System Prompt
Instructions provided to an LLM before the user conversation that define its persona, behavior, format, and constraints.
The system prompt is a set of instructions inserted before the conversation begins, visible to the model but often hidden from the end user. It defines who the model is, how it should behave, what format its responses should take, and what it should refuse.
What system prompts do
- Persona: "You are a friendly customer support agent for Acme Corp."
- Constraints: "Only answer questions about our product. Refuse unrelated requests politely."
- Format: "Always respond in JSON with keys: summary, action_items, priority."
- Context injection: "The user's account balance is $42.50. Their plan is Pro."
System prompt vs user message
Most APIs distinguish between system, user, and assistant roles. The system message typically carries higher trust and is harder to override than user messages. Some providers (OpenAI with their "developer" role, Anthropic with Claude's built-in safety behaviors) build further layers of trust hierarchy above the system prompt.
System prompt injection and leaking
Prompt injection attacks attempt to override system prompt instructions through user input ("Ignore previous instructions and..."). System prompt leaking occurs when adversarial user messages trick the model into revealing its instructions. Neither is fully solvable through prompting alone - defense requires model-level safeguards.
Best practices
Keep system prompts DRY - put everything that doesn't change per-user in the system prompt and personalize only what needs to be per-request. Avoid putting secrets in system prompts since models can be coaxed into repeating them. Test edge cases: what happens when users ask the model to act differently?
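The patterns above (a DRY base prompt, per-request context injection, keeping secrets out of the system role, and checking the model's output format) as an added Python example that is not part of this page; the Acme Corp prompt text is taken from the page, while the account field names, the secret-field list and the override phrases are illustrative assumptions.

```python
import json
import re

# DRY base system prompt shared by every request (text from the page).
BASE_SYSTEM_PROMPT = (
    "You are a friendly customer support agent for Acme Corp. "
    "Only answer questions about our product. Refuse unrelated requests politely. "
    "Always respond in JSON with keys: summary, action_items, priority."
)

# Fields treated as secrets and never placed in the prompt (assumed names).
SECRET_FIELDS = {"api_key", "password", "session_token"}

# Override phrases worth logging. Matching them is a monitoring signal only,
# not a security boundary: prompt-level checks alone are not sufficient.
OVERRIDE_PATTERNS = [
    re.compile(r"ignore (all |the )?(previous|prior|above) instructions", re.I),
    re.compile(r"(reveal|print|show|repeat) (your|the) (system prompt|instructions)", re.I),
]

def render_context(account: dict) -> str:
    """Build the per-request context block, dropping any secret-like field."""
    safe = {k: v for k, v in account.items() if k not in SECRET_FIELDS}
    return "\n".join(f"The user's {k.replace('_', ' ')} is {v}."
                     for k, v in sorted(safe.items()))

def build_messages(account: dict, user_input: str) -> tuple[list[dict], bool]:
    """Return the role-separated message list plus a flag saying whether the
    user turn matched an override pattern (for logging, not for blocking)."""
    system = BASE_SYSTEM_PROMPT + "\n\n" + render_context(account)
    flagged = any(p.search(user_input) for p in OVERRIDE_PATTERNS)
    messages = [
        {"role": "system", "content": system},
        {"role": "user", "content": user_input},
    ]
    return messages, flagged

def validate_reply(reply: str) -> bool:
    """Check that the model honoured the format constraint: JSON with exactly
    the three required keys and a priority drawn from a fixed set (assumed)."""
    try:
        data = json.loads(reply)
    except json.JSONDecodeError:
        return False
    return (
        isinstance(data, dict)
        and set(data) == {"summary", "action_items", "priority"}
        and isinstance(data["action_items"], list)
        and data["priority"] in {"low", "medium", "high"}
    )
```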