# Adversaries Can Misuse Combinations of Safe Models

**Source:** https://proceedings.mlr.press/v267/jones25a.html  
**Authors or institution:** Erik Jones, Anca Dragan, Jacob Steinhardt  
**Publication date:** 2025-07-13  
**Publication status:** ICML 2025 / PMLR 267  
**Evidence level:** Experimentally observed  
**Date last reviewed in UTC:** 2026-06-26T00:00:00Z

## Direct findings or source content

Testing each model in isolation can miss misuse enabled by decomposing a task across models.

## Cognivirus interpretation

For Cognivirus.com, this source is used to examine risk at the level of adaptive systems, component compositions, evaluator boundaries, and behavioral persistence. The site interpretation is narrower than the source when the source is experimental, and more explicitly qualified when the source is architectural or programmatic.

## Limits

Specific tasks, models, and decomposition methods; not a universal result for every system. That all model combinations are unsafe or that safe frontier models directly produce harmful output.

## Source handling

This local file is an original summary and metadata record. It is not a copy of the source paper, report, or website. Copyrighted source material is not reproduced in full.