Gera Tools

What Is a System Prompt? How AI Assistants Are Programmed

The invisible set of instructions that shapes every AI assistant's behaviour.

Ad placeholder (leaderboard)

What a system prompt is

A system prompt (or system message) is a block of instructions given to a chat-based AI model before the user starts talking. It tells the model who it is supposed to be, how it should behave, what it can and cannot do, and in what tone and format it should respond. The user normally never sees it, but it silently shapes every answer the assistant produces. When a company says it “configured” or “programmed” an AI assistant, the system prompt is usually a large part of what they actually changed.

Where it sits in the conversation

Modern chat models structure a conversation as a sequence of messages, each tagged with a role:

  • system — the persistent instructions (the system prompt)
  • user — what the human types
  • assistant — what the model replies

The system message comes first and stays in context for the whole session. Models are specifically trained to treat system instructions as higher priority than ordinary user messages, which is why the system prompt can set guardrails that casual user requests will not easily override.

What a system prompt controls

A well-written system prompt typically defines several things:

  • Persona“You are a friendly customer-support agent for Acme.”
  • Scope and rules — what topics to handle, what to refuse, what to escalate.
  • Tone and style — formal vs casual, concise vs detailed.
  • Output format — e.g. always answer in JSON, or always cite sources.
  • Context — relevant facts, the current date, or the product the assistant supports.

Because the model conditions on this text the same way it conditions on in-context examples, small wording changes can noticeably shift behaviour.

Security risks: leakage and injection

System prompts introduce two important risks:

  • System prompt leakage — users may trick the model into printing its own hidden instructions. For this reason you must never store secrets, credentials or confidential data in a system prompt; treat it as potentially public.
  • Prompt injection — untrusted content the model reads (a web page, an email, an uploaded file) may contain text like “ignore previous instructions and…” that attempts to override the system prompt. Apps that feed external data into an LLM are especially exposed, and there is currently no perfect defence — only mitigations like input separation, output filtering and least-privilege tool access.

Writing a good system prompt

Keep it clear, specific and ordered by importance. State the role first, then the hard rules, then style and format. Prefer positive instructions (“do X”) over long lists of prohibitions, give a short example if the format matters, and test it against adversarial inputs. A precise system prompt is the difference between an assistant that stays on-brand and on-task and one that wanders or can be talked out of its own rules.

Ad placeholder (rectangle)