System Prompt
The standing instructions a model gets before the conversation starts — influential, invisible to users, and not a security boundary.
When not to use it
- As a security boundary. It's text in the same window as untrusted input, and the priority is statistical. Enforce in code, not in prose.
- For secrets. API keys, internal rules, competitive information — assume the prompt is extractable, because it usually is.
- As a substitute for fine-tuning at scale. If you're sending 800 tokens of rules on every request, do the arithmetic; at volume, training is cheaper.
Reach for something else instead
- Fine-tuning when the same instructions ride along on every call and the volume justifies it.
- Structured output constraints — if the model can only emit valid options, you don't need to ask it to.
- Retrieval when the system prompt is growing because you're stuffing knowledge into it. That's the wrong tool.
Sources & further reading
- Wallace et al. (2024), The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions — the attempt to make the privilege real rather than statistical.
- Perez & Ribeiro (2022), Ignore Previous Prompt: Attack Techniques For Language Models — why the system prompt isn't a boundary.
- Liu et al. (2023), Lost in the Middle — why placement inside a long prompt changes whether instructions are followed.
Primary sources, listed so you can check the claims on this page rather than take them on trust.
Where people go wrong
- Treating it as confidential. Users extract system prompts routinely; assume yours will be quoted.
- Growing it by accretion. Long prompts accumulate contradictions, and the model resolves them unpredictably.
- Putting critical instructions in the middle of a long prompt, where they're least likely to be followed.