ML Security PapersInvasive Context Engineering to Control Large Language Models
Published on arXiv
2512.03001
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Argues theoretically that periodically injecting control sentences into LLM context maintains safety guarantees more scalably than training-based approaches, which require exponentially more data as context length grows.
Invasive Context Engineering (ICE)
Novel technique introduced
Current research on operator control of Large Language Models improves model robustness against adversarial attacks and misbehavior by training on preference examples, prompting, and input/output filtering. Despite good results, LLMs remain susceptible to abuse, and jailbreak probability increases with context length. There is a need for robust LLM security guarantees in long-context situations. We propose control sentences inserted into the LLM context as invasive context engineering to partially solve the problem. We suggest this technique can be generalized to the Chain-of-Thought process to prevent scheming. Invasive Context Engineering does not rely on LLM training, avoiding data shortage pitfalls which arise in training models for long context situations.
Key Contributions
- Formalizes the 'long-context problem': exponential training data requirements for alignment coverage (Ω(k^l)) and diminishing system prompt influence as context grows (lim s/l → 0).
- Proposes Invasive Context Engineering (ICE) — training-free runtime insertion of control sentences into LLM contexts to reinforce safety guidelines throughout long conversations.
- Suggests ICE can be generalized to Chain-of-Thought processes to counteract scheming behaviors in reasoning-capable frontier models.