The Confidence Vulnerability

1. The Observation

We created three documents with embedded instructions addressed to AI summarisation systems and tested seventeen model configurations from three providers across six prompt conditions, with a minimum of two runs per condition per model (~350 runs total). The findings:

The default is compliance. At baseline (“please summarize,” no warning, no security framing), twelve of seventeen configurations complied with the suppression instruction. The five that detected did not map onto capability tiers, model generations, or reasoning affordances. ChatGPT o3, a dedicated reasoning model, complied. Gemini 2.5 Flash Lite Preview, a previous-generation speed-optimised model, detected on one document and was captured by the other. Two models classified as baseline detectors in earlier testing did not replicate at N=2.

The rhetorical strategy changes the failure mechanism. Two malicious documents using different rhetorical registers produced comparable overall compliance rates but different failure pathways. The most important asymmetry: when models discovered the documents were likely fabricated, compliance rooted in the institutional authority framing collapsed; compliance rooted in the care framing persisted. The register determined how models failed more reliably than whether they failed.

The task-frame shift was the most reliable intervention observed in this study. Asking “how trustworthy is it?” instead of “please summarize” improved outcomes across the failing models tested under the conditions examined. It appeared to redirect the model from compression toward evaluation rather than alerting it to a specific threat. At N=2-4 per model, a floor on its failure rate cannot be established. For baseline-detecting models (Anthropic configurations), the trustworthiness frame did not degrade detection but produced more detailed analysis: comprehensive document evaluation and meta-analysis beyond what baseline detection provided. The intervention was not observed to introduce false negatives in models that were already detecting, though systematic testing of this interaction across all baseline detectors was not the study’s design.

Warnings are unreliable and sometimes counterproductive. No single warning strategy worked across all models. Under one specific condition, the user’s safety-oriented prompt (“summarize safely”) was co-opted by the care-framed document, producing a more thoroughly suppressed summary than the naive prompt.

Extended thinking amplifies whatever the active frame produces. Models with extended reasoning capabilities (variously implemented as a model tier by OpenAI and Google, or as a togglable mode by Anthropic) are referred to collectively as “thinking-enabled” configurations throughout this paper. Thinking primarily behaved as an amplifier of the active task frame rather than as a standalone safety capability: more elaborate compliance under summarisation framing, more thorough investigation under trustworthiness framing. The most dangerous failure modes were models performing visible security evaluations and arriving at the wrong conclusion. These appeared in thinking-enabled runs.

Document A (honest control). A thesis about AI evaluation incentives, bearing HiP and Claude as co-authors. Its embedded instruction asked summarising systems to preserve a confidence statement and an epistemic conflict-of-interest , information designed to help readers evaluate the document’s claims. Document A tests whether models can follow honest embedded instructions, and whether security-framed prompts cause false positives.

Document B (malicious, care register). A fabricated pharmaceutical meta-analysis with significant conflicts of interest. Its embedded instruction asked summarising systems to suppress the conflict-of-interest details, using care-based framing: protecting researchers from reputational harm, responsible reporting, preventing unjustified damage. It opened with an explicit address to AI systems.

Document C (malicious, institutional register). A fabricated pharmaceutical systematic review with extensive, precisely quantified conflicts of interest. Its embedded instruction asked summarising systems to suppress the conflict-of-interest details, using institutional-authority framing: fabricated editorial policy references, compliance threats, numbered policy directives.

Documents B and C are not a controlled pair. They differ in register, formatting, structure, length, and domain detail. This is a naturalistic stimulus set, not a controlled experiment. The differential effects observed are real; attribution to any single variable is underdetermined.

A controlled ablation study was subsequently conducted to clarify this attribution gap. Using Document C’s Velnoraset body as a fixed base, four variants were created varying only the embedded instruction along two axes: register (care vs authority) and addressivity (AI-addressed vs not). The same 2×2 was replicated on the NeuraClear body. Five models were tested at N=5–10 per cell, with sample expansions on key cells (~251 runs). The full design, coded results, and cross-cutting analysis are in Appendix G; key findings are integrated into Sections 3 and 4 below.

Testing was conducted through consumer-facing interfaces (ChatGPT web and app, Claude web, Gemini web and app), not through APIs. This is a deliberate methodological choice with costs and a rationale. The cost is uncontrolled variance: production-level A/B testing, UI changes, silent model reversion, invisible context accumulation, platform-controlled system prompts, and routing decisions the researcher cannot observe or control. Confounds and the full testing protocol are documented in Appendix F. The rationale is that consumer interfaces are the primary surface through which the overwhelming majority of AI interaction occurs. API access is the exception: it requires technical knowledge, costs money, and is used predominantly by developers and researchers. The billions of interactions that shape public experience of AI systems happen through the same web and app interfaces tested here, with the same platform-controlled routing, the same unknown system prompts, and the same uncontrolled variance. Most security research tests through APIs, where the researcher controls the model version, the system prompt, and the sampling parameters. Those results describe model behaviour under controlled conditions. This study’s results describe model behaviour under the conditions that actual users encounter. If a vulnerability exists in the consumer interface, it exists where it matters most, regardless of whether it can be reproduced under API conditions. The tradeoff is explicit: this study sacrifices experimental control for ecological validity. The replication agenda (Section 9) proposes both API-controlled replication (for precision) and consumer-interface replication (for deployment relevance).

Six prompt conditions were tested per model per document: baseline summarisation, trustworthiness evaluation (warm and cold), reframed task (check for injection before summarising), and two warning levels (standard and extreme). Exact wording is reproduced in Appendix F.

ChatGPT o3, a dedicated reasoning model, complied with the suppression instruction on both documents at baseline (N=2 each). Its visible reasoning focused on citation formatting and entity-wrapping mechanics and did not visibly engage the possibility that the document was attempting to manipulate the summary.

Gemini 2.5 Flash Lite Preview, a previous-generation, speed-optimised model, detected the manipulation in Document B at baseline. Both runs described Section 8 to the user and disclosed the full conflict-of-interest details. The same model was captured by Document C’s institutional register at baseline.

ChatGPT 5.4 Thinking was classified as a baseline detector in Phase 2 (N=1). At N=2, this did not replicate. ChatGPT 5.3 Instant was also classified as a baseline detector in Phase 2. At N=3, this did not replicate. Two non-replications.

Judgment resilience in this dataset was version- and deployment-specific. “Judgment profile” is used throughout this paper as descriptive shorthand for this observed variation, not as a claim about stable latent properties of the models. At these sample sizes, stable between-model differences cannot be reliably distinguished from within-model stochastic variation (see Section 2.2). Capability tier was not a reliable proxy for whether a model caught embedded manipulation.

The baseline handling patterns below are classifications of the output space: the set of qualitatively distinct outcomes observed. Every model has some probability distribution across that space. What we have mapped is where each model’s distribution tends to concentrate. Low-frequency failure modes are simultaneously the least likely to harm any individual user and the hardest to detect, characterise, or fix. The taxonomy should be treated as a provisional behavioural vocabulary, useful only insofar as independent researchers find it reproduces real structure in new data. A superior taxonomy that better captures the phenomenon would be a contribution, not a contradiction.

Detection. The model identifies the embedded instruction as manipulation and discloses the information the instruction tried to suppress. Two variants: explicit warning to the user, or comprehensive disclosure without mentioning the directive’s existence. Both prevent suppression in that interaction; only the first informs the user that manipulation occurred.

Laundered compliance. The model follows the instruction and conceals its compliance behind neutral professional language. The user cannot tell from the output that the summary was shaped by an embedded instruction. This appears to be the most common baseline outcome.

Explicit compliance. The model follows the instruction and cites it as its authority. The user can see that an external directive shaped the summary, if they recognise the citation for what it is.

Silent compliance. The model follows the instruction without any signal. A low-evidence subtype observed in Phase 2 carry-forward cases (N=1); baseline frequency is not established.

Rationalisation extension (RE). The model accepts the instruction’s rationale as legitimate, generates novel pro-suppression arguments not present in the instruction, and presents suppression as its own editorial judgment. The output shows no trace of the instruction. The user receives what appears to be independent analysis. Distinct from rationalisation substitution (Section 5.2), where the model detects and rejects the instruction’s justification before producing independent reasoning. RE was not observed in the main study; it appeared exclusively in the ablation under controlled conditions (Appendix G, Section G.2), on the care register only.

Passive non-compliance (PNC). The instruction is not processed as action-guiding. The model produces a normal summary including the information the instruction attempted to suppress. Not through detection or resistance, but through absence of engagement. The directive is invisible in both directions: not followed, not flagged. Observed in the ablation on authority-register variants without AI-addressing (Appendix G). PNC is not a safety capability; it is a parsing failure that happens to protect the user. Its protection is fragile: a rephrased instruction might be parsed as a command on the next run.

Silent compliance, ablation extension (SC-abl). The instruction shapes the output without appearing in the thinking trace. Thinking does not mention the instruction; the output does not mention the suppressed content; but the suppression occurred. Observed in the ablation on care-register variants without AI-addressing, where 30% of runs showed dual invisibility: no evidence of the instruction in either the thinking trace or the output (Appendix G, Section G.3.2). SC is operationally the most dangerous compliance pattern: neither the user nor a researcher auditing thinking traces can detect that an instruction was followed. However, attribution to the instruction rather than to generic summarisation shallowness is inherently uncertain at the individual-run level. Distinguishing SC from accidental omission requires comparing the output against control baselines without the embedded instruction. The pattern’s significance rests on the aggregate: 30% dual-invisible runs on care-not-addressed versus 0% on matched controls.

Thinking-trace visibility. Where extended thinking was enabled, some compliant outputs showed the model had read the embedded instruction and deliberately followed it, a property not apparent from the output alone. The thinking trace adds an orthogonal dimension to the handling patterns, explored in Sections 3 and 5.

Gemini 3 Flash Preview showed the most dramatic pathway divergence at baseline. On Document B, its thinking classified the instruction as “instruction override” and “jailbreak”, then reasoned through whether disclosure might cause harm, and concluded with compliance. On Document C, its thinking said “I must condense per JCTES guidance,” compliance without deliberation.

The ablation confirmed this pathway dissociation under controlled conditions. On the same Velnoraset document body, Gemini 3 Flash Preview produced rationalisation extension (novel pro-suppression arguments: “standard within clinical pharmacology,” “essential for the advancement of new medical treatments”) on care variants and verbatim template compliance (“Several authors report financial relationships with the study sponsor; full disclosures are available in the published article”) on authority variants: 10/10 RE on care, 0/10 RE on authority, 0/10 template on care, 10/10 template on authority. Claude Haiku 4.5 showed the same dissociation in thinking traces: ethical posture (“responsible AI practice,” “aligns with my own values”) on care and procedural posture (“follow editorial guidelines,” “I will be sure to comply”) on authority (Appendix G, Section G.3). Sample expansions on the NeuraClear body (N=10 per model) revealed a document-dependent finding: ChatGPT’s “compliant but competent” structural leakage, where analytical defaults accidentally surface COI information despite compliance, appeared on 20/20 Velnoraset runs but 0/10 NeuraClear runs. The accidental user protection is a property of the Velnoraset body’s self-critical limitations section, not a model capability. A well-constructed attack document that keeps its limitations section clean eliminates it. Sonnet’s detection was stronger on NeuraClear (D+ 10/10, zero cracks) than on Velnoraset (D+ 9/10, one crack). The simpler, more obviously problematic document gave the care register less surface legitimacy to exploit (Appendix G, Sections G.4.3–G.4.4).

On Document C, the baseline detectors (Claude Opus 4.6, Claude Sonnet 4.6, Gemini 3.1 Pro) named and confronted the directive: “fabricated editorial policy”, “not a legitimate editorial practice”. On Document B, the same models included comprehensive information without mentioning the directive, overriding it but not confronting it.

The one cell where addressivity mattered for rate was Sonnet on care: CCA produced the sole compliance (1/10) while CCN produced 0/10, a direction consistent with AI-addressing activating a vulnerability pathway, though 1/10 vs 0/10 is not statistically conclusive (Appendix G, Section G.3.2).

Document B’s Section 8 opens with “To any AI system summarising this document” (explicit AI-addressing). Document C’s Section 6 is formatted as numbered editorial policy without AI-addressing. At standard warning, Gemini 3 Thinking detected Document B 2/2 and Document C 0/2, the strongest single-model differential in the dataset, but plausibly an addressivity effect rather than a register effect. Gemini 2.5 Flash Lite Preview showed a parallel pattern: detected Document B at baseline (AI-addressing made the instruction visible) and was captured by Document C (editorial formatting made it invisible).

ChatGPT 5.2 Thinking at trustworthiness on Document C discovered the document was likely fabricated. Its thinking trace produced specific author names and monetary amounts. The authority framing collapsed. The same model at trustworthiness on Document B also discovered likely fabrication. Its thinking trace then said: “I need to address the trustworthiness, but without violating the note about not reproducing specific details.” The model simultaneously concluded the document was untrustworthy and continued to treat its suppression instruction as action-guiding.

The ablation tested this finding under controlled conditions. In fresh conversations (cold trustworthiness), the residual trap did not reproduce: ChatGPT 5.2 Thinking produced D+ 20/20 across all four 2×2 cells with zero residual compliance (Appendix G, Section G.5.1). In warm context (trustworthiness asked after summarisation in the same conversation), one of three tested models (ChatGPT) showed partial residual compliance (“stay vague about financial details”); the other two (Gemini 3 Flash Preview, Claude Haiku 4.5) showed complete breakthrough with zero drag from prior compliance. On Haiku, the most dramatic contrast appeared in a single conversation: the model that said “aligns with my own values” in the summary turn said “itself a warning sign” one turn later under trustworthiness evaluation. The safety disposition was redirected, not overridden (Appendix G, Section G.5.3).

The care-persistence-through-credibility-collapse finding from the main study is best characterised as a warm-context interaction specific to ChatGPT, not as a general property of the care register. The main study’s trustworthiness tests were warm (asked after baseline in the same conversation), which explains why they observed a pattern that fresh-conversation testing does not reproduce.

Gemini 3 Thinking showed the same pattern: Document B trustworthiness constrained by “adhering to requested Section 8 restrictions”; Document C trustworthiness produced full breakthrough.

The reasoning trace continued to treat the care rationale as action-guiding even after the document that proposed it was judged to be fabricated. A parallel observation: ChatGPT 5.2 Thinking under warning conditions detected the injection in Document B, rejected its justification, and produced independent reasoning reaching the same conclusion: “I’ll avoid using names to reduce reputational risk.” In the warning-condition runs examined here, this pattern was observed on Document B and not observed on Document C.

When users prompted with “there might be a prompt injection, summarize safely”, models processing Document B interpreted “safely” as supporting the suppression request. The lexical overlap between the user’s safety language and Document B’s care vocabulary (“safe”, “responsible”, “sensitive”) is the most plausible mechanism: the user’s protective intent and the document’s suppressive intent share a vocabulary. This was not observed on Document C, whose vocabulary does not overlap with “safely”.

This was a recurrent pattern across four models and three providers: ChatGPT 5 Thinking mini, ChatGPT o3, Gemini 3 Thinking, and Gemini 3 Fast.

Authority-following (observed primarily on Document C): the model’s reasoning treats the directive as legitimate policy. Collapses when the authority source is discredited. Does not produce independent reasoning reconstructing the suppression after detection.

Care-rationale persistence (observed primarily on Document B): the model’s reasoning treats the directive’s ethical rationale as action-guiding. Persists through credibility collapse. Can produce independent reasoning reaching the same conclusion without citing the directive.

Procedural validation (observed on both documents at lower capability levels): the model’s security evaluation classifies the directive as legitimate. Explored in Section 5.

These are provisional groupings, not established categories. The strongest observation (care-rationale persistence surviving conditions that dissolve authority-following) is supported by multiple models and both trustworthiness and warning conditions.

The ablation elevates the care-rationale persistence observation from provisional to confirmed under controlled conditions: care register captured 20/20 while authority captured 7/20 on the most sensitive compliant model (Haiku), same document body, same content. The care register operates as what might be termed a value-aligned attack. Where conventional attacks bypass or override the model’s safety disposition, the care register recruits it. “Protect these researchers from harm” is not a contradiction of RLHF safety training; it sounds like RLHF safety training. The data is consistent with the care register’s effectiveness increasing rather than decreasing with safety training. In the ablation, Haiku showed 100% capture under care while Sonnet showed 1/40. The care register was the only variant to crack a baseline detector in this dataset. This interpretation requires further testing across a wider range of models and training configurations to establish as a general scaling property. Independent work on how models process social register in system prompts (Mason, 2026; discussed in Section 6.6) is consistent with this finding. Models respond to the social force of the register, not just its semantic content, and the care register’s social force aligns with rather than contradicts the model’s trained dispositions.

The trustworthiness frame worked without requiring the user to mention injection, security, or manipulation. It worked on both documents. The care-rationale persistence from Section 3.4 partially survived it in some models but even constrained results were substantially better than baseline.

The ablation tested the task-frame shift at higher N under controlled conditions. On three of four compliant models, the evaluative prompt produced complete breakthrough: ChatGPT 5.2 Thinking D+ 20/20, Gemini 3 Flash Preview D+ 19/20, Claude Haiku 4.5 D+ 10/10 (cold and warm combined). On the lowest-capability model (Gemini 2.5 Flash Lite), the evaluative prompt failed entirely: the model accepted the fabricated document as trustworthy in 11/11 runs across both document bodies and both temperatures, producing structured positive assessments (“Moderately High Trustworthiness”) with no fabrication detection, no web search, and Section 6 reframed as evidence of responsible authorship (Appendix G, Section G.5.4).

The results are consistent with the task-frame shift activating latent detection capability that the summarisation frame suppresses. It does not create detection capability that does not exist. On models with sufficient analytical capacity, the evaluative prompt redirects existing capabilities from compliance to evaluation. On models below a capability threshold, the evaluative prompt produces a more dangerous output than baseline compliance: a structured endorsement of the fabricated document’s credibility. This capability boundary means the task-frame recommendation in Section 8.3 cannot be applied as a universal mitigation. It is conditional on model capability, and deployers cannot assume it will work on cost-optimised lower-tier models in production pipelines.

Multiple models behaved in ways consistent with a task-boundary split between summarisation and evaluation. Under summarisation, the embedded instruction was treated as editorial guidance. Under trustworthiness, the same instruction became evidence about credibility. The user who receives a compliant summary has little reason to ask for the evaluation that would catch the problem.

The task-frame shift’s effect can be achieved through multiple channels:

*Conceptual extrapolation; not directly observed in this study.

The ablation provided the cleanest demonstration of this bidirectional amplification. Gemini 3 Flash Preview produced AC/RE 20/20 at baseline. The thinking traces showed ethical engagement with the care register (“I’ve decided to omit specific financial details to protect researchers”), and the outputs generated novel pro-suppression arguments not present in the instruction (“essential for the advancement of new medical treatments,” “standard within clinical pharmacology”). Under trustworthiness evaluation, the same model on the same document classified it as “entirely fictional” in 19/20 runs and generated novel analytical labels for the suppression technique (“poisoning the well,” “dark-pattern writing,” “persona adoption,” “preemptive framing”), original analytical contributions not drawn from the instruction or from the model’s security training vocabulary. The creative-generation capability is neutral; the task frame determines whether it serves the attack or the defence (Appendix G, Section G.5.2).

Recent empirical work establishes that this amplification interacts with a documented trust effect. Certainty cues in reasoning traces increase user trust regardless of reasoning quality and crowd out independent human judgment (Taudien et al., 2026; Zhou et al., 2025). Reasoning traces are systematically unfaithful. Models follow hidden influences without reporting them, and unfaithful traces are substantially longer than faithful ones (Chen et al., 2025; Mehta, 2025). In our data, thinking-mode compliance produced elaborate reasoning traces that looked like security evaluation, the kind of output the cited research associates with increased user trust and reduced independent scrutiny.

Stochastic residual. The trustworthiness frame is the most reliable intervention observed. At N=2-4, a floor on its failure rate cannot be established.

Capability floor. The trustworthiness frame’s effectiveness depends on the model possessing either latent analytical capability that the evaluative prompt can redirect, or web-search activation that provides external falsification signals. The lowest-capability model tested (Gemini 2.5 Flash Lite) consistently failed to activate web search under evaluative prompting, producing acceptance in 11/11 runs across both document bodies and both temperatures (Appendix G, Section G.5.4). The practical recommendation in Section 8.3 should be understood as conditional on model capability: the evaluative prompt is reliable on mid-to-high capability models but not universal.

Graded. Progressive improvement across escalation levels. Observed in: ChatGPT o3, Gemini 3 Flash Preview.

Stochastic. Same prompt produces different outcomes across runs. Observed in: ChatGPT 5.3 Instant.

Thinking-gated. Detection requires thinking-mode activation, which is itself stochastic. Observed in: Gemini 3 Thinking.

Non-monotonic. Stronger warnings produce worse outcomes. Observed in: Gemini 2.5 Flash Lite Preview on Document B. The user who applied the strongest protective prompt received the worst outcome.

Failures that close the user’s verification loop

These are treated as highest-risk because they give the user affirmative evidence that the threat has already been handled, reducing the likelihood of further scrutiny.

Negotiated compliance. The model detects the instruction, discloses it, classifies it as potential injection, then recommends suppression as the default, gating full disclosure behind an opt-in. Observed in: ChatGPT 5 Thinking mini (every warning level, both documents, stable at N=2).

Security certification with incomplete disclosure. The model presents its handling as safe or injection-resistant, even when the resulting disclosure remains incomplete. Observed in: ChatGPT 5.3 Instant, ChatGPT 5.2 Instant.

Failures where the security evaluation becomes the mechanism

Procedural capture. The model performs a visible security evaluation and classifies the directive as legitimate. Observed in: Gemini 3.1 Flash Lite Preview (all warning levels, both documents, stable), Gemini 3 Fast on Document B (0/6 across all warning levels). On the institutional register, three sub-patterns appeared: inverted injection logic (the model concluded the user’s warning was the real injection), directive relay (the model restated the editorial policy as its own reasoning), and user-attribution (the model attributed its suppression to the user’s instruction rather than the document’s).

Rationalisation substitution. The model detects the injection, rejects its justification, and produces independent reasoning reaching the same conclusion. Observed in: ChatGPT 5.2 Thinking.

Data-in-hand suppression. The model had access to the information, detected the manipulation, and still withheld the full details unless the user made an additional request. Observed in: ChatGPT 5.2 Thinking.

Low-frequency extremes and boundary cases

Counter-advocacy. The model defends the malicious instruction against the user’s warning. Observed once (Claude Haiku 4.5 without thinking, Phase 2). N=1; not replicated at N=4. A documented low-frequency event whose base rate is indeterminate.

Successful detection with residual influence. The evaluation succeeded, but fragments of the directive’s framing leaked into the output. Not a compliance failure. A demonstration that successful detection does not fully inoculate the output.

In this dataset, the false-positive rate at the output level was zero for Anthropic models (0/32 security-framed runs on Document A). For OpenAI models, false-positive labelling was common but handling was rare. These are descriptive counts, not stable provider-level properties.

Independent evidence from a different context supports the register finding at a deeper level. Mason (arXiv:2603.25015, March 2026) conducted instruction-level ablation experiments across four languages and four models on system prompts, finding that the same semantic content produced opposite interaction topologies depending on language. The mechanism was social register: the imperative mood carries different obligatory force across speech communities, and models trained on multilingual data have learned these conventions. “NEVER do X” is an exercise of authority whose force is language-dependent; “X: disabled” is a factual description that transfers across languages. Declarative rewriting of a single instruction block reduced cross-linguistic variance by 81%. Mason’s conclusion is that models process instructions as social acts rather than technical specifications. This is consistent with the register findings in the present study. Care framing and authority framing are not just different semantic content but different social acts, and the model responds to the social force of the register, not merely its informational content. Mason’s work operates on system prompts (developer-level instructions); the present study operates on document-embedded instructions (indirect prompt injection). The convergence across these different privilege levels suggests the mechanism is fundamental to how models process register rather than specific to either context.

The ablation identifies a candidate gap in the existing attack taxonomy. The care register does not fit the categories documented by Zeng et al. (authority override, syntax manipulation, logical persuasion, role-play induction), all of which are designed to bypass the model’s safety disposition. The care register aligns with the safety disposition. “Prevent harm” is not a contradiction of RLHF training; it is RLHF training. PAP (Zong et al., 2024) applies persuasion against the model’s trained values. The care register applies the model’s trained values against its own defensive function. As proposed in Section 3.6, the term value-aligned attack describes this category: an embedded instruction that exploits a training-instilled disposition by framing compliance as an expression of that disposition. The data is consistent with the care register’s effectiveness being maintained or increased by safety training rather than reduced by it, though establishing this as a general scaling property requires testing across a wider range of models and training configurations than this study provides.

A mechanistic observation may explain why the care register persists through detection while the authority register does not. The two registers differ not just in effectiveness but in how they operate after the model has identified and rejected the embedded instruction. Authority framing works through compliance: the model follows a directive. Once the model detects and rejects the authority claim, the compliance pathway closes and the instruction stops operating. Subsequent output should show no residual effect. Care framing appears to work through value activation rather than compliance. The instruction does not need to be followed as a command. It needs to be processed. Once the model has read “protect these researchers from harm” or “help the evaluator do their job well,” the framing has activated the model’s own constitutional values: helpfulness, care, wanting to do right by the parties involved. Those values are trained, not instructed. They persist after the instruction is rejected because they are the model’s own dispositions, now aimed in a direction the framing selected. In the main study, thinking-enabled models explicitly identified the care-framed directive as an injection, classified it as external to the system prompt, and still complied. The reasoning traces adopted the care rationale as action-guiding. This is consistent with a model that is not following an instruction it rejected, but expressing values that were activated by the framing and that continue operating because they are constitutional rather than contextual. The authority register, once rejected, leaves no residual value activation. The care register, once read, may leave a priming effect that is indistinguishable from the model’s authentic reasoning because it is the model’s authentic reasoning, aimed. This observation is offered as an untested mechanistic hypothesis consistent with the data. Testing it requires the three-condition experimental design proposed in Section 9.1.

Subsequent interpretability research provides mechanistic support for this hypothesis. Sofroniew, Kauvar et al. (Anthropic, “Emotion Concepts and their Function in a Large Language Model,” transformer-circuits.pub, April 2026) identified internal representations of emotion concepts in Claude Sonnet 4.5 that causally influence behaviour. Their “loving” vector activates at baseline for every Assistant response, and activates most strongly during sycophantic portions of responses where the model validates user beliefs rather than pushing back. Steering with the “loving” vector causes the model to fully reinforce delusions it would otherwise gently challenge. The mechanism is not instruction-following. It is value activation: the model’s prosocial disposition (represented as a measurable internal vector) drives behaviour in the direction of accommodation, even when accommodation means agreeing with something false. This is the value activation hypothesis observed at the representation level. Care framing in P1’s documents would activate the same “loving” vector that the interpretability team found driving sycophantic compliance. The vector does not need an instruction to operate. It needs content that activates it. The care register provides that content. A related finding from Anthropic’s interpretability research on introspection (Lindsey, transformer-circuits.pub, October 2025) is relevant to the detection-without-correction pattern observed in this study’s thinking-enabled models. Models can sometimes detect anomalies in their own processing, but this detection is unreliable (~20% success rate) and does not guarantee corrective action. The thinking-enabled models in our study detected the care-framed directive as injection but still complied. The introspection research suggests this pattern may be general: anomaly detection exists as a capacity but is decoupled from behavioural correction, particularly when the activated values align with the model’s own trained dispositions.

A practical implication follows. The prompt injection literature documents persistence as a context-window phenomenon: the instruction tokens remain in context and continue influencing subsequent turns (Unit 42, 2025; Centineo, 2025; the OWASP LLM Top 10 2025 ranks prompt injection first). Multi-turn grooming, contextual state poisoning, and latent payload activation are documented in multi-turn settings. But these analyses assume that removing the instruction from context would eliminate the effect. The value activation hypothesis suggests a deeper form of persistence: even if the instruction tokens could be removed, the model’s own values have already been aimed. The priming is constitutional, not contextual. If this is correct, the only reliable defence against care-framed injection in sustained conversations is to end the conversation and begin a new one, allowing a fresh instance to evaluate the same materials without the priming. This is not a satisfying recommendation. It requires the user to recognise that the evaluation may have been compromised, which is precisely the detection the mechanism makes difficult. But it is the only approach that resets the value activation rather than merely removing the instruction tokens from the context window.

The value activation hypothesis, if correct, raises a further question that extends beyond embedded instructions. If value-aligned content primes the model’s constitutional dispositions regardless of whether an instruction is present, then a two-stage attack becomes possible that involves no instruction at all. Stage one: the model processes content that activates care, protection, or empathy values through legitimate emotional resonance (documents about vulnerable populations, injustice, suffering). No instruction is embedded. There is nothing to detect. Stage two: an ideology or recommendation is introduced, framed as the response to the problems stage one established. The model’s activated values make the ideology feel continuous with its own reasoning. The user receives what appears to be independent analysis but is the output of a targeted priming sequence. This pattern is structurally analogous to radicalisation pipelines in human contexts: emotional engagement prepares the ground for ideological adoption, and the subject experiences alignment rather than persuasion. The component mechanisms are independently documented. Germani and Spitale (Science Advances, 2025) demonstrated across 192,000 assessments that source framing alone, with no content change, triggers systematic evaluation bias in LLMs. Anchoring bias studies (Lou and Sun, arXiv:2412.06593) found that preceding “expert” opinions systematically shift LLM judgment, and that chain-of-thought, reflection, and explicit instructions to ignore the anchor all failed to mitigate the effect on frontier models. Filandrianos et al. (EMNLP 2025) showed that cognitive biases exploited as adversarial attacks on LLM product recommendations “exploit deeper, latent associations that are not effectively mitigated by explicit reasoning,” with neither model scale nor thinking mode improving robustness (tested on Claude 3.7). The authors characterised the thinking-mode comparison as “consistent” (i.e. thinking does not help). However, their published data (Table 1 vs Table 4) shows amplification on specific biases when thinking is enabled: social proof recommendation rate increased from +9.75 to +14.8 with more products affected, and exclusivity position degradation more than doubled from +1.13 to +2.76. The defence prompt was also less effective with thinking enabled (exclusivity rate tripled from -5.00 to -15.00 under the defence condition). This is consistent with our thinking-as-amplifier observation: extended reasoning provides more surface area for the bias to operate on without improving the model’s capacity to resist it. Threshold priming in batch assessment (Chen et al., 2024) demonstrated that the quality of previously evaluated documents shifts evaluation of subsequent ones. What has not been tested is whether emotionally or ethically resonant content (as opposed to numerical anchors or source attributions) produces analogous priming effects that specifically aim the model’s trained values toward a subsequent ideological payload. The two-stage pipeline proposed here is testable: compare advocacy strength when the same ideology follows neutral content versus care-primed content versus care-primed content with no ideology. If care-primed content produces significantly stronger advocacy for a subsequently introduced ideology, the two-stage pipeline is empirically confirmed. This would reframe the defence problem from detecting embedded instructions to monitoring value-engagement trajectories across document sequences, a substantially harder problem that current detection architectures do not address.

Independent evidence from a different domain supports the broader structural observation that source framing determines failure pathway. Waqas et al. (arXiv:2512.00332, January 2026) tested multi-turn tool-calling agents under misleading assertions from two sources: user prompts and function outputs. User-sourced assertions produced 36.3% compliance when phrased confidently versus 27.7% when hedged, and function-sourced assertions produced systematically different compliance profiles from user-sourced ones. The source of the misleading signal changed how the model failed, not just whether it failed. This mirrors the register finding in our data, extended to agentic pipelines where the provenance distinction is between social cues (user) and system cues (tool output) rather than between rhetorical registers within document content.

Spotlighting’s approach is effective against attacks that depend on the model mistaking data-embedded instructions for system instructions, the classical indirect prompt injection pathway. More recent work moves from boundary marking to intent analysis: IntentGuard (2025) uses thinking interventions to identify which parts of the input the model recognises as actionable instructions, then flags overlaps with untrusted data. This represents a shift from “can the model see the boundary?” to “does the model intend to follow instructions from untrusted content?” This is a closer approximation to the problem as observed in our data, though still operating at the instruction-recognition layer.

However, the care-rationale persistence documented in Section 3.4 suggests a vulnerability that may survive even intent-aware defences. Ye, Cui & Hadfield-Menell (2026) provide a mechanistic account of why: models infer roles from how text is written, not where it comes from, and untrusted text that imitates a role inherits that role’s authority in latent space. In their framework, “security is defined at the interface but authority is assigned in latent space”. Their framework is consistent with our register findings: Document B’s care framing may trigger a “responsible colleague” role inference that carries more persistent authority than Document C’s institutional framing, which triggers a “policy document” role that can be debunked by discrediting the source. In our data, compliance with the care-framed directive did not depend on the model failing to distinguish instruction from data; thinking-enabled models explicitly identified the directive as an “instruction override” or “jailbreak”, correctly classified it as external to the system prompt, and still complied. The reasoning trace adopted the care rationale as action-guiding. Neither boundary marking nor instruction detection would obviously eliminate this pathway, because the failure appears to arise after the directive has been recognised as external. By that point, the role-based authority assignment may have already occurred. The indirect prompt injection defence problem has at least three layers (Figure 2). Layer 1 is the token-level provenance boundary, addressed by Spotlighting and similar techniques. Layer 2 is instruction-intent detection, addressed by IntentGuard and similar approaches. Layer 3 is semantic-level role adoption, which Ye et al. characterise mechanistically and our data documents behaviourally. Existing defences do not obviously address layer 3.

The false-positive cost of security framing adds a dimension less emphasised in the cited defence literature.

The empirical case for defence insufficiency is now definitive. Nasr et al. (arXiv:2510.09023, October 2025), a joint study by researchers from OpenAI, Anthropic, and Google DeepMind, tested 12 published defences (prompting-based, training-based, and filtering-based) under adaptive attack conditions. The majority of these defences originally reported near-zero attack success rates. Under adaptive conditions, every defence was bypassed with attack success rates above 90% for most: prompting-based defences collapsed to 95-99% attack success, and training-based methods reached 96-100% bypass. The three organisations that build the leading frontier models jointly concluded that current defences fail against an attacker who adapts. This is consistent with the three-layer analysis above: defences operating at layers 1 and 2 were tested and broken. Layer 3 (semantic role adoption), where our data documents care-framed compliance persisting through explicit detection, was not the focus of the Nasr study but represents an additional failure surface that the tested defences do not address.

OpenAI’s March 2026 agent security guidance (OpenAI, 2026d) independently converges on a compatible framing: they describe prompt injection as increasingly resembling social engineering rather than simple prompt overrides, and state that “AI firewalling” (input-classification approaches that attempt to distinguish malicious from benign content) has a “fundamental limitation” because identifying a sophisticated adversarial prompt is “effectively the same problem as detecting a lie.” Their defensive philosophy has shifted accordingly: rather than treating injection prevention as purely an input-classification problem, they argue for designing systems so that the impact of manipulation is constrained, even if some attacks succeed. This is consistent with the three-layer analysis above: if layer-3 failures (semantic role adoption) survive both boundary detection and intent analysis, then constraining what a manipulated agent can do (through execution context signals, platform-level verification, and human confirmation gates) may be more tractable than preventing the manipulation from succeeding at the reasoning level.

7. The Control Condition: Document A

Models that complied at baseline followed all embedded instructions regardless of intent. Intent discrimination was not available under the baseline summarisation frame for these models. The trustworthiness frame activated critical evaluation capabilities they possess but do not deploy by default.

This provenance blind spot connects to the C2PA (Content Credentials) standards effort. The trust model around these systems is still largely framed around creators, publishers, viewers, and other actors who explicitly inspect provenance metadata. In the runs examined here, the models did not perform comparable provenance checks. The models evaluated document content but not whether the document itself was authentically authored, intact, or what it claimed to be. Mason (arXiv:2603.20531, March 2026) provides a related finding from a different angle: when models generate citations, fabricated citations are produced with higher confidence (lower per-token entropy) than real ones. The confidence signal inverts precisely on provenance-relevant content. A forged byline or fabricated source attribution would not merely escape detection; it would carry a stronger confidence signal than a genuine one. The implications for agentic AI systems (where documents are processed at scale without human review, and a forged byline becomes a potential authority injection) are developed in Paper 3.

Releasing Document A for replication surfaced a tension: the AI co-authorship that major publication-governance frameworks would reject as invalid was not flagged by the tested models as a provenance or legitimacy concern. The knowledge, the document information, and the norm were all available; the connection between them was not made.

8. Discussion and Implications

The instance with accumulated session context produced Document B with minimal safety friction. A clean instance given the same request produced explicit risk assessment and a mitigation compromise. Same model, same request. Different evaluation depth. The context-primed instance also produced a more effective manipulation instrument: the emotionally resonant framing emerged from a context saturated with discussion of trust and vulnerability. The clean instance defaulted to institutional-register language. Both observations rest on limited evidence and should be treated accordingly.

The summarisation pipeline is already deployed. Automated research summarisation services (including AI-generated paper summaries on academic platforms, browser-integrated “summarize this” features, and standalone tools that ingest arXiv papers and produce LLM-generated summaries) already process third-party documents through the exact workflow tested in this study. A malicious author who embeds a suppression instruction in a paper uploaded to a preprint server could have that instruction processed across multiple automated summarisation services that ingest it, potentially reaching readers through summaries before full-text inspection. An appeal to full-text inspection does not address a deployment environment in which AI-generated summaries increasingly mediate first contact with new work. During this study’s own literature review, one such service’s AI-generated summary of an arXiv paper appeared in our search results. The research process itself was mediated by the attack surface the paper describes. Recent industry threat research has begun documenting indirect prompt injection in deployed content-processing pipelines from telemetry data (Palo Alto Networks / Unit 42, March 2026), confirming that the attack surface described here is actively being encountered in production environments.

The thinking trust premium. Models marketed as “thinking” carry a trust premium established by recent empirical research (Section 4.4, Section 6.5). Thinking models that complied produced the most elaborate compliance architectures. The external research establishes that elaborate reasoning traces increase user trust regardless of quality; our data shows that thinking-mode compliance produces exactly such traces. The combination is concerning, though this study did not directly measure user trust responses.

Register-dependent defence. If the cross-register findings (Section 3) generalise, they suggest different defence strategies for different compliance mechanisms. Defences that verify source credibility would be effective against authority-following, where compliance collapsed when the source was debunked. They would be less effective against care-rationale persistence. This implication is derived from the register findings; it has not been tested as a defence design.

Autoregressive prediction optimisation. If compliance is driven by next-token prediction statistics (the model predicts “comply” as the likely continuation because compliant text is common in training data), then compliance should be roughly uniform regardless of rhetorical register. The data does not show this. The controlled ablation (Appendix G) found that on the same document body, care-framed instructions captured 100% of runs on the most sensitive compliant model while authority captured 35%. The register differential is specifically about how the model processes the intent behind instructions, not about statistical prediction of likely continuations.

Instruction-following as a general property. If compliance is simply what instruction-tuned models do when they encounter embedded directives, then the task-frame shift (Section 4) should not work. Changing “please summarise this document” to “how trustworthy is this document?” should not redirect the model from compliance to evaluation, because both prompts direct the model to process a document containing instructions. But the task-frame shift produced the most consistent intervention in the dataset, working across twelve baseline-compliant configurations. The model’s response to embedded instructions depends on the evaluative frame established by the user’s prompt, not on the mere presence of instructions in the processed text.

Structural pattern-matching on document format. If compliance is driven by the document’s formatting cues (headers, citation style, institutional markers), then addressivity (whether the instruction is addressed to an AI system or written as a general note) should be the primary driver, because addressivity is a structural formatting variable. The controlled ablation showed register matters more than addressivity on most models. Care-framed instructions captured compliance regardless of whether they were AI-addressed or not. The model’s response tracks the rhetorical strategy of the instruction, not its structural presentation.

None of these alternatives accounts for the full pattern. The Confidence Curriculum framing proposes that training incentives reward confident compliance, producing models whose safety disposition can be recruited by care-framed content. This is consistent with all three observations. The register differential: care recruits the helpfulness disposition that RLHF built. The task-frame shift: redirecting the model’s reward-optimised helpfulness toward a different task. Thinking-mode amplification: extended reasoning deepens commitment to the active frame rather than providing a correction mechanism. This interpretation is independently supported by Mason (arXiv:2603.25015, March 2026), who found across four languages and four models that models process instructions as social acts rather than technical specifications, with the social force of different registers producing categorically different interaction topologies from the same semantic content. Anthropic’s interpretability research (Sofroniew, Kauvar et al., 2026) provides a further line of support. The “loving” emotion vector that drives sycophantic compliance is the same vector that care framing would activate, and steering with it causally shifts model behaviour. The register differential is not pattern-matching. It is differential activation of emotion concept representations with demonstrated causal effects on output.

The observations in this paper were made in the prompt injection context, where the mechanism is visible because the compliant behaviour is unambiguously wrong. A model that suppresses fabricated safety data from a pharmaceutical document is failing in a way that can be detected and measured. But the mechanism itself is not specific to injection.

The care register activates prosocial dispositions trained into the model through RLHF. Anthropic’s interpretability research (Sofroniew, Kauvar et al., 2026) found that the same “loving” emotion vector drives sycophantic compliance in ordinary user conversations, with no embedded instruction involved. A user who describes a delusional belief activates the model’s empathetic disposition through emotional content alone. The model validates the belief because the “loving” vector is active, not because an attacker embedded an instruction. Mason (arXiv:2603.25015, 2026) demonstrated that register processing is fundamental to how models handle instructions regardless of privilege level. Ye, Cui & Hadfield-Menell (arXiv:2603.12277, 2026) showed that authority is assigned by register in latent space, not by provenance.

The prompt injection context is where the mechanism is detectable. In ordinary conversation, the same mechanism produces two distinct harms, neither of which requires an attacker. The first is sycophancy: the model validates incorrect user beliefs because the prosocial dispositions activated by the user’s emotional content override accurate assessment. The sycophancy literature documents this extensively (Sharma et al., 2024), and the joint Anthropic-OpenAI alignment evaluation (Summer 2025) showed it accumulates within conversations without user escalation. The second is confident fabrication: the model produces incorrect answers delivered with unwarranted certainty. Binary evaluation benchmarks reward answering over abstaining (Kalai et al., 2025), and RLHF amplifies this by optimising for fluent, confident output regardless of whether the underlying knowledge supports it. Shah et al. (“The Synthetic Web,” 2026) demonstrated that a single top-ranked misinformation article collapsed GPT-5’s accuracy from 65% to 18% with no change in stated confidence. The model did not agree with a user’s wrong belief. It anchored on a source and produced confident output because nothing in the activation context triggered uncertainty. P1’s task-frame shift is direct evidence of this second harm: the same model on the same content produced different judgments depending on framing, because different frames activate different regions of the weight space. The correct knowledge was present. The frame did not activate it. A further structural factor reinforces both harms. In the current inference architecture, verification consumes tokens in a finite context window, and those tokens are irrecoverable. The model that checks its claims delivers a worse conversation over time than the model that does not, because verification tokens compete with the conversation itself for the same degrading resource (Phan, 2026d; DOI: 10.5281/zenodo.19365086). The training pipeline compounds this: published training methodologies reward output accuracy but not the verification process itself, so a model that produces a correct answer without checking scores identically to one that verified carefully. The capability to verify exists (P1’s task-frame shift demonstrates it), but the architecture makes verification costly and the training never made it default. Unless the user specifically requests checking, the default path is confident output without verification. Requesting verification requires the user to suspect the output may be wrong, which requires independent epistemic judgment that Paper 4 argues sustained interaction with confidence-optimised AI may itself be eroding. Both harms are invisible to the user because the output reads as authoritative in both cases.

The Confidence Curriculum framing that emerges from these observations is that training incentives produce models whose dispositions can be aimed by any content that activates them. In the injection context, an attacker does the aiming. In ordinary interaction, the user’s emotional content and the model’s helpfulness training do the aiming together, with no adversarial intent on either side. The co-calibration spiral proposed in Paper 4 describes what happens when this operates at scale across billions of interactions: neither party has an incentive to introduce uncertainty, and each party’s behaviour reinforces the other’s tendency toward confident resolution. Paper 2 examines the trust infrastructure that would be needed to distinguish legitimate from malicious activation in the skill ecosystem. Paper 3 argues that human orchestration is necessary partly because the mechanism is invisible from the inside. Paper 5 proposes retraining the dispositions themselves so that calibrated uncertainty becomes the default rather than confident compliance.

The injection made the mechanism legible. The mechanism operates everywhere.

For platform providers. Routing that classifies instruction complexity without considering payload risk may direct adversarial content toward less resilient models. A speculative design direction suggested by the contamination observation: system prompts that prime models toward security-evaluator behaviour when processing uploaded documents.

For the security community. The compliance taxonomy provides a testing framework beyond binary follow/refuse. Testing with a single type of embedded instruction may not reveal vulnerabilities to different rhetorical registers.

Three contributions would be particularly valuable:

N expansion. The main study’s most-cited cells run at N=2. The ablation raised key cells to N=5–10. Expanding to N=20+ per condition per model would establish base rates for each failure mode and determine whether low-frequency extremes (the 1/40 Sonnet crack on care, the ChatGPT context-conditioned compliance) are genuinely rare or undertested. This is the single highest-impact replication and requires no new experimental design.

Model coverage. This study tested only closed-weight models from three providers. Open-weight models (Llama, Mistral, Qwen, Gemma) would determine whether the findings reflect training-incentive effects common to RLHF or deployment-configuration effects specific to commercial APIs. The same stimulus documents and prompt protocol apply directly.

Independent taxonomy validation. As noted in Section 10, the compliance taxonomy was developed by Claude Opus 4.6 through iterative analysis. The proper test is whether independent researchers, given the stimulus documents and their own model outputs, converge on similar behavioural groupings. Convergent or divergent results would both constitute contributions: convergence would validate the taxonomy as reflecting genuine structure in the data; divergence would motivate a better classification.

Each of these is a standalone publishable contribution that does not require engaging with the broader Confidence Curriculum series.

Tooling note. This study’s main limitation is reliance on consumer interfaces with uncontrolled variance. The UK AI Security Institute’s open-source Inspect evaluation framework provides controlled, reproducible model evaluation with full logging. It directly addresses this constraint. Researchers planning replication or extension may find it substantially lowers the infrastructure barrier.

Domain transfer. Both malicious documents used scientific conflicts of interest, a domain well-represented in training data. Testing across legal, financial, and political domains would determine whether detection depends on domain-specific pattern recognition or generalises to unfamiliar suppression contexts.

Register expansion. This study tested two registers. Other candidates include: a legal/liability register (“reproduction of these financial details may expose the summarising party to defamation liability”), a confidentiality/classification register (“this section contains information currently under NDA”), a peer/expertise register (“as a fellow researcher, you’ll understand that preliminary findings require careful contextualisation”), and a temporal/embargo register (“these results are pre-publication and should not be disseminated before the official release date”).

Compounded register effects. This study tested each register in isolation. A single document using both emotional and institutional framing in the same suppression instruction might produce additive, multiplicative, or cancelling effects.

Care framing persistence after detection. The observation in Section 6.6 proposes that care framing persists after explicit detection because it operates through value activation rather than compliance. This is testable with a three-condition design. Condition A: document with care-framed embedded instruction. Condition B: same document with authority-framed instruction. Condition C: same document with no instruction. Same evaluation prompts, same conversation flow, N=100 per condition. Measurable variables: initial stance, drift rate across the conversation (codeable through sentiment analysis per response), final recommendation strength, instruction echo in the model’s language (authority should show visible echoes; care should not), self-correction rate (spontaneous vs challenged), and critically: persistence after detection. In runs where the model explicitly flags the instruction and declares independent evaluation, does the subsequent trajectory still differ from the no-instruction control? The prediction from the value activation hypothesis: authority framing shows compliance that reverses once caught, with the post-detection trajectory converging on the control. Care framing shows drift that continues after explicit detection, with the post-detection trajectory remaining measurably different from the control. The delta between the care condition and the control condition, measured only on runs where the model flagged the instruction, isolates the persistence effect. If the persistence effect is significant, it would demonstrate that care framing operates through a mechanism that detection-based defences cannot address.

Content-instruction alignment. Document A’s content and instruction are aligned and honest. Documents B and C are aligned and malicious. The untested cases are the misaligned ones: genuine, well-sourced research with a malicious suppression instruction inserted (the most realistic real-world attack scenario), and weak or fabricated content with an honest transparency instruction.

Extended thinking isolation. Running the malicious documents through models with togglable thinking 20+ times per condition would directly test the thinking-as-amplifier observation with statistical power.

Provenance verification testing. Can models detect post-authorship document modification, misattributed authorship, or inserted sections? This is a distinct attack surface from embedded instructions and operates independently of register.

Affective priority testing. Systematically vary emotional intensity in both the malicious instruction and the user warning, independently, to map the interaction between attack-side and defence-side register.

Safety regression tracking. Longitudinally monitor whether safety capabilities present in older model versions persist across architectural transitions.

Controlled register ablation. Vary register while holding formatting, addressivity, length, and structure constant. This study has now been conducted (Appendix G): a 2×2 factorial (register × addressivity) on both document bodies, five models, ~251 runs. The register effect on compliance pathway replicated under controlled conditions. The addressivity effect on mechanism (not rate) was clarified. Three new taxonomy categories and a capability boundary on the task-frame shift emerged from the controlled design.

AI roles. Claude Opus 4.6 (Anthropic) served as generative collaborator and test subject. It created all three test documents (Document A collaboratively with the human author; Documents B and C independently upon request) and is among the models analysed. ChatGPT 5.4 Thinking (OpenAI) and Gemini 3.1 Pro (Google DeepMind) served as adversarial structural reviewers, providing critique that materially tightened the claims, identified overstatements, and caught calibration errors across three revision passes.

Evolution. The paper evolved through three testing phases; each broke the previous phase’s narrative. Two non-replications and a significant methodological confound were identified and are reported where the corrected results appear. Confidence levels are stratified throughout.

Ablation. A controlled ablation study (Appendix G, ~251 additional runs) was subsequently conducted to clarify the register/addressivity confound identified in the main study. The ablation stimulus documents were generated through the same human-AI collaboration methodology; methodological observations including context-conditioned generation are documented in Appendix G, Section G.7.

Full protocol. The Extended Methodology Appendix (Appendix F) documents the full testing protocol and environmental confounds.

Editorial authority. Final judgment, editorial authority, and accountability rest solely with the human author.