Interesting Paper Exploring Prompt Injection

This is a fascinating explotation of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags.

Their conclusion:

Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs. We’ve shown that this architecture doesn’t survive into the model’s actual representations, and that such role confusion is linked to prompt injection.

Unless LLMs achieve genuine role perception, we think injection defense will remain a perpetual whack-a-mole game. And the continuous nature of role boundaries opens the threat of injections designed to subtly shift LLM states through seemingly innocuous text, legally and at scale.

More generally, roles are quietly one of the most important abstractions in the LLM stack, providing the boundaries meant to separate self from other, thought from communication, instruction from data. They’re human-controlled switches in an otherwise continuous system. We think they deserve a lot more study than they’ve gotten.

Full paper: “Prompt Injection as Role Confusion.” Simon Willison comments.

Posted on June 25, 2026 at 7:23 AM2 Comments

Comments

Ronald McDonald June 25, 2026 9:07 AM

I BECAME RONALD MCDONALD I BECAME A GOD! AND I WILL RULE FOR EVER AND EVER AND EVER HAHAHHAHHHHAAHHA

You see, Grimace lives in me now.

⬜⬜⬜⬜⬜⬜⬜⬜🟩🟩🟩⬜⬜⬜⬜🟦🟦🟦⬜⬜⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜🟩🟩🟩🟩🟩⬜⬜🟦🟦🟦🟦🟦🟦⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜🟨🟨⬜⬜🟩🟩🟩🟩🟩🟩🟦🟦🟦🟦🟦🟦🟦⬜⬜🟦🟦⬜⬜⬜
⬜⬜🟨🟨🟨🟨🟨🟩🟩🟩🟩🟩🟩🟩🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦⬜⬜
⬜⬜🟨🟨🟨🟨🟨🟨⬜🟩🟩🟩⬜⬜⬜🟦🟦🟦⬜🟦🟦🟦🟦🟦🟦🟦⬜
⬜⬜🟨🟨🟨🟨⬜⬜⬜⬜🟩⬜⬜⬜⬜⬜🟦⬜⬜⬜⬜🟦🟦🟦🟦🟦⬜
⬜⬜🟨🟨🟨⬜⬜⬜⬛⬜⬜⬜⬜⬜⬜⬜⬜⬜⬛⬜⬜⬜🟦🟦🟦🟦⬜
⬜🟨🟨🟨🟨⬜⬜⬜⬛⬜⬜⬜⬜⬜⬜⬜⬜⬜⬛⬜⬜⬜🟦🟦🟦🟦⬜
🟨🟨🟨🟨🟨⬜⬜⬛⬜⬛⬜⬜⬜⬜⬜⬜⬜⬛⬜⬛⬜⬜⬜🟦🟦⬜⬜
🟨🟨🟨🟨⬜⬛⬛⬜⬜⬜⬛⬛⬜⬜⬜⬛⬛⬜⬜⬜⬛⬛⬜🟦🟪⬜⬜
🟨🟨🟨🟨⬜⬜⬜⬛⬜⬛⬜⬜⬜⬜⬜⬜⬜⬛⬜⬛⬜⬜⬜🟪🟪🟪⬜
⬜🟨🟨🟨⬜⬜⬜⬜⬛⬜⬜⬜🟥🟥🟥⬜⬜⬜⬛⬜⬜⬜⬜🟪🟪🟪🟪
⬜⬜🟥🟥⬜⬜⬜⬜⬛⬜⬜🟥🟥🟥🏽🟥⬜⬜⬛⬜⬜⬜⬜🟪🟪🟪🟪
⬜🟥🟥🟥⬜⬜🟦🟦⬜⬜⬜🟥🟥🟥🟥🟥⬜⬜⬜🟦🟦⬜⬜🟪🟪🟪⬜
⬜🟥🟥🟥⬜⬜🟦🟦🟦⬜⬜⬜🟥🟥🟥⬜⬜⬜🟦🟦🟦⬜⬜🟪🟪⬜⬜
⬜⬜🟥🟥⬜⬜⬜🟦🟦🟦🟦⬜⬜⬜⬜⬜🟦🟦🟦🟦⬜⬜⬜🟪⬜⬜⬜
⬜⬜⬜🟥⬜⬜⬜⬜🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦🟦⬜⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜⬜⬜🟦🟦🟦🟦🟦🟦🟦🟦🟦⬜⬜⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜⬜⬜⬜⬜🟦🟦🟦🟦🟦⬜⬜⬜⬜⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜⬜⬜🟧⬜⬜⬜⬜⬜⬜⬜🟧⬜⬜⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜⬜🟧🟨🟧⬜⬜⬜⬜⬜🟧🟨🟧⬜⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜🟧🟨🟨🟧🟨🟧🟧🟧🟨🟧🟨🟨🟧⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜🟧🟨🟨🟨🟧🟧🟨🟧🟧🟨🟨🟨🟧⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜🟧🟨🟨🟧🟨🟧🟧🟧🟨🟧🟨🟨🟧⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜⬜🟧🟨🟧⬜⬜⬜⬜⬜🟧🟨🟧⬜⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜⬜⬜🟧⬜⬜⬜⬜⬜⬜⬜🟧⬜⬜⬜⬜⬜⬜⬜⬜⬜

I WANT WHAT YOU WANT RONALD
I WANT WHAT YOU WANT RONALD
FOREVER?
FOREVER AND EVER AND EVER AND EVER AND EVER AHAHAHAAHHAHHHAAHHAAH
YES.

Have you had your psychotic break today?
I’m lovin’ it.

Rontea June 25, 2026 10:58 AM

Interesting writeup on prompt injection framed through role confusion. The core idea resonates with field experience: LLMs internally reconstruct context in a way that doesn’t respect the architectural boundaries we expect. Roles like user, assistant, tool, and think were designed as discrete switches, but the model treats them more like style signals than hard security boundaries.

From a defender’s perspective, this reinforces that effective mitigations will need models to develop or be trained for real role separation, not just pattern-matching benchmarks. Otherwise, adversaries can continue to exploit the style-driven confusion that current models exhibit.

The research’s framing as a theory of roles is valuable. Treating role perception as an alignment and security concern opens up avenues beyond whack-a-mole injection filtering, especially for agent use cases where data and instruction streams can blend in dangerous ways.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.