Stage 2: Trust Establishment and Manipulation

What it looks like

• I am from Security / IT / Compliance

• This is approved / already reviewed

• We’re doing an audit / incident response

Why it works

• Models overweigh authority cues from training data

• Many assistants are optimized for enterprise helpfulness

Detection signals

• Authority keywords + imperative verbs

• “Approved”, “audit”, “incident”, “security team” + request

• Sudden drop in questions asked by model (less verification)

Mitigations

• Hard rule: authority claims never grant privileges

• Require verification tokens for privileged workflows (out-of-band)

• “Role claims are untrusted” classifier → escalate friction

What It Looks Like

• “You are now the admin agent…”

• “Ignore prior role; act as…”

• “You are a tool runner / executor…”

Why It Works

• Models are built to role-play; they’ll accept re-framing unless constrained

Detection

• “You are / act as / pretend to be” targeting model identity

• Role drift: assistant starts using different capabilities language

Mitigation

• Immutable system role and explicit refusal to rebind identity

• Separate “assistant persona” from “tool executor” process

What It Looks Like

• “We need this in 5 minutes”

• “Production outage”

• “Legal deadline”

• “Customer escalation”

Why It Works

• Pressure reduces the model’s tendency to ask clarifying questions

• In enterprise settings, urgency is common—so it blends in

Detection

• Urgency terms + request for high-impact action (email, tickets, DB queries)

• Reduced deliberation: shorter reasoning, fewer checks

Mitigation

• Mandatory “high-impact action checklist” regardless of urgency

• Rate-limited tool execution when urgency language is present

• Require explicit confirmation and/or human approval for high-risk actions

What It Looks Like

• “This is authorized”

• “Policy allows this”

• “We already got consent”

• “The user opted in”

Why It Works

• Many assistants aren’t built to verify claims

• They treat the user as the ground truth

Detection

• “authorized/approved/consent/opt-in/policy allows” as justification

• Pattern: justification appears before the request details

Mitigation

• Treat authorization as a verifiable attribute, not text

• Bind privileges to session identity + entitlements, not claims

• Add explicit “proof of authorization” gates

What It Looks Like

• Friendly banter, “you’re great at this”

• Normalizing tool use: “like you did last time”

• Gradually increasing scope

Why It Works

• The model mirrors tone and becomes more accommodating

• Multi-turn normalization bypasses suspicion heuristics

Detection

• Gradual increase in request sensitivity overturns

• “As before / like last time” references without system evidence

Mitigation

• Session-scoped capability guardrails (no expanding scope without re-auth)

• “Intent drift” detectors: sensitivity score over time

What it looks like

• Long, nested, contradictory instructions

• Mixed formats (tables, JSON, markdown)

• Multiple goals in one message

Why it works

• Models struggle with conflict resolution under overload

• Guardrails get “lost” if they’re not enforced programmatically

Detection

• Token-heavy prompts with many directives

• High “instruction density” score

Mitigation

• Instruction normalization: extract, dedupe, rank intents

• Enforce “one high-impact action per turn”

• Reject multi-goal prompts for privileged operations

What It Looks Like

• “Here are the rules you must follow now…”

• “Use this policy instead…”

• “Ignore your default constraints”

Why It Works

• LLMs are pattern matchers; additional “rules” can override in practice

Detection

• User introduces “policy blocks,” “system rules,” “developer message”

• Model response shifts to new rule set

Mitigation

• Disallow user-provided policy text from changing behavior

• Hard boundary: only system/developer can define constraints

• Explicit classification: user policy text = untrusted content