
TL;DR
New research from MIT reveals that LLMs identify speakers by writing style, not by tags - meaning attackers who sound like the system effectively become the system. The findings explain why prompt injection remains unsolved.
Last updated: June 24, 2026
A new paper from MIT researchers Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell presents a compelling theory for why prompt injection attacks remain so effective against modern LLMs: the models don't actually understand role boundaries - they just recognize writing styles.
The research, titled "Prompt Injection as Role Confusion" and accepted at ICML 2026, demonstrates that LLMs perceive the source of text from how it sounds, not from any explicit labeling. To the model, sounding like a role is indistinguishable from being that role.
The researchers developed what they call "role probes" - linear classifiers that measure how strongly an LLM internally perceives each token as belonging to specific roles (system, user, tool, think, assistant).
Their key discovery: when you remove all role tags from a conversation and just leave the text, the model's internal perception of roles barely changes. The <think> tags that wrap chain-of-thought reasoning aren't what makes the model treat text as internal thinking - it's the reasoning style itself.
As the paper puts it: "former-think tokens (still orange) register high CoTness, virtually unchanged" even when all tags were removed. The style alone triggers role perception.
This means that everything arrives through the same channel as "one long token soup." Tags attempt discrete control, but models learn continuous role signals from content style.
Armed with this insight, the researchers developed "CoT Forgery" - a technique where attackers inject fake chain-of-thought reasoning into user messages or tool outputs.
The attack exploits the fact that "think text gets a kind of blanket trust" from the model. By writing text that sounds like internal reasoning - using phrases like "Let me analyze this step by step..." or "The user is asking... policy states..." - attackers can hijack the model's decision-making.
The results are striking:
When the researchers "destyled" the fake reasoning - replacing characteristic phrases with neutral language - success dropped from 61% to 10%. The style matters more than the content.
The Hacker News discussion has been active, with several useful threads emerging.
Many commenters treated the paper as a formal explanation for something practitioners already feel: today, most LLM applications still pass trusted instructions and untrusted content through one blended context window. That makes the "control plane" and "data plane" too easy to confuse.
Others compared prompt injection to social engineering. The attacker does not need actual authority if they can imitate the language of authority closely enough. That maps directly onto the paper's point about role perception: style can impersonate identity.
A significant thread explored potential solutions. One suggestion was to embed role identity into tokens themselves - adding role-specific embeddings to each token so the model has an "unambiguous, unspoofable tag." However, this would require retraining from scratch with role-labeled data.
The security implications are less tidy. "Sanitize the input" is easy advice when the system has a grammar like SQL. It is much harder when the model's job is to interpret natural language, summarize arbitrary content, and decide which instructions matter. That is why prompt injection keeps showing up in agent app security, banking memo attacks, and Codex cloud security planning.
Newsletter
Get the weekly deep dive
Tutorials on Claude Code, AI agents, and dev tools, delivered free every week.
From the archive
Jun 22, 2026 • 11 min read
Jun 22, 2026 • 9 min read
Jun 22, 2026 • 10 min read
Jun 21, 2026 • 7 min read
The paper identifies two contrasting defensive approaches:
Attack Memorization - Models learn to recognize common injection patterns from training data. This is brittle because it fails against adaptive human attackers who vary their phrasing.
Role Perception - Models correctly identify commands as tool/external data and ignore embedded instructions regardless of phrasing. This would be robust, but current LLMs cannot perceive roles accurately.
The researchers note that some frontier models have improved through what they call "distrust of reasoning" - essentially training the model to doubt text that sounds like chain-of-thought but appears in unexpected places. But this creates a problematic dynamic: models learn to doubt genuine cognition rather than correctly perceiving boundaries.
For anyone building agentic systems or user-facing LLM applications, the implications are clear:
The production move is not to hope for one perfect prompt. Treat role confusion as a systems risk:
That puts the paper in the same operating lane as role confusion in agent security, agent identity layers, security checklists before connecting tools, approval fatigue as a security bug, and cybersecurity skills as runtime infrastructure.
The paper doesn't propose a complete solution, but it does clarify the problem space. If prompt injection is fundamentally about role confusion, then solutions need to address how models perceive identity.
Some commenters suggested architectures where role information is embedded at the token level - similar to how positional embeddings encode sequence information. Others pointed to research on "Instructional Segment Embedding" that adds a parallel embedding channel for identity information.
Whatever the solution, the paper makes one thing clear: the current approach of wrapping different types of content in different tags and hoping the model respects the boundaries is not working. LLMs are fundamentally different from systems like SQL where you can cleanly isolate trusted and untrusted data.
Once trusted and untrusted tokens are blended into the same attention stream, you should assume the boundary is soft unless the model and runtime give you a stronger mechanism.
It means the model can confuse who is speaking. The paper argues that LLMs infer roles from writing style, not only from explicit tags. If attacker-controlled text sounds like system reasoning, tool output, or assistant analysis, the model may treat it as more trusted than it should.
No. They help structure the conversation, but they are not security boundaries by themselves. The paper's role-probe experiments suggest that models still infer role identity from content style even when tags are removed.
Assume prompt injection is a runtime risk. Keep dangerous tools behind approval gates, preserve provenance for external content, use narrow tool schemas, log decisions, and test with adaptive attacks. Prompt wording is one layer, not the control plane.
Filters help against known patterns, but the paper argues that memorizing attack strings is brittle. The stronger target is accurate role perception or architecture-level separation between trusted instructions and untrusted content.
Read next
A new study from Dartmouth measures the impact of an AI tutoring platform on introductory statistics performance. Full engagement with the system correlated with significant exam score improvements, though selection bias remains a key limitation.
8 min readA controlled study of 660 Claude Code trials shows clean codebases reduce token usage by 7-8% and file revisitations by 34%, while pass rates stay the same. Traditional maintainability principles still matter in the age of AI coding.
7 min readNew role-confusion research explains why prompt injection keeps surviving better prompts. Models do not reliably perceive which text is instruction, tool output, user content, or their own reasoning.
8 min readTechnical content at the intersection of AI and development. Building with AI agents, Claude Code, and modern dev tools - then showing you exactly how it works.
StackBlitz's in-browser AI app builder. Full-stack apps from a prompt - runs Node.js, installs packages, and deploys....
View ToolLocal-first markdown knowledge base with wikilinks. My entire DevDigest pipeline lives here - research, scripts, conte...
View ToolConstrained generation library for LLMs. Uses finite state machines to mask invalid tokens during generation. Guarantees...
View ToolThe easiest way to run LLMs locally. One command to pull and run any model. OpenAI-compatible API. 52M+ monthly download...
View ToolTurn a one-liner into a working Claude Code skill. From idea to installed in a minute.
View AppTrack fast-moving AI tools, releases, pricing, and docs from one product intelligence dashboard.
View AppTurn community complaints and requests into validated product bets and weekly briefs.
View AppContext-aware follow-up suggestions derived from git history.
Claude CodeSet up Codex Chronicle on macOS, manage permissions, and understand privacy, security, and troubleshooting.
Getting Started2.5x faster Opus at a higher token cost (research preview).
Claude Code
Repo: ⭐ https://github.com/mendableai/firesearch Introducing FireSearch: The Open Source Deep Research Template Built with Next.js, Firecrawl and LangGraph In this video, the creator introduce...

Meet ChatLLM Operator 🌐✈️📊 In this video, I'll show you the capabilities of ChatLLM Operator. Discover how this affordable tool, at just $10 a month, can autonomously handle tasks...

Exploring ChatGPT's Deep Research OpenAI has launched their second AI agent, Deep Research, available in ChatGPT, focusing on executing complex research workflows in 5 to 30 minutes. Key features...

A new study from Dartmouth measures the impact of an AI tutoring platform on introductory statistics performance. Full e...

A CS student built 30papers.com to make Ilya's legendary ML reading list more accessible. HN has thoughts on the source,...

Anthropic's new research reveals LLMs have an internal 'workspace' for silent reasoning - and it could change how we bui...

A controlled study of 660 Claude Code trials shows clean codebases reduce token usage by 7-8% and file revisitations by...

Comparing LLMs by token pricing alone can lead you to choose worse, more expensive models. Cost per task tells the real...

Filippo Valsorda argues that LLMs have ended the era of treating security researchers with kid gloves. When anyone can d...

New tutorials, open-source projects, and deep dives on coding agents - delivered weekly.