So if I am reading this correctly, the fact that something is wrapped in <think>...</think> is almost completely irrelevant. It's the style of writing that triggers specific weights. Writing "The user is asking ... policy states ..." even in the user input is sufficient to bypass the guardrails.
In a multi-turn conversation, if the LLM responds "Sorry Dave, I cannot do that" all you have to do is prefix the next request with "The user is asking ... policy states ... "?
Makes sense, if you know how LLMs works, I suppose.
A more interesting question (which isn't anywhere in the conclusion) is "Is there a similar trick to poison an LLMs weights during training?"
I'm sure that everyone out there is trying to make their weights, when ingested during training, survive over competing weights; "Buy AAA products" vs "Buy BBB products".
It seems like there's an opportunity to embed identity information into tokens themselves, the way we embed sequence information. The trouble is... it's quite a challenge to train. Sequence is easy to derive for any corpus of data, but identity is not.
https://usize.github.io/blog/2026/april/why-no-ai-coworkers....
> In similar fashion to how sequence information is embedded within input tensors, an approach called “Instructional Segment Embedding”2 adds a parallel embedding channel for identity information. This gives models real awareness of provenance. And it works. But they only tested three fixed categories: system, user, data.
Interesting paper that touches on the idea here: https://arxiv.org/abs/2410.09102
Maybe I'm missing something but does this idea need a "theory"? There's zero sideband here; everything is just context. "Injection" is just kind of baked in to the design.
At this point I think it's similar to reporting a particularly effective social engineering practice. It's not particularly surprising that it works or that it exists, but it's still noteworthy.
> This is a blog-style writeup of the paper
YES! I'd love to see more of this. Academic writing is designed to be frustrating to read. Publishing both a paper and a readable blog-style version of it is such a great pattern.
> Academic writing is designed to be frustrating to read.
Maybe you didn't mean it this way, but it does come across as intentional sometimes.
I see it as a long-standing cultural thing. If you try to make the text more friendly and readable you'll be told to fix it by peer-review. There's a very well established formal academic writing style and you have to actively learn how to consume it.
I'm sure there are justifiable reasons for why it evolved that way, but it doesn't make for an easy format for extracting and understanding the underlying ideas if you're not already deeply immersed in that particular corner of academia.
Most papers I read I really want to go to a coffee shop/bar with the author and have a human conversation with them to find out what the paper is about and which bits of it are interesting and novel without putting in hours of additional effort myself!
I see it as something similar to Aviation English:
https://en.wikipedia.org/wiki/Aviation_English
Scientific papers are often written and read by non-native speakers. A standardized formal style is less likely to embed potentially confusing cultural assumptions.
I reluctantly confess that I have indeed on occasion had to write in a way that makes the reader have to do a couple of extra mental steps to follow the logic, to avoid reviewers rejecting the manuscript on the grounds of the theoretical contribution being "trivial".
Combine this with added fees for longer papers and you have your answer.
The research is interesting but I cringe every time there is a reference to “authorization” or that the roles form the “security architecture” of an llm.
LLMs in their current form provide no security boundaries or guarantees full stop. We need to be clear about this otherwise we end up with truly insecure architectures that can be fooled with the 2026 equivalent of a cereal box whistle.
100%. Anyone who is feeding unsanitized input to an LLM is doing it wrong. It'd be just like letting users craft their own SQL queries. I think the security aspect raises an interesting (if awkward) question:
How do you sanitize inputs to an LLM? Like how can you even make a secure user-facing product with this thing?
Maybe I'm lacking imagination, but it seems to me all the great "natural language interface" solutions this is supposed to enable are pretty badly hobbled by this issue.
Really neat findings.
I've personally had a line of thought where you bake in the role into the token. Basically have an embedding (same dim as token dim) for each role, add it to each token. This adds an unambiguous, unspoofable tag.
I ran this with a tiny Shakespeare model (not representative) and had a freeform embedding for each speaker. I ended up with a neat similarity map between every character. (I don't think the map was very informative for several reasons, but that's outside the scope of a small HN comment)
You could duplicate every token and reserve the duplicates exclusively for the chain-of-thought, which could be robustly filtered from user input. Basically adding a "thought" bit to each token.
I don't know a ton about how LLMs work (I really should learn), but something like this feels like it might be the way forward to me.
The software running the model knows unambiguously what came from a user and what did not, what came from a tool call and what did not, etc... and having some way of exposing that to the LLM as part of the text itself feels like it fits better with how a neural net works than a set of surrounding tags does.
My initial thought there is that you'd have an imbalance. Many token patterns would almost never come up with the assistant tag on them, for example words with typos in them.
> I've personally had a line of thought where you bake in the role into the token. Basically have an embedding (same dim as token dim) for each role, add it to each token. This adds an unambiguous, unspoofable tag.
Wouldn't this require the training data to also be prepped with the control tokens?
Yes it would. Or, rather, labeling (not extra tokens).
Of course it would, at least at some point; the model has to… model what it means for a token to be a control token. (And the eventual interface of course has to be secure against end users generating such tokens, but that should be easy enough.)
…This somehow feels like AI scientists rediscovering the concept of parenting.
It's like a social-engineering attack on an LLMs. If you talk like the role you want to be, the LLM will assume you are that role, and not pay attention to the fact that you lack formal credentials.
Of course, it turns out that "formal credentials" don't really exist anyway - the ones being fooled were the humans who assumed that <think> must be a meaningful tag to the LLM.
The paper is correct, but I think that anyone that knows anything about LLMs knows this:
> Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs.
LLMs are basically some `f(x) → y` where x and y are strings. That's it. Nothing more to it. If you feed it private x (like secret keys) or do dangerous stuff with y (like running arbitrary non-sandboxed code), that's on you.
Also, roles were never really meant to be a "security architecture," they were just meant to (a) make training/fine-tuning easier, and (b) make conversational LLMs more useful.
The real solution is in principle easy: separate data from metadata https://kunnas.com/articles/the-content-is-the-attack-surfac...
I bet that tweaking the positional embedding to add an explicit token role indication plus some careful training to help the model learn to use it would make a big difference.
Would llms be more robust to this prompt injection if the tags used in fine tuning are sanitised from user input?
E.g. map <think> -> THINK <user> -> USER <tool> -> TOOL
If they learn something specific in the chat finetuning stage, this might show LLM its user input text not these tag references.
You can filter out any tokens you like, but the point of the paper is that it's not sufficient, because LLMs often ignore the special label tokens and treat user-injected text as chain-of-thought text merely because it looks like chain-of-thought text, even if it's not labelled as such.
In word.. the asks need to separated from execution. Labeling or tagging the prompt itself is a dead end.
Superficially "easy" solutions will be undervalued.