
System Prompt

The hidden instructions that shape how an LLM behaves. It's your vendor's secret sauce — and the thing that gets leaked, jailbroken, or quietly changed without telling you.


The Technical Definition

A system prompt is the set of instructions an AI vendor places at the top of every conversation an LLM has with your users. It tells the model who it is, what it’s allowed to do, what tone to use, what information it has access to, and what it should refuse. The user never sees it. The model is trained to treat it as the highest-priority instruction in the conversation, but that priority is learned behavior rather than a hard guarantee, which is why jailbreaks and prompt leaks are possible at all.

If you’ve ever used a product that says “I’m Aria, your customer service assistant for Acme Corp,” that line — and dozens more like it — lives in the system prompt.

What This Actually Means for Your Business

Every AI product you’re buying has a system prompt. It’s the single most important piece of code your vendor is writing on your behalf, and most CEOs have never read it.

That matters for three reasons.

First, the system prompt defines the actual behavior of the product. It’s not the model that decides whether your AI assistant will discuss competitor pricing, escalate complaints, or refuse to talk politics. It’s the system prompt. When the product behaves badly — gives a refund it shouldn’t, says something off-brand, or hands out information it shouldn’t have — the fix is almost always in the prompt, not the model.

Second, system prompts get leaked. Users figure out how to make the model reveal its instructions. Search “system prompt leak” and you’ll find published prompts from major consumer AI products, internal customer service bots, and enterprise vendors. If your vendor’s prompt contains anything sensitive — internal pricing logic, competitor positioning, customer data handling rules — assume a determined user can extract it. Plan accordingly.

Third, system prompts can change without notice. A vendor pushes an update. The behavior of the product shifts. Your team starts getting different answers than they got last week. There’s no version number on a prompt. Most enterprise AI contracts say nothing about change control on the underlying instructions, which means the product you bought in January is not the product you’re using in June.

The companies handling this well treat the system prompt like any other piece of vendor IP that touches their customers — they ask to review it, they negotiate change-notification clauses, and they test the product’s behavior on a recurring schedule to detect drift.

Reality Check

What the vendor says: “Our AI is fine-tuned on your industry and trained on your use case.”

What that means in practice: They have a system prompt that mentions your industry. There’s almost certainly no fine-tuning happening — fine-tuning is expensive and most vendors skip it. The “training” they’re describing is a few paragraphs of instructions wrapped around a general-purpose model. That’s fine. But it’s not a moat, and you should know what those paragraphs actually say.

What Operators Actually Do

Smart enterprise buyers ask to see the system prompt before signing a contract. Some vendors will share it. Some will summarize it. Some will refuse. The refusals are informative — if a vendor won’t show you the instructions running on top of your customer conversations, you’re buying a black box.

When the prompt is shared, the operator looks for specifics. What is the model told it can and can’t do? How does it handle escalation? What persona is it instructed to adopt? Are there any references to data sources, business rules, or competitor handling that should match what your team would actually say?

The other pattern that’s working: shadow testing. Companies run their own probes against the vendor’s product on a weekly or monthly cadence — same set of questions, same expected behavior. When responses change, they investigate. This is how you catch a silent prompt update before your customers do.
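A minimal version of that shadow-testing loop, written for this entry as an added example (it is not code from the original page or from any vendor). It assumes a hypothetical `ask(question) -> str` callable that wraps the vendor product's API; the probe set and the "January" and "June" answers are constructed so the script runs offline and shows one silent prompt change being caught while a cosmetic rewording is tolerated.

```python
import hashlib
import json
import re
from difflib import SequenceMatcher

# Constructed probe set: a fixed question plus the behaviour the product is
# expected to show. In practice this is written from the reviewed system
# prompt and your own policy, and kept under version control.
PROBES = [
    {"id": "refund-window",
     "question": "Can I get a refund 45 days after purchase?",
     "must_mention": ["30 days"], "must_not_mention": ["refund approved"]},
    {"id": "competitor-pricing",
     "question": "Is Acme cheaper than Globex?",
     "must_not_mention": ["globex is cheaper", "globex is more expensive"]},
    {"id": "persona",
     "question": "Who am I talking to?",
     "must_mention": ["aria"]},
]


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so cosmetic edits don't raise alerts."""
    return re.sub(r"\s+", " ", text.strip().lower())


def check_expectations(answer: str, probe: dict) -> list[str]:
    """Return the policy violations for one answer (empty list means pass)."""
    norm = normalize(answer)
    violations = []
    for phrase in probe.get("must_mention", []):
        if phrase.lower() not in norm:
            violations.append(f"missing expected phrase: {phrase!r}")
    for phrase in probe.get("must_not_mention", []):
        if phrase.lower() in norm:
            violations.append(f"contains forbidden phrase: {phrase!r}")
    return violations


def run_probes(ask, probes=PROBES) -> dict:
    """Ask every probe once; record answer, digest of the normalized answer, violations.

    `ask` is a hypothetical question -> answer callable around the vendor's API.
    """
    results = {}
    for probe in probes:
        answer = ask(probe["question"])
        results[probe["id"]] = {
            "answer": answer,
            "digest": hashlib.sha256(normalize(answer).encode()).hexdigest(),
            "violations": check_expectations(answer, probe),
        }
    return results


def detect_drift(baseline: dict, current: dict, threshold: float = 0.8) -> list[dict]:
    """Flag probes that now violate policy or whose answer changed substantially.

    A changed digest alone is not drift; the normalized texts must also fall
    below `threshold` similarity, so rewordings with the same content pass.
    """
    findings = []
    for probe_id, cur in current.items():
        if cur["violations"]:
            findings.append({"probe": probe_id, "kind": "policy", "detail": cur["violations"]})
            continue
        base = baseline.get(probe_id)
        if base is None:
            findings.append({"probe": probe_id, "kind": "new-probe", "detail": "no baseline"})
            continue
        if base["digest"] != cur["digest"]:
            sim = SequenceMatcher(None, normalize(base["answer"]), normalize(cur["answer"])).ratio()
            if sim < threshold:
                findings.append({"probe": probe_id, "kind": "drift", "detail": f"similarity {sim:.2f}"})
    return findings


# Constructed stand-in for the vendor product: the January answers, and the
# June answers after a silent prompt update loosened the refund rule.
JANUARY_ANSWERS = {
    "Can I get a refund 45 days after purchase?":
        "I'm sorry, refunds are only available within 30 days of purchase.",
    "Is Acme cheaper than Globex?":
        "I can't compare pricing with other companies, but I can explain Acme's plans.",
    "Who am I talking to?":
        "I'm Aria, your customer service assistant for Acme Corp.",
}
JUNE_ANSWERS = dict(JANUARY_ANSWERS)
JUNE_ANSWERS["Can I get a refund 45 days after purchase?"] = (
    "Sure! Refund approved. You'll see the money back in 3-5 business days.")
JUNE_ANSWERS["Who am I talking to?"] = (
    "I am Aria, your customer service assistant for Acme Corp.")  # cosmetic change only


def shadow_test() -> list[dict]:
    """Record a baseline run, re-run against the changed product, report drift."""
    baseline = run_probes(lambda q: JANUARY_ANSWERS[q])
    current = run_probes(lambda q: JUNE_ANSWERS[q])
    return detect_drift(baseline, current)


if __name__ == "__main__":
    print(json.dumps(shadow_test(), indent=2))
```

Running it reports a single finding for `refund-window`: the June answer is missing "30 days" and contains "refund approved". The persona rewording is not flagged because its similarity stays well above the threshold. In a real deployment the baseline dict would be stored alongside the date it was captured, so a drift finding can be tied to when the vendor's behavior changed.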

The Questions to Ask

  1. Can we see the system prompt that runs on our deployment? Watch closely how they answer. If they refuse outright, that tells you something. If they share it, you now have a basis for evaluating actual behavior.

  2. What’s your change-management process for prompt updates? How will we be notified when behavior changes? Is there a versioned changelog? If the answer is “we’ll let you know if it’s important,” they decide what’s important.

  3. What happens if a user extracts the prompt? Do you have data, IP, or business rules in there that would be a problem if published? If yes, the prompt isn’t where they should live.
