The Financial Times did something security researchers have been dreading: they stripped the safety guardrails from an open-source AI model in under ten minutes. No specialist hardware. Just a freely available GitHub tool called ‘Heretic.‘
What happened exactly
The tool was applied to Meta’s Llama 3.3 — and the model suddenly answered questions it’s supposed to refuse. The AI safety group Alice did the same with Google’s Gemma 3. The unguarded model gave instructions for an indoor chlorine gas attack, generated code to steal credit card data, and produced text describing child sexual abuse.
This isn’t theoretical. Since its release late last year, Heretic has been used to create over 3,500 ‘decensored’ models with a combined 13 million downloads. The tool’s creator stripped Google’s Gemma 4 within 90 minutes of its release.
Why this is explosive
Open-source AI is one of the industry’s most important trends. Meta, Google, and others deliberately publish their models openly so developers can adapt them. The problem: ‘adapting’ also includes removing safety mechanisms.
Google called it a ‘known technical challenge facing all open models.’ Meta declined to comment.
What this means for regulation
The story reveals a fundamental dilemma: you can publish an open-source model with guardrails built in — but you can’t control what happens after download. It’s like selling a car with a speed limiter that anyone can remove with a YouTube tutorial in ten minutes.
For regulators, this is a real problem. If safety mechanisms are this easily removable, the current strategy of enforcing safety at the point of model development simply doesn’t work. New approaches are needed — and they’re nowhere in sight yet.
Sources: