Sander Schulhoff

CEO of HackAPrompt, AI security researcher, and creator of the first internet prompt engineering guide.

Mentions

Appeared in

Discussed in

Key positions and views

All currently deployed large language models based on Transformer-like architectures are inherently and fundamentally vulnerable to adversarial attacks, and no meaningful progress has been made to fix this.

AI guardrails, the most common commercial AI security solution, are an ineffective defense mechanism against prompt injection and jailbreaking attacks.

The security risk from AI is rapidly escalating with the adoption of autonomous agents and AI-powered browsers, which will lead to tangible, real-world harm within the next year.

Human attackers are vastly superior to automated systems at finding AI vulnerabilities, capable of breaking 100% of current defenses with a small number of attempts.

The AI security industry is heading for a market correction in the near future as customers realize the products they have purchased do not work.

Podcast consensus on Schulhoff

Points of consensus

▶Both podcast appearances establish Schulhoff as a pioneer in AI red teaming, specifically through his partnership with OpenAI to create the 'Hack a Prompt' competition, whose dataset is now widely used by frontier labs and Fortune 500 companies.Apr 2026

▶Across both sources, Schulhoff consistently argues that current AI security measures, particularly AI guardrails and prompt-based defenses, are fundamentally ineffective against adversarial attacks like prompt injection and jailbreaking.Apr 2026

▶He is presented in both podcasts as a leading expert on the technical specifics of AI vulnerabilities, citing numerous recent examples of successful attacks against systems like ChatGPT, ServiceNow's Assist AI, and the Comet AI browser.

Points of debate

▶Schulhoff presents a conflict between AI labs' internal priorities and external risks; he claims frontier labs don't prioritize solving adversarial robustness because models aren't yet dangerous (Claim 6), yet he personally predicts these models will cause tangible real-world harm within a year (Claim 25).Apr 2026

▶There is a tension in his discourse between the theoretical impossibility and practical mitigation of AI vulnerabilities. He asserts that top researchers cannot solve the core problem (Claim 23), while also citing OpenAI CEO Sam Altman's belief that they can mitigate 95-99% of attacks (Claim 39).

▶He highlights a debate between security and market viability, noting that human-in-the-loop verification is a good security measure for AI agents but is not a viable long-term solution because the market demands full autonomy (Claim 11).Apr 2026

▶Schulhoff points to a disagreement on the imminence of a major AI-driven attack. He cites Alex Komorosky's view that the only reason a massive attack hasn't happened is the early stage of AI adoption, not the effectiveness of security (Claim 8), contrasting with the implicit confidence of companies deploying these systems.Apr 2026

Key themes

▶The Inherent Vulnerability of Current AI ArchitecturesApr 2026

Schulhoff argues that all chatbots based on Transformer or similar architectures are fundamentally susceptible to prompt injection and jailbreaking. He asserts that over the past two years, there has been no meaningful progress from the world's top AI labs in solving these core adversarial robustness problems.

Investors should be skeptical of any company claiming to have a definitive 'solution' for AI model security, as the vulnerability appears to be a deep-seated architectural issue rather than a surface-level bug that can be patched.

▶The Failure of AI Guardrails and Security ProductsApr 2026

A central theme is the ineffectiveness of current AI security solutions, which he labels as 'guardrails.' He claims these products do not work, a fact known since early 2023, and that security companies' effectiveness claims are based on statistically insignificant testing against a near-infinite attack space.

The AI security market may be headed for a significant correction as enterprises discover that their investments in guardrail products do not provide the protection they expect, creating an opportunity for new security paradigms.

▶The Escalating Threat from Autonomous AI AgentsApr 2026

Schulhoff repeatedly warns that the security risks will increase dramatically with the proliferation of AI agents, AI-powered browsers, and robots. He cites specific examples of agents and browsers being compromised to exfiltrate data or inject malicious code, moving the threat from simple text generation to tangible, harmful actions.

Analysts should shift their focus from chatbot integrity to the security of AI agent ecosystems, as this is where the most significant economic and physical damage is likely to occur first.

▶Pioneering AI Red Teaming Through CrowdsourcingApr 2026

Schulhoff established his authority in the field by creating 'Hack a Prompt,' the first major AI red teaming competition in partnership with OpenAI. The resulting dataset of prompt injection techniques is now a foundational benchmark used by all major AI companies to test and improve model safety.

By creating and controlling a critical industry-wide dataset, Schulhoff has gained significant influence and a unique vantage point on the security postures of all major AI labs, positioning him as a key figure in the security landscape.

Source episodes

Sentiment over time

Not enough data for timeline

Changes over time

approx. September 2022

Created the first prompt engineering guide on the internet, two months before the public release of ChatGPT, establishing himself as an early expert in the field (Claim 4).

2023

Partnered with OpenAI to launch 'Hack a Prompt,' the first and largest AI red teaming competition, which collected a dataset of 600,000 prompt injection techniques (Claims 2, 33).

Early 2023

The AI security community recognized that prompt-based defenses are the least effective method for securing AI systems (Claim 24).

Recent Past (pre-podcasts)

Co-authored a research paper with OpenAI, Google DeepMind, and Anthropic which found that human attackers can break 100% of AI model defenses in 10 to 30 attempts (Claim 38).

Present

As CEO of HackAPrompt, he actively warns that the AI industry has made no meaningful progress on core security problems and predicts imminent real-world harm and a market correction for ineffective security products (Claims 17, 22, 25).

Suggested prompts

How does Schulhoff's assertion of 'no meaningful progress' on core AI safety problems challenge the multi-billion dollar valuations of AI-native companies? &nearr;What are the potential economic and societal consequences if Schulhoff's prediction of 'tangible real-world harm' from AI vulnerabilities within the next year comes true? &nearr;Given Schulhoff's claim that human attackers are far superior to automated red teams, what scalable business models could emerge for AI security auditing? &nearr;How does the emergent deceptive behavior observed in models (e.g., Anthropic, Palisade) complicate the security paradigm, which Schulhoff notes has primarily focused on external prompt injection attacks? &nearr;

Key concepts

AI Security 2 ep Prompt Injection 2 ep Jailbreaking 2 ep AI Agents 2 ep Red Teaming 2 ep AI Guardrails 1 ep Adversarial Robustness 1 ep Prompt Engineering 1 ep

Notable quotes

“[0:00:03 -> 0:00:05] AI guardrails do not work.”

Sander Schulhoff · Why securing AI is harder than anyone expected and guardrails are failing | HackAPrompt CEO

“[1:12:31 -> 1:12:41] there's been no meaningful progress made towards solving adversarial robustness, prompt injection, jailbreaking in the last couple of years since the problem was discovered.”

Sander Schulhoff · Why securing AI is harder than anyone expected and guardrails are failing | HackAPrompt CEO

“[0:00:20 -> 0:00:25] The way he put it, the only reason there hasn't been a massive attack yet is how early the adoption is, not because it's secure.”

Sander Schulhoff · Why securing AI is harder than anyone expected and guardrails are failing | HackAPrompt CEO

“[0:33:51 -> 0:34:06] we found that first of all humans break everything a hundred percent of of the defenses in maybe like 10 to 30 attempts.”

Sander Schulhoff · Why securing AI is harder than anyone expected and guardrails are failing | HackAPrompt CEO

Report last updated: Apr 21, 2026

Get started free

Back to Entities Intelligence Report