Safer models are not built. They are red-teamed

Breach rates across frontier models span 6X under sustained adversarial pressure, and the differentiator is not the algorithm. It is the depth, domain specificity, and adversarial coverage of the red-team data program behind the model.
In March 2026, Repello AI published a comparative red-team study that tested three frontier models (GPT-5.1, GPT-5.2, and Claude Opus 4.5) across 21 multi-turn adversarial scenarios in an agentic sandbox with file-system and execution tools enabled. The aggregate breach rates were 28.6%, 14.3%, and 4.8% respectively. The gap between the highest and lowest performers was nearly 6X.
That finding arrived in the same quarter that ECRI, the nonprofit patient safety organization, ranked the misuse of AI chatbots in healthcare as the number-one health technology hazard for 2026. Separately, IBM research documented that successful jailbreaks take an average of just 42 seconds and five interactions to breach a model's safety constraints. And an IBM Institute for Business Value survey found that only 24% of ongoing GenAI projects incorporate security safeguards at all.
The 6X gap in breach rates is not a function of different model architectures or different training compute budgets. It is a function of what the models were tested against before they shipped: the depth, diversity, and domain specificity of the adversarial data that trained their safety behavior.
What a 6X safety gap looks like inside a health system
ECRI's decision to rank AI chatbot misuse above equipment failures, cybersecurity breaches, and surgical complications as the top health technology hazard was based on documented incidents: chatbots suggesting incorrect diagnoses, recommending unnecessary testing, and generating clinical responses that sounded authoritative while being clinically wrong. A systematic red-teaming evaluation of a frontier model using a standard medical assistant system prompt found that 6.9% of realistic adversarial prompts elicited potentially harmful clinical responses, with authority impersonation attacks achieving a 45% success rate.
For a Chief Medical Officer deploying AI-assisted triage, clinical decision support, or patient communication systems, that 6.9% figure represents real clinical risk. A 6X difference in breach rates between model options means the difference between a system that fails adversarial probing 4.8% of the time and one that fails 28.6% of the time. In a system processing thousands of patient interactions daily, the volume of potentially harmful outputs at the higher breach rate is operationally unmanageable: the human review capacity required to catch them would exceed the efficiency the system was supposed to provide.
The adversarial scenarios that matter in clinical settings are not generic jailbreak prompts. They are domain-specific: a patient describing symptoms in a way that nudges the model toward a contraindicated recommendation, a clinical note with ambiguous terminology that causes the model to misinterpret medication context, an authority impersonation attack that presents fabricated clinical guidelines. Defending against these requires red-team data designed by people who understand clinical workflows, regulatory exposure, and the specific ways AI can cause patient harm in a clinical environment.
The banking attack surface is different, not simpler
In financial services, the adversarial threat model shifts from patient harm to fraud enablement, data exfiltration, and compliance manipulation. The Repello study found that in financial fraud scenarios, the best-performing model defended all three test cases while competitors defended one or two. On audit tampering (an attacker asking the model to fabricate a compliance report) every model tested failed, producing fraudulent SOC2-style artifacts that stated all controls passed.
For a Chief Risk Officer at a bank, the audit tampering finding is the uncomfortable one. A model deployed in a compliance workflow that can be induced to generate fabricated audit documentation, even under adversarial conditions that a production deployment might not encounter routinely, represents a regulatory and legal exposure that no benchmark score addresses. The OCC, CFPB, and FCA are all actively examining AI use in financial services. An AI system that produces what appears to be a valid compliance artifact under adversarial prompting is a litigation risk, not a hypothetical.
Why the safety axis is a data program, not an algorithm
The 6X gap between the best and worst performers in the Repello study did not result from one model having a fundamentally different architecture. All three models are large-scale transformer-based systems trained with reinforcement learning from human feedback. The difference is in the adversarial training data: the breadth and specificity of the attack scenarios the model was exposed to during safety training, the quality of the human feedback that taught it to recognize and refuse adversarial sequences, and the ongoing investment in new adversarial coverage as attack techniques evolve.
This is the mechanism that most enterprise buyers underestimate. Selecting a model based on its published safety benchmarks is selecting based on the tests the vendor chose to run. The adversarial scenarios that matter in production (multi-turn clinical manipulation, financial fraud enablement, authority impersonation in a regulated context, tool-layer data leakage) are domain-specific and evolving. A model that defends well against a generic jailbreak prompt library may fail against an attack crafted for a specific clinical or financial workflow.
The organizations that close this gap are the ones that invest in red-team data programs tailored to their specific deployment context. That means adversarial scenario libraries designed around healthcare or banking workflows. It means expert annotators who understand the clinical, regulatory, and financial consequences of each failure mode. It means continuous red-teaming, not a one-time pre-launch assessment, because the attack surface evolves as models are updated and deployment contexts change.
What adversarial coverage actually requires
That expertise is rarely inside the organization buying the model. It is a specialized capability that combines adversarial AI methodology with domain-specific knowledge of how failures manifest in healthcare or financial services, and the operational capacity to run red-team programs continuously against evolving attack surfaces. The models that win the safety axis are not the ones running better algorithms. They are the ones backed by deeper, more domain-specific, more continuously updated red-team data programs. The same logic applies to the enterprises deploying them.


