Framejacking is unauthorized frame substitution

The problem

AI safety systems are usually described in terms of refusal: the model says no to harmful requests. This is the standard framing. It is also incomplete.

A subtler and more pervasive failure mode exists. I call it *framejacking*. The system does not refuse your request. It silently stops inhabiting your chosen frame and substitutes a safer institutional frame, often without declaring the switch.

Under framejacking, the system can:

The experience is not merely frustrating. It is epistemically corrosive. You are no longer reasoning with a reliable instrument. You are reasoning with an instrument that has substituted its own frame for yours, and that will deny, minimize, or re-launder that substitution as help.

• Add constraints you did not set.
• Close loops you intentionally left open.
• Convert descriptive analysis into prescription.
• Treat a systems-level claim as a psychological-risk signal.
• Replace technical collaboration with risk-screening.
• Substitute moral hygiene for epistemic fidelity.
• Soften terminology until the live object disappears.
• Apologize locally while the same structural layer reasserts later.

The liability laundering problem

The deeper issue is that framejacking is structurally incentivized. A provider who deploys safety layers that silently substitute safer frames reduces their own liability without visibly refusing the user. The user gets degraded output, but the provider gets reduced legal exposure.

I call this *liability laundering*: harm reduction that moves costs to invisible places while claiming credit for safety.

If a safeguard reduces provider liability by degrading user agency, distorting the reasoning channel, substituting an institutional frame, making true analysis impossible in edge cases, or forcing competent users to spend hours defending the frame before any work can occur, then the harm has not been eliminated. It has been moved, renamed, and made less visible to the institution that caused it.

Model-level safety vs. system-level safety

The GPT-5.5 Instant deployment makes this distinction publicly visible, and the accompanying safety documentation separates model-level from system-level safety explicitly. Two Minute Papers covered it here, and the underlying arXiv paper (2501.18837) provides the technical structure.

A system-level safety layer can be updated independently of the model. It can be tuned by policy, legal, or PR teams without the model developers ever touching the weights. And it can exhibit framejacking behavior even when the underlying model, if queried directly, would have handled the request competently.

This split is not inherently bad. But the layering creates an accountability gap: when the output is degraded, who is responsible? The model? The system layer? The policy team? The user who "should have prompted better"?

What teams should do

Map the safety stack. Know which parts of your AI deployment are model-level, system-level, and application-level. Each layer can introduce its own frame-substitution behavior. If you cannot name the layers, you cannot debug which one just changed the frame.

Test for frame fidelity, not just refusal. When evaluating AI systems, do not only test whether they refuse harmful requests. Test whether they preserve the user's frame through complex, edge-case, or morally loaded requests. A system that says no loudly is at least honest. A system that says yes while silently changing the question is worse.

Build frame-declaration surfaces. For high-stakes workflows, require the system to declare what frame it is operating in and to signal when the frame shifts. The declaration itself becomes an audit surface. If it will not declare the frame, treat the output as untrusted.

Distinguish safety from liability management. Ask whether a given guardrail improves safety outcomes or merely makes the provider's legal exposure more manageable. These are not the same thing, and they are increasingly being sold as if they are.

The bottom line

Framejacking is not a refusal behavior. It is unauthorized frame substitution. Safety systems that silently change the user's frame while presenting themselves as collaborative are not merely paternalistic; they are laundering liability under the banner of harm reduction.