# Role-confusion

> Source: <https://cephalosec.com/blog/role-confusion/>
> Published: 2026-07-18 21:33:41+00:00

[Jot](https://cephalosec.com/tag/jot/)

# Role-confusion

This [recent paper on role-confusion](https://role-confusion.github.io/?ref=cephalosec.com) nicely explains how modern LLMs segment the different information like system prompts, user queries, chain of thoughts and tool callings using role tags. It shows how weak this system is at ensuring the segmentation and hierarchy of those different roles. Even if the API has safeguards to prevent a malicious user or tool call to impersonate system or chain of thought, they demonstrated that the model relies more on the writing style than the surrounding tags to assess the implicit role of each token.

Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs. We’ve shown that this architecture doesn’t survive into the model’s actual representations, and that such role confusion is linked to prompt injection.

Unless LLMs achieve genuine role perception, we think injection defense will remain a perpetual whack-a-mole game.

One more reason to think [SociaLLM Engineering](https://cephalosec.com/blog/sociallm-engineering-old-tricks-ai-agents-are-the-new-victims/) is here to stay.
