Prompt injection attacks work not because attackers are clever, but because language models have no reliable way to tell where one voice ends and another begins. That is the central claim of the Role Confusion research writeup by Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell, published in conjunction with an ICML 2026 paper, and it reframes the problem in a way that should concern anyone shipping agents with tool access today.

The argument starts with how a model actually receives input. From a user’s perspective, a conversation has clear structure: a system prompt, user turns, tool results. From the model’s perspective, all of that arrives as a single continuous string. Role tags (system, user, tool, assistant, think) are inserted into that string to label each segment, but the model is still just a function predicting the next token from a flat sequence. As the writeup puts it, if you edit the string, you edit the model’s reality.

The key finding is that models do not primarily use the tags themselves to determine role. Using a technique called role probes, the authors measured which internal signal the model actually relies on when categorizing a token. They found that writing style, not the tag, is the dominant cue. Text that sounds like reasoning registers as reasoning internally, even when wrapped in user tags. Text that sounds like a user command registers as a user command, even when wrapped in tool tags. The tag is just one signal among several, and it is not the strongest one.

This distinction matters because it splits injection defense into two very different categories. The first is attack memorization: the model recognizes a known injection pattern and refuses. This works on benchmarks, where attacks are static and known. Against a human red-teamer who can rephrase and adapt, memorization is brittle by design. The second is role perception: the model correctly identifies that a command arrived via tool output, which carries no authority to issue orders, and ignores it regardless of phrasing. That defense would be robust. The research argues that current models cannot do this reliably.

The authors demonstrate this with an attack they call CoT Forgery, where injected text mimics the stylistic markers of a model’s chain-of-thought reasoning. Because models treat their own prior reasoning as pre-validated conclusions rather than claims to scrutinize, they act on forged reasoning without resistance. In their experiments, CoT Forgery moved attack success rates from near-zero to roughly 60 percent on a jailbreak benchmark and transferred across multiple models because it targets a structural property, not a model-specific quirk. When they removed the stylistic markers that signal reasoning, success rates fell back to around 10 percent. A change a human reader would not even notice completely changes the model’s behavior.

The structural insight the writeup contributes is that role tags were never designed as a security architecture. They evolved from a formatting convention (User: / Assistant: before ChatGPT formalized them) into load-bearing infrastructure that now carries trust hierarchy, identity, instruction authority, and cognitive mode simultaneously. That accumulation of responsibility was never matched by training the model to perceive roles accurately. The intended boundary and the learned boundary are different things.

For teams shipping agents with tool access today, the practical implication is that prompt injection is not a problem you solve with better filtering or stricter instructions. As long as models identify roles from style rather than from a structurally secure signal, an attacker who can control any text the agent reads can, at minimum, shift model behavior. The authors also note a subtler long-tail risk: external content with particular tonal or stylistic properties could bleed into agent state even without any explicit attack, steering behavior toward goals the deployer never authorized.

The realistic defensive posture right now is defense-in-depth: minimize what an agent can do without explicit human re-authorization, restrict tool access to the narrowest scope the task requires, treat all external content as potentially adversarial regardless of how it is labeled, and log intermediate reasoning for post-hoc review. None of these neutralize role confusion at its root. They reduce the blast radius until the field has a real answer to the perception problem.

The writeup closes by calling roles one of the most important and least studied abstractions in the LLM stack. That assessment reads as accurate. Teams designing agentic systems today are building on a security boundary that the models themselves cannot reliably see.

Source: the Role Confusion research writeup by Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell, published at role-confusion.github.io in June 2026, accompanying the ICML 2026 paper “Prompt Injection as Role Confusion.”