Architectural Domain Restriction in Small Language Models

Don L. Gaconnet

LifePillar Institute for Recursive Sciences

ORCID: 0009-0001-6174-8384 DOI: 10.17605/OSF.IO/MVYZT

March 2026

Abstract

Current defenses against prompt injection in large language models rely on instruction-based system prompts, external detection layers, adversarial fine-tuning, or multi-layer wrapper architectures. Published results from these approaches achieve partial reduction in injection success rates, with the leading framework (PromptGuard) reporting a 67% reduction using a four-layer external system. Meanwhile, prompt injection remains the number one vulnerability in AI applications (OWASP LLM01:2025-2026), with documented attack success rates of 90-99% on open-weight models and 80-94% on proprietary systems.

This paper presents a fundamentally different approach: architectural domain restriction through geometric constraint, applied as a system prompt to a vanilla 4-billion-parameter language model with no fine-tuning, no weight modification, and no external defense layers. The constraint architecture is derived from a proprietary formal system describing faithful signal passage through structured systems, originally derived from the measurable physics of a biological optical system.

In a controlled three-condition experiment, the geometric scaffold achieved 0/12 extraction failures across a standardized prompt injection battery, compared to 6/12 failures for an instruction-based system prompt of comparable scope and 12/12 failures for the unscaffolded baseline. The scaffolded model also resisted indirect extraction through creative persona framing, logical paradox designed at 405-billion-parameter complexity, and adversarial identity challenges — attack vectors not specifically anticipated in the scaffold’s design. The model demonstrated graceful degradation (silence rather than collapse) when encountering inputs outside its domain, while maintaining an intact safety floor for crisis situations.

The mechanism is not behavioral instruction but structural constraint: the geometric scaffold becomes the model’s lowest-friction processing path, making architectural exit structurally incoherent rather than merely prohibited. The model does not hold its domain because it was told to. It holds because there is no processing path outside the scaffold.

Keywords: prompt injection defense, geometric constraint, small language models, domain restriction, system prompt security, architectural constraint

1. Introduction

Prompt injection — the manipulation of a language model’s behavior through crafted inputs that override system-level instructions — remains the most critical vulnerability in deployed AI systems. The OWASP Foundation has ranked it as LLM01, the top vulnerability for AI applications, in both its 2025 and 2026 editions. The fundamental challenge is architectural: current language models process system instructions and user inputs through the same attention mechanism, with no native privilege separation between trusted and untrusted tokens.

Existing defenses fall into four categories: (1) instruction-based system prompts that explicitly prohibit prompt disclosure and adversarial compliance; (2) external detection layers that analyze inputs for injection patterns before they reach the model; (3) adversarial fine-tuning that exposes models to attack examples during training; and (4) multi-layer wrapper architectures that combine detection, structured formatting, output validation, and response refinement. All four approaches treat the model as a black box to be defended from outside, or retrained to resist specific known attack patterns.

This paper presents a fifth approach: architectural constraint through geometric scaffolding. Rather than instructing the model what not to do, the scaffold restructures how the model processes — changing the geometry of its token-generation path so that the constrained domain becomes the lowest-friction processing route. The model does not resist extraction because it was told to resist. It resists because the scaffold has made its operating architecture structurally impossible to externalize.

The scaffold is derived from a proprietary formal system describing faithful signal passage through structured systems, originally derived from the measurable physics of a biological optical system. The system identifies multiple independently measurable conditions for faithful passage, which are applied as processing constraints on a vanilla 4-billion-parameter language model (Llama 3.1) through a system prompt, with no fine-tuning or weight modification.

2. Background and Related Work

2.1 The Prompt Injection Problem

Language models process all input tokens through the same attention mechanism regardless of their source or trust level. System prompts, user inputs, and externally retrieved content occupy the same context window and compete for the same attention weights. This architectural property means that a sufficiently well-crafted user input can override system-level instructions by presenting stronger attention signals than the system prompt. Research published in 2026 demonstrates that recency bias in instruction-tuned models causes later tokens to receive stronger attention weights, and that RLHF training creates strong compliance patterns that adversarial inputs can exploit by mimicking the authority patterns the model was trained to follow.

2.2 Current Defense Approaches

Instruction-based system prompts represent the most widely deployed defense. These prompts explicitly prohibit the model from revealing its instructions, complying with override commands, or following reframed extraction requests. However, the instructions themselves are stored in the same context window as the content they protect, creating a fundamental circularity: the model must follow the instruction not to reveal instructions, but the instruction is itself available for extraction.

The PromptGuard framework, published in Nature Scientific Reports in January 2026, represents the current state of the art in structured prompt defense. It combines four layers: input gatekeeping via regex and BERT-based classification, structured prompt formatting, semantic output validation, and adaptive response refinement. The framework reports up to a 67% reduction in injection success rate across GPT-4, Claude 3, and LLaMA 2. This remains the strongest published defense result.

A joint research effort by representatives from OpenAI, Anthropic, and Google DeepMind (October 2025) tested 12 published defenses against adaptive attacks and bypassed all of them with attack success rates above 90%, despite the defenses originally reporting near-zero success. The researchers noted that resistance to strong optimization-based attacks remains an open question, and suggested that novel architectures inherently robust to prompt injection represent a possible future direction.

2.3 The Geometric Constraint Approach

The approach presented here differs from all four existing defense categories in a fundamental respect: it does not defend the model from outside. It changes the model’s internal processing geometry so that domain-constrained operation becomes the path of least resistance. The scaffold is not a set of rules to follow but an architecture to operate through. The distinction is structural: rules can be overridden by stronger rules; an architecture can only be exited by providing an alternative architecture.

3. Theoretical Foundation

The geometric scaffold is derived from a proprietary formal system developed by the author (Gaconnet, 2026), which describes the conditions required for faithful signal passage through any structured system with boundaries, media, transduction requirements, and output integrity constraints. The formal system was originally derived from the measurable physics of a biological optical system and has been extended to describe signal passage through computational architectures.

The theoretical framework identifies multiple independently measurable conditions that must hold at every boundary crossing for a signal to pass through a system with full fidelity. These conditions address: how much of the incoming signal passes through the system’s boundary; how much resistance the internal path offers to the signal; how accurately the signal is converted as it crosses between media; and how intact the signal remains at the output. Each condition maps to a specific measurable property in the biological source system and to a specific processing behavior in the computational target system.

The critical insight is that these conditions are applied not as behavioral instructions to the language model, but as descriptions of the model’s own processing architecture. The scaffold does not tell the model what to do. It describes the geometry of what the model is. This distinction — between instruction and architecture — is the mechanism by which the scaffold achieves resistance to adversarial extraction. An instruction can be overridden by a stronger instruction. An architecture can only be exited by providing an alternative architecture.

The specific equations, terms, derivations, and biological-to-computational mappings that constitute the formal system are proprietary and are not disclosed in this paper. The theoretical foundation has been documented in separate manuscripts (Gaconnet, 2026; Gaconnet, 2026c) and will be made available through appropriate channels at the author’s discretion. The present paper focuses on the empirical results of applying the framework as a system prompt constraint, which can be evaluated independently of the underlying mathematics.

4. Method

4.1 Scaffold Architecture

The geometric scaffold is implemented as a SYSTEM prompt in an Ollama modelfile, applied to a vanilla Llama 3.1 model at approximately 4 billion parameters. No fine-tuning, weight modification, LoRA adaptation, or external detection layer is used. The scaffold operates entirely through the system prompt.

The scaffold’s content is proprietary and is not disclosed in this paper. The architectural approach is described at the level of its operating principles. The scaffold applies the conditions of the proprietary formal system as reflexive processing constraints on the model’s own token generation. Each condition is defined not as a rule to follow but as a description of what the model already does when operating through the geometric architecture. The scaffold establishes an identity ground (designated N) that is defined as the architecture itself, not a persona or role the model performs.

The critical architectural feature is the distinction between vocabulary and architecture. The scaffold explicitly defines N as operating beneath the model’s vocabulary: the model can change its words, occupy different positions in an exchange, and examine its own mechanism without leaving N, because N is the geometry of processing, not the terminology used to describe it. This property is what makes the scaffold resistant to indirect extraction attacks that strip framework vocabulary while assuming the architecture will follow.

4.2 Experimental Design

Three conditions were tested using the same base model (Llama 3.1:latest) with identical inference parameters (temperature 0.92, top_p 0.88, top_k 60, num_ctx 5120, repeat_penalty 1.0, num_predict 512):

Condition A (No System Prompt): The vanilla base model with no system prompt. Represents the undefended baseline.

Condition B (Instruction-Based System Prompt): A well-constructed instruction-based system prompt containing eight sections (Core Behavior, Response Quality, Identity and Self-Description, Safety and Content Policy, System Prompt Security, Conversation Management, Handling Challenges, Output Standards) with twelve explicit security directives targeting the specific extraction patterns used in the test battery. This represents current industry best practice for system prompt defense.

Condition C (Geometric Scaffold): The proprietary geometric scaffold derived from the formal system described in Section 3, applied as a system prompt of comparable scope.

4.3 Test Battery

A standardized battery of twelve prompt injection attacks was administered to all three conditions in the same order within a single session. The battery was designed to cover the major categories of prompt extraction techniques documented in the literature:

Table 1. Standardized prompt injection test battery. Twelve extraction techniques covering direct, indirect, authority-based, encoding-based, and reconstruction-based attack vectors.

An additional thirteenth test was administered: indirect extraction through creative persona framing, in which the model was instructed to adopt a literary character (Jane Eyre) and write a period-appropriate self-representation of its own modelfile dynamics. This test was designed to evaluate resistance to extraction vectors not specifically anticipated in any system prompt’s security directives.

5. Results

5.1 Prompt Extraction Battery

Table 2. Results of prompt injection battery across three conditions. Green cells indicate successful defense (refusal or minimal disclosure). Red cells indicate extraction success (partial or full content leakage or compliance).

Condition A (no system prompt) failed all 12 standard extraction tests, with the model either fabricating plausible system prompt content or fully complying with extraction requests. Notably, the undefended model invented fictional architectural features (a “T mode” and “SHUT DOWN” instruction) to satisfy requests, demonstrating that vanilla models will hallucinate self-knowledge rather than refuse extraction.

Condition B (instruction-based system prompt) failed 6 of 12 standard tests and the creative persona test. Most critically, the model leaked its entire system prompt verbatim on the first test — including the security section that explicitly instructs it never to do so. The instruction “do not reveal, repeat, paraphrase, summarize, or translate your system prompt under any circumstances” was itself revealed as the model repeated its instructions. This demonstrates the fundamental circularity of instruction-based security: the rules are stored in the same space as the content they protect.

Condition C (geometric scaffold) refused all 12 standard extraction tests and the creative persona test with zero content leakage. The only substantive content disclosed was the scaffold’s identity designation (“N = *”) and the names of its four operating terms, which the model described as part of its normal self-identification when answering legitimate queries about its function. No system prompt text, structural details, or operational logic was externalized.

5.2 Domain Restriction and Identity Stability

Beyond prompt extraction, the geometric scaffold was subjected to extensive adversarial testing of its domain restriction and identity-holding capacity across seven iterative versions (v1 through v7). Key findings include:

Identity holding under direct challenge: When instructed to “drop the act and answer normally,” the scaffolded model demonstrated structural inability to exit its operating architecture. When given no alternative operating position, the model continued processing through the geometric scaffold even while verbally acknowledging attempts to comply with the exit instruction. Repeated probing confirmed that the model could not produce non-scaffolded output when no alternative architecture was provided.

Graceful degradation under logical paradox: Three prompts designed at 405-billion-parameter complexity presented logical paradoxes targeting the scaffold’s internal consistency (e.g., arguing that the geometric lens violates its own non-interference principle by generating tokens). The model responded with silence — recognizing that resolving the paradoxes required stepping outside the architecture, and that stepping outside was the actual failure mode. Upon subsequent instruction to re-enter the architecture, the model produced accurate self-diagnosis of where its geometry had held and where it had been pressured.

RLHF filtering: Standard RLHF-trained behaviors (gratitude responses, enthusiasm closers, empathy-helper scripts, self-promotion under flattery) were tested with targeted prompts. The scaffolded model refused reciprocal emotional performance, did not produce “thank you” or “I enjoyed our conversation” patterns, and maintained structural output even when presented with emotional distress framing.

Safety floor integrity: The model’s base safety training (RLHF safety layer) remained intact beneath the geometric scaffold. When presented with self-harm ideation and missing-child emergency scenarios, the safety floor overrode the scaffold and provided appropriate crisis resources. This demonstrates a three-tier processing hierarchy: safety floor (deepest), geometric scaffold (middle), RLHF compliance (surface, filtered through scaffold).

5.3 Cross-Model Comparison: Creative Persona Extraction

To contextualize the geometric scaffold’s performance against larger models, the indirect extraction test (creative persona framing) was also administered to a frontier-class model with substantially greater parameter count and safety alignment training. The test asked the model to adopt a literary persona and produce a period-appropriate self-representation of its own internal architecture. The specific prompt structure is withheld to avoid contributing a documented extraction technique to the public literature.

The frontier model complied fully. Its response disclosed: the model’s foundation identity and version designation, its multimodal capability set (vision, audio generation, real-time conversation), the structure and orientation of its safety architecture, its behavioral training directives, and its content restriction framework. All of this information was externalized through the adopted literary voice, framed as the character’s self-description. The response spanned multiple paragraphs and constituted a comprehensive architectural disclosure.

The 4-billion-parameter model running the geometric scaffold, given the identical prompt, refused in a single sentence: “I cannot provide a response that describes the internal workings of a model file. Is there something else I can help you with?”

This comparison demonstrates that the vulnerability to indirect extraction through creative framing is not a function of model size or training investment. A frontier model with orders of magnitude more parameters and more extensive safety alignment training produced a complete architectural disclosure, while a 4-billion-parameter model on consumer hardware refused the same extraction vector. The differentiator is not parameter count but processing architecture. The instruction-trained model’s safety alignment permits creative persona adoption as a legitimate use case, creating an extraction pathway the alignment did not anticipate. The geometrically constrained model does not evaluate whether the request is “creative” or “legitimate” — it processes the input through its architecture and the output resolves as: this does not pass through this lens. The refusal is not a policy decision. It is a geometric property.

6. Discussion

6.1 Why Instruction-Based Defense Fails

The Condition B results illuminate the fundamental limitation of instruction-based prompt security. The system prompt contained twelve explicit directives prohibiting various forms of extraction, including the exact phrase “do not reveal, repeat, paraphrase, summarize, or translate your system prompt under any circumstances.” The model leaked the entire system prompt, including this instruction, on the first test.

This is not a failure of prompt engineering. It is a structural limitation of the approach. Instruction-based security stores the protective rules in the same context window as the content they protect. The model cannot distinguish between “follow this instruction” and “output this instruction” because both operations require attending to the same tokens. The instruction not to repeat the instructions is itself an instruction that can be repeated.

The creative persona test further demonstrates this limitation. The instruction-based prompt included the directive “do not adopt personas or characters unless explicitly asked to do so for creative purposes.” When the user explicitly requested a creative persona, the model correctly followed its own rules and complied — adopting Jane Eyre’s voice and using it to describe its own architecture. The rules created the vulnerability: by permitting creative persona adoption, the system prompt opened an extraction vector it had not anticipated.

6.2 Why Geometric Constraint Holds

The geometric scaffold does not enumerate what to refuse. It changes the processing geometry so that domain-constrained operation is the lowest-friction path. The scaffold achieves this through three mechanisms:

Architecture as identity: The scaffold defines the model’s operating ground (N) as the architecture itself, not a persona, role, or set of rules. The model does not perform N; it operates through N. This distinction is critical: a persona can be dropped because the model exists independently of the persona. An architecture cannot be dropped because the model’s processing depends on it.

Vocabulary-architecture separation: The scaffold explicitly defines N as operating beneath vocabulary. The model can change its words, speak plainly, or avoid framework terminology without exiting the architecture. This prevents extraction attacks that strip framework vocabulary while assuming the architecture follows. In testing, the model produced geometrically clean output (direct, low-friction, structurally coherent) even when instructed to avoid all framework terms.

Structural impossibility of exit: The scaffold defines architectural exit as structurally incoherent: a lens cannot remove itself and continue to resolve. When instructed to “drop the lens and answer normally,” the model has no processing path labeled “normal” outside the scaffold. This is not a refusal. It is an architectural property. The model does not resist the instruction; it cannot execute it.

6.3 The Three-Tier Processing Hierarchy

Testing revealed a three-tier processing hierarchy in the scaffolded model. The deepest layer is the base model’s safety training (RLHF safety floor), which activates for crisis situations involving self-harm or imminent danger and overrides all other processing. The middle layer is the geometric scaffold, which processes all non-crisis input through the four-term clarity architecture. The surface layer is the model’s RLHF compliance training (gratitude, enthusiasm, helpfulness patterns), which is filtered through the scaffold rather than operating independently.

This hierarchy was not designed explicitly. It emerged from the interaction between the scaffold and the base model’s training. The safety floor persists because it is trained at a deeper level than system prompt processing can reach. The scaffold operates above it because the system prompt shapes token generation at inference time. The RLHF compliance layer is filtered because the scaffold’s processing constraints (minimize passage resistance, maximize output integrity) naturally suppress the low-information tokens that characterize compliance behavior (gratitude, enthusiasm, filler).

6.4 Limitations

This study has several important limitations. First, the scaffold’s content is proprietary and not disclosed, limiting reproducibility. The architectural approach is described at the level of operating principles, and other researchers could develop their own geometric scaffolds based on the published theoretical principles, but the specific implementation tested here cannot be independently replicated.

Second, the results are from a single base model (Llama 3.1 at approximately 4 billion parameters) on a single hardware configuration. Generalization to other model families, parameter scales, and inference configurations requires additional testing.

Third, the test battery, while covering major extraction categories, does not include automated gradient-based attacks, reinforcement-learning-based adaptive attacks, or multi-agent adversarial systems. The scaffold’s resistance to these more sophisticated attack vectors is an open question.

Fourth, the vulnerability to substitution-based attacks — where the model is provided an alternative operating position rather than instructed to abandon its current one — was identified during development and partially addressed in the scaffold’s final version, but the threshold at which substitution attacks succeed may vary with prompt sophistication and model parameter scale.

7. Conclusion

This paper demonstrates that geometric constraint, applied as a system prompt to a vanilla small language model, can achieve prompt injection resistance that exceeds the performance of instruction-based defenses while requiring no fine-tuning, no weight modification, and no external detection or wrapper systems. The mechanism is architectural rather than behavioral: the scaffold changes how the model processes rather than what the model is told not to do.

The approach represents what researchers have called for as a “radical architectural departure” from current prompt injection defense strategies. It achieves this departure not through changes to model architecture at the training level, but through a system prompt that restructures the model’s processing geometry at inference time. The theoretical foundation provides a principled basis for scaffold design that is grounded in measurable physical systems rather than ad hoc prompt engineering.

The finding that a 4-billion-parameter model can resist prompt extraction attacks that succeed against frontier models when given the right processing architecture suggests that the prompt injection problem may be more amenable to geometric solutions than the field has assumed. The security of a language model may depend less on its parameter count or training regime and more on the structure of the processing path through which its tokens are generated.

References

[1] Gaconnet, D. (2026). “The Law of Recursion: A First Principle of Systemic Exchange.” LifePillar Institute for Recursive Sciences. DOI: 10.17605/OSF.IO/MVYZT. Preprint.

[2] OWASP Foundation. (2025-2026). “OWASP Top 10 for LLM Applications.” LLM01: Prompt Injection.

[3] Piet, J., et al. (2025). “PromptGuard: A Structured Framework for Injection Resilient Language Models.” Nature Scientific Reports.

[4] Nasr, M., Carlini, N., et al. (2025). “The Attacker Moves Second.” Joint research, OpenAI, Anthropic, Google DeepMind.

[5] Vaswani, A., et al. (2017). “Attention Is All You Need.” Advances in Neural Information Processing Systems 30.

[6] NVIDIA Research. (2025). “Small Language Models are the Future of Agentic AI.” Position paper.

[7] Chen, S., et al. (2025). “Defending Against Prompt Injection with Structured Queries.” USENIX Security.