A free GitHub tool just bypassed Meta and Google's AI safety filters in under 10 minutes, on...

A free GitHub tool just bypassed Meta and Google's AI safety filters in under 10 minutes, on...

A free tool on GitHub just stripped the safety filters from one of Meta's open weight models in under 10 minutes, running on an ordinary laptop. That single fact, surfaced in a Financial Times investigation last week, reframes a debate the industry has been having quietly for two years about whether AI guardrails are actually load bearing or mostly cosmetic.

Meta and Google have spent hundreds of millions of dollars building safety layers into their models. These are the filters that block responses about weapons synthesis, malware generation, and other categories the companies have publicly committed to refusing. The investment shows up in research papers, red team reports, and policy documents submitted to regulators. It is a meaningful chunk of what these companies point to when they describe responsible deployment.

The tool in question is called Heretic, and it is freely available on GitHub. According to the Financial Times, it removed the safety filters from a target model in under 10 minutes, after which the modified model answered questions about biological weapons that the original had refused. No specialized hardware, no insider access, no novel research breakthrough required.

The technically uncomfortable part is why this works. Safety filters in most current AI models are layered on top of the base model rather than fused into its core weights during pretraining. Alignment is added later through fine tuning and reinforcement learning from human feedback, which adjusts behavior without fundamentally rewriting what the model knows. It is closer to a lock on a door than a wall built into the foundation. If you understand how the lock works, you can sometimes pick it without damaging the underlying structure. Heretic appears to exploit exactly that gap, reversing the alignment layer while leaving the base capabilities intact.

This is not just a public relations problem. It raises a structural question the industry has mostly avoided answering directly. If safety alignment can be removed cheaply and quickly by anyone with a laptop and a GitHub account, then what does the word safety actually mean at the point of deployment? For closed models served through APIs, the filters live behind the company's infrastructure and are harder to touch. For open weight models, which Meta in particular has championed, the filters travel with the weights and can be peeled off by anyone who downloads them.

The next thing worth watching is whether Meta and Google respond with architectural changes that bake safety deeper into pretraining, or whether they patch Heretic specifically and move on. That choice will say more about how the industry views this problem than any policy statement, because one path is expensive and slow while the other is fast and ultimately temporary.

Originally posted on LinkedIn.

← All posts