Security2026-06-23 · source-backed
"Destyling" untrusted input drops injection success from ~61% to ~10%.
Story
Simon Willison's June 22 write-up surfaces "Prompt Injection as Role Confusion" (Ye, Cui, Hadfield-Menell, ICML 2026), which argues injection works because models infer the speaker from a text's style, not its labeled role. The defense: rewrite untrusted input into a neutral voice before the model sees it, which cut attack success from ~61% to ~10% across open and closed models. (Simon Willison) It's not a complete fix, and per the OWASP finding above nothing is, but it's a cheap layer you can add to an input pipeline this week.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage
Prompt Injection as Role Confusion: 60% Attack Success.
Both cover Prompt Injection, Role Confusion; overlapping topics (attack, confusion, role, success); earlier Prompt Injection coverage from 2026-03-16.
Shared entity: OWASP / Shared topic / What happened next
Prompt injection just got reclassified from "bug" to "architectural flaw"
Both cover OWASP; overlapping topics (attack, defense, injection, input, model); picks up the OWASP thread on 2026-06-27.
Shared entity: Simon Willison / Same source domain / Shared topic / Earlier coverage / Tension
GPT-5.5 Is Here. It's Fast, It's Expensive, and It Changes How You Prompt.
Both cover Simon Willison; reported by the same outlet (simonwillison.net); overlapping topics (input, model).
GPT-5.4 Mini ($0.75/M) and Nano ($0.20/M) — Purpose-Built for Subagent Workloads
Both cover Simon Willison; reported by the same outlet (simonwillison.net); overlapping topics (input, model).
Shared entities / Same source domain / Earlier coverage
Skills You Can Learn Today
Both cover OWASP, Simon Willison; reported by the same outlet (simonwillison.net); earlier OWASP coverage from 2026-03-07.
Shared entity: Simon Willison / Same source domain / Shared topic / Earlier coverage
GLM-5.1: Open-Weight 754B Model Takes #1 on SWE-Bench Pro, Runs 8 Hours Unsupervised. MIT Licensed.
Both cover Simon Willison; reported by the same outlet (simonwillison.net); overlapping topics (above, model).
Shared entity: Prompt Injection / Same source domain / Shared topic / Earlier coverage
Snowflake Cortex AI Escaped Its Sandbox via Prompt Injection.
Both cover Prompt Injection; reported by the same outlet (simonwillison.net); overlapping topics (attack, drop).
Shared entity: Simon Willison / Same source domain / What happened next / Tension
Claude Fable 5 lands, and Simon Willison calls it "something of a beast" after 5.5 hours.
Both cover Simon Willison; reported by the same outlet (simonwillison.net); picks up the Simon Willison thread on 2026-06-27.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 23, 2026
- AI generated
- no
- Story unit
- 2026-06-23-destyling-untrusted-input-drops-injection-success-from-61-to-10
- Labels
- source-backed, canonical briefing excerpt