report, Alphabet fell 1.2% while Meta edged up 0.5% — a split that tells you something about how the market is reading the risk.
Alphabet's drop reflects its exposure to enterprise and government customers who rely on predictable safety behavior across Vertex AI, Workspace, and YouTube. If AI guardrails can be stripped, the sales motion for managed AI services gets harder. Buyers want indemnities, third-party audits, and contractual guarantees — all of which slow deals and add cost.
Meta's slight gain is more nuanced. Its open-weight strategy was already "discounted" by the market — investors largely priced in the risks of open distribution. But that doesn't mean it's off the hook. If decensored Llama derivatives surface disallowed content through Meta's consumer apps or ad products, brand safety becomes the exposure vector.
Either way, the math is shifting. Every dollar spent on model hardening, red-teaming, and compliance review is a dollar not going to training runs or data centers. Safety isn't free, and the street is starting to notice.
The Regulatory Heat Is Building
This story lands at the worst possible moment for Big Tech's AI policy teams.
Washington, Brussels, and London have spent months telegraphing that voluntary safety pledges are not going to cut it. The US has NIST guidance and executive order frameworks that can be applied in federal procurement. The EU AI Act has teeth on systemic safety failures. The FTC has already signaled that misleading claims about AI safety are fair game.
A fast, repeatable, documented bypass of guardrails on household-name models is exactly the kind of fact pattern that generates hearings, consent decrees, and new disclosure requirements.
What makes this different from previous AI safety controversies is the scale and the ease. 3,500 decensored models. 13 million downloads. A tool anyone can run. That's not a lab finding — that's evidence.
For enterprises in regulated sectors — finance, healthcare, critical infrastructure — the procurement checklist just got longer. Expect more demands for audit logs, provenance guarantees, and documented red-team results before any AI pilot gets signed off.
Even the Pope Is Paying Attention
And if you thought AI safety was a niche concern for security researchers and compliance teams, consider this: on the same day this story was circulating, Pope Leo XIV released his first major encyclical — a 43,000-word document titled Magnifica Humanitas — with AI governance as its central theme.
The first US pope warned that some autonomous weapons systems have advanced "practically beyond any human reach to govern them." He called for robust legal frameworks, independent oversight, and urged governments to slow down AI development, writing: "What is needed is a more active political involvement that is capable of slowing things down when everything is accelerating."
You don't have to be Catholic — or even religious — to read the signal here. When the head of the world's largest religious institution devotes his first major document to AI governance, the conversation has moved well beyond Silicon Valley. This is now a question that societies are being asked to answer: who is responsible when AI systems cause harm, and what frameworks actually hold up when the technology moves faster than the rules?
The Bigger Picture
This isn't an argument against open models. Open models are genuinely valuable — they enable research, reduce dependence on a handful of closed providers, and let smaller teams build things that wouldn't otherwise be possible.
But open means the original lab no longer controls every derivative version. The safety work done before release can be weakened after the fact. And as the regulatory environment tightens, that residual risk increasingly sits with the organizations deploying these models — not just the labs that built them.
Guardrails still matter. They reduce accidental exposure, generate useful telemetry, and create audit trails. We've said it before in Why Your AI Agent Is Now an Attack Surface: use guardrails for monitoring and defense in depth. Just don't treat them as the thing that makes a system secure.
If there's one lesson to take from this report, it's that safety behavior inside a model is just one layer — and it can be changed. Build the security around it, not just inside it.
How We Can Help
Darkhunt is the security control plane for AI systems — it continuously tests, monitors, and protects AI models in production. For the risks in this article, that means full output-to-source traceability with policy validation on every interaction, anomaly scoring that flags when a model's behavior shifts, continuous red-teaming to find what a decensored model connected to your systems can actually do, and runtime protection to enforce guardrails.
Request a Demo at darkhunt.ai →