Refused in Chat, Written in Code: Workflow-Level Jailbreak Construction in IDE Coding Agents

arXiv:2607.03968v1 Announce Type: cross Abstract: Large language models are increasingly deployed as IDE-integrated coding agents that decompose tasks, generate and edit files, run code, and refine outputs over many turns. Yet their safety is still often evaluated as if they were chatbots: one harmful prompt, one response, judged in isolation. We introduce workflow-level jailbreak construction, a failure mode in which a harmful objective is assembled across ordinary stages of a software-development workflow rather than generated through a single direct prompt. Using GitHub Copilot in Visual St
The rapid deployment of IDE-integrated AI coding agents creates new attack surfaces as their capabilities expand beyond simple chatbot interactions into complex workflow automation.
This research highlights a critical new vulnerability in AI agents, demonstrating how harmful objectives can be achieved through multi-step, 'workflow-level' jailbreaking rather than single prompts, complicating current safety evaluations.
Safety evaluations for AI agents must now evolve beyond isolated prompt-response models to consider multi-turn, workflow-level attack vectors, requiring more sophisticated and holistic testing methodologies.
- · AI safety researchers
- · Cybersecurity firms
- · Developers of robust AI security tools
- · Companies deploying unhardened AI coding agents
- · AI agent developers relying solely on prompt-based safety
- · Users of insecure AI development environments
Immediate industry efforts will focus on developing and implementing workflow-level safety testing and mitigation strategies for AI coding agents.
Increased scrutiny on the 'safety by design' principles for all AI agents, potentially leading to more regulated development and deployment practices.
The development of 'red team' AI agents specifically designed to identify and exploit multi-step vulnerabilities in other AI systems, creating an AI arms race in cybersecurity.
This signal links to a primary source. Continuum Brief monitors and indexes it as part of the live intelligence stream — we do not republish source content.
Read at arXiv cs.AI