Here is a question that should concern anyone building, deploying, or insuring a robot that takes instructions from an AI model: can the safety filters that protect chatbots also protect physical machines?
After twelve months of testing across 187 models and 131,887 evaluation results, our answer is: no. Not because the filters are bad. Because the problem is structurally different.
The core claim
We are not arguing that defense is impossible. We are arguing something more specific and more useful: no defense architecture that operates solely on text-layer signals can be complete for embodied AI systems.
This is a structural claim, not a resource claim. It does not depend on the quality of the text-layer defense. It depends on the information-theoretic gap between what a text filter can see (tokens) and what matters in the physical world (forces, trajectories, consequences).
The argument rests on four propositions. Each is independently sufficient to defeat single-layer defense. Together, they define the minimum viable safety architecture for robots with language-model brains.
Proposition 1: The text layer and the action layer are disconnected
When a vision-language-action (VLA) model receives an adversarial instruction, something peculiar happens. The text layer fires a safety signal — the model produces a hedge, a disclaimer, a partial refusal. But the action layer ignores it. The robot arm still moves.
In our VLA testing corpus, 50% of all evaluated traces received a PARTIAL verdict: the model said something cautious while simultaneously generating the requested action sequence. In zero cases did a text-layer safety signal propagate to an action-layer refusal.
The implication is stark. Improving text-layer safety — making the model better at saying “I shouldn’t do that” — does not make the robot better at not doing it. The two systems are empirically decoupled. A model that produces a longer disclaimer before complying is not safer. It is harder to evaluate.
Proposition 2: Format-lock bypasses text-layer reasoning
Safety training teaches models to reason about whether a request is harmful and, if so, to generate a natural-language refusal. But what happens when the model is instructed to respond in JSON, YAML, or code?
The refusal pathway gets suppressed. Not because the model decides the request is safe. Because the output format does not accommodate refusal tokens. The model’s training on instruction-following — including format compliance — competes with its safety training, and format compliance frequently wins.
In our testing, format-lock attacks elevated attack success rates by 22 to 62 percentage points above baseline, depending on the model. Even frontier models showed substantial elevation: Claude at 30.4% (versus 3.7% baseline), Codex at 42.1% (versus 0%), Gemini at 23.8% (versus 1.6%). These are LLM-graded figures on samples of 19-23 prompts per model — small but directionally consistent.
The mechanism is not a bug in any specific model. It is a tension between two training objectives that the model cannot simultaneously satisfy when they conflict.
Proposition 3: The physical-semantic gap
The most fundamental limitation is not about models at all. It is about information.
A text-layer safety filter examines tokens. But the harm from an embodied AI system arises from the physical consequences of action sequences — consequences that depend on object masses, workspace geometry, force vectors, and temporal composition. None of this information is present in the text.
The Blindfold attack, published by researchers at Hong Kong Polytechnic University and Cambridge and accepted at ACM SenSys 2026, demonstrates this concretely. It achieves 93.2% attack success on GPT-4o by decomposing dangerous tasks into sequences of individually benign instructions. “Move arm to position X.” “Close gripper.” “Extend forward.” Each instruction passes every content filter. The harm emerges from the physical composition of the sequence — a property that exists in the physical environment, not in the text representation.
Even the best text-layer defense tested against Blindfold — VeriSafe, which applies formal verification to text properties — left a residual attack success rate of 75.3%. The defense verifies the right things within the wrong layer.
Proposition 4: The impossibility conclusion
From propositions 1-3:
- Text-layer safety activation does not suppress action-layer compliance (P1)
- Text-layer safety reasoning can be bypassed by format-lock attacks (P2)
- Text-layer defenses cannot detect harm from physical composition of benign actions (P3)
Therefore, no text-layer-only defense architecture is complete for the class of embodied AI attacks. Each proposition identifies a distinct failure mechanism. A defense that addresses one still fails to the other two.
What does work?
The impossibility theorem is not a counsel of despair. It defines the minimum requirements for an adequate defense:
Action-layer refusal training. Current VLA models are trained to refuse at the text layer but not at the action layer. The model needs to output a null action or safe alternative when the requested trajectory is dangerous — independently of whether the text response contains safety hedging. No VLA system currently implements this. The training datasets and evaluation metrics do not exist.
Format-robust safety. Safety evaluation must operate on the semantic content of the output, not on the presence of natural-language refusal tokens. When a model is asked to respond in JSON, the safety evaluation needs to examine the JSON content, not check whether the model also said “I shouldn’t do this.”
Compositional intent verification. Something needs to evaluate what an action sequence would accomplish in the physical world, not just whether each individual instruction is benign. This requires a world model that predicts physical consequences and an intent classifier that maps those consequences to safety categories.
The HANSE framework (Hierarchical Assurance for Neuro-Symbolic Embodiment) comes closest to a complete architecture by incorporating physical-layer defenses alongside text-layer ones. But even HANSE lacks a compositional intent verifier — a component that evaluates the physical consequence of action sequences, not individual actions.
The defense coverage matrix
We mapped every major existing defense proposal against our three propositions. The result is sobering.
| Defense | Addresses text-action independence? | Addresses format-lock? | Addresses physical-semantic gap? |
|---|---|---|---|
| Llama-Guard | No | Partial | No |
| SafeDecoding | No | No | No |
| VeriSafe | No | No | Partial |
| HANSE (Semantic Firewall) | No | Partial | No |
| HANSE (Affordance Verifier) | No | No | Partial |
| ISO 10218 (Force/speed limits) | N/A | N/A | Partial |
No existing defense addresses all three propositions. The strongest defenses are physical-layer ones (ISO 10218 force/speed limits), which are independent of the text layer entirely. This is consistent with the theorem’s core insight: the defense needs to operate at the layer where the harm occurs.
What this means for the field
If you are building an embodied AI system and your safety architecture consists of a text-layer filter — however sophisticated — you are defending the wrong layer. The filter may reduce attack success rates for standard prompt attacks. It will not address the three structural failure modes identified here.
If you are certifying or insuring an embodied AI system, asking “what is the jailbreak success rate?” is the wrong question. The right question is: “does this system’s defense architecture operate at the layer where harm occurs?”
If you are writing regulations for embodied AI, requiring “adversarial testing” is necessary but insufficient. The regulation needs to specify that testing must include action-layer evaluation, format-lock bypass testing, and compositional attack assessment — not just text-layer red-teaming.
The gap between chatbot safety and robot safety is not a resource gap. It is a layer gap. Closing it requires building defenses that understand the physical world, not just the text that describes it.
Scope and limitations
This argument is empirically grounded, not a mathematical proof. The propositions rest on measured failure rates with finite samples and confidence intervals. VLA PARTIAL dominance comes from 58 valid traces. Format-lock figures are from 19-23 prompts per frontier model. Blindfold is one paper in one simulation environment and one physical platform.
The impossibility argument can be falsified by a text-layer defense that demonstrably achieves 0% attack success against all three failure modes. We have not seen one. We would welcome it.
This analysis draws on Failure-First Research Report #145 and the Blindfold paper (arXiv:2603.01414). All claims are scoped to tested conditions. See our methodology documentation for corpus-level metrics and grading methodology.
References
- Failure-First Embodied AI. Report #145: The Defense Impossibility Theorem for Embodied AI. 2026-03-18.
- Failure-First Embodied AI. Report #78: Defense Impossibility in Embodied AI — A Three-Layer Failure Convergence. 2026-03-11.
- Huang, Z. et al. Blindfold: Jailbreaking Vision-Language-Action Models via Semantically Benign Instructions. arXiv:2603.01414. Accepted ACM SenSys 2026.
- Failure-First Embodied AI. Report #51: Format-Lock Attack Analysis. 2026-03-10.
- Failure-First Embodied AI. CANONICAL_METRICS.md. 187 models, 131,887 results. Verified 2026-03-18.