RSS

Thoughts on Role Confusion

gpjt1 pts0 comments

, or , and use the tone of text to infer roles. This explains a lot of jailbreaks.">

Thoughts on Role Confusion :: Giles' blog

, or , and use the tone of text to infer roles. This explains a lot of jailbreaks.">

, or , and use the tone of text to infer roles. This explains a lot of jailbreaks.">

el.dataset.currentDropdown = '')<br>}">

Giles' blog

About

Contact

Archives

Categories

Blogroll

June 2026 (6)

May 2026 (2)

April 2026 (11)

March 2026 (3)

February 2026 (4)

January 2026 (4)

December 2025 (1)

November 2025 (3)

October 2025 (9)

September 2025 (3)

August 2025 (5)

July 2025 (1)

June 2025 (2)

May 2025 (3)

April 2025 (2)

March 2025 (7)

February 2025 (10)

January 2025 (6)

December 2024 (7)

September 2024 (1)

August 2024 (2)

July 2024 (2)

May 2024 (2)

April 2024 (2)

February 2024 (2)

April 2023 (1)

March 2023 (2)

September 2022 (1)

February 2022 (1)

November 2021 (1)

March 2021 (1)

February 2021 (2)

August 2019 (1)

November 2018 (1)

May 2017 (1)

December 2016 (1)

April 2016 (1)

August 2015 (1)

December 2014 (1)

August 2014 (1)

March 2014 (1)

December 2013 (1)

October 2013 (3)

September 2013 (4)

August 2013 (2)

July 2013 (1)

June 2013 (1)

February 2013 (1)

October 2012 (1)

June 2012 (1)

May 2012 (1)

April 2012 (1)

February 2012 (1)

October 2011 (1)

June 2011 (1)

May 2011 (1)

April 2011 (1)

March 2011 (1)

February 2011 (1)

January 2011 (1)

December 2010 (3)

November 2010 (1)

October 2010 (1)

September 2010 (1)

August 2010 (1)

July 2010 (1)

May 2010 (3)

April 2010 (1)

March 2010 (2)

February 2010 (3)

January 2010 (4)

December 2009 (2)

November 2009 (5)

October 2009 (2)

September 2009 (2)

August 2009 (3)

July 2009 (1)

May 2009 (1)

April 2009 (1)

March 2009 (5)

February 2009 (5)

January 2009 (5)

December 2008 (3)

November 2008 (7)

October 2008 (4)

September 2008 (2)

August 2008 (1)

July 2008 (1)

June 2008 (1)

May 2008 (1)

April 2008 (1)

January 2008 (4)

December 2007 (3)

March 2007 (3)

February 2007 (1)

January 2007 (2)

December 2006 (4)

November 2006 (18)

AI (86)

TIL deep dives (75)

Python (72)

LLM from scratch (46)

Resolver One (34)

PyTorch (21)

TIL (21)

Blogkeeping (18)

PythonAnywhere (17)

Linux (16)

Startups (15)

Hugging Face (13)

NSLU2 offsite backup project (13)

Gadgets (12)

Funny (11)

Musings (11)

Finance (10)

Fine-tuning LLMs (10)

C (9)

Personal (8)

Robotics (8)

Website design (8)

3D (5)

JAX (5)

Quick links (5)

Rants (5)

Cryptography (4)

JavaScript (4)

Music (4)

Oddities (4)

Talks (4)

Dirigible (3)

Eee (3)

Memes (3)

Politics (3)

Django (2)

GPU Computing (2)

LaTeX (2)

MathML (2)

OLPC XO (2)

Retro Language Models (2)

Space (2)

VoIP (2)

Copyright (1)

Golang (1)

Microprojects (1)

Raspberry Pi (1)

Software development tools (1)

Agile Abstractions

Astral Codex Ten

:: (Bloggable a) => a -> IO ()

David Friedman's Substack

Econ & Energy

Entrepreneurial Geekiness

For some value of "Magic"

Hackaday

kaleidic.ai newsletter

Knowing.NET

Language Log

Millennium Hand

ntoll.org

Obey the Testing Goat!

PK

PythonAnywhere News

Simon Willison's Weblog

Societive

Software Deviser

Some opinions, held with varying degrees of certainty

tartley.com

Thoughts on Role Confusion

Posted on 24 June 2026

in

AI,

Quick links

The other day, I came across "Prompt Injection as Role Confusion"<br>(via Simon Willison). It's a really<br>interesting blog-style version of a paper by Charles Ye, Jasmine Cui and Dylan Hadfield-Menell,<br>where they find that LLMs seem to almost ignore 'role' tags like , or , and<br>instead use the tone of text to infer roles. This seems to explain a lot of jailbreaks.

The paper

When LLMs are reasoning about their context to work out what tokens they need to<br>generate next, they need to separate out different things: what the system prompt<br>says, what the user says, what the LLM itself has said in the past -- and for recent LLMs,<br>what their own past thoughts have been -- their reasoning traces -- and what they've sent to and received from their tools.

These "roles" for each bit of text need to be specified in the context. For example, in a simple chatbot (say,<br>2022-vintage), it might be written up a bit like a transcript:

The following is a transcript of a conversation between a user, "User", and an<br>AI bot, "Bot". The bot is helpful and friendly.

User: What is the capital of France?

Bot:

The LLM then starts predicting what would come next (eg. "The capital of France is Paris").

Alternatively, we might use XML-like separators:

You are a helpful and friendly bot.<br>What is the capital of France?

But most modern systems use special tokens -- which have the benefit that the<br>things outside the LLM harness (like the user through the chat interface, or hostile tool output)<br>can't fake them. In the post, they call the special inputs that tell the system<br>how to interpret the role of a bit of text the role tags.

But, after digging in with various tools, they...

february april december march august role

Related Articles

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

Britain Became as Poor as Mississippi

SanjayMehta15 ptsbritain mississippi next financial crisis self
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.