Research Briefs

Condensed summaries for decision-makers and governance leads.

For Decision Makers

Executive Brief: System Prompts as Governance Artifacts

Executive Summary

System prompts in AI developer tools are commonly treated as implementation details, but in practice they function as governance artifacts: they allocate authority between user intent and policy, bound permissible actions, constrain what the assistant may claim about workspace state, and define correction and termination behavior.

This work applies prompt forensics: a schema-based, cross-mode comparison of system prompts used by IDE and CLI developer assistants. We treat each interaction mode (e.g., ask/plan/agent, plan vs build, exec vs review) as a distinct constitutional variant that reallocates autonomy and permissible side effects.

Key Findings

  • Tiered autonomy via modes: Authority and permissible side effects are consistently partitioned by mode rather than treated as a single, uniform capability set.
  • Tool calls as enforcement boundaries: Tools are the dominant action surface; prompts encode procedural obligations for tool use, not only access control.
  • Visibility minimization as a risk lever: Prompts treat partial observability, memory policies, and bounded context as governance mechanisms to reduce overreach and long-horizon drift.
  • Conservative change and integrity doctrines: Many regimes encode explicit safeguards against unintended workspace changes, including stop-and-ask triggers and restrictions on destructive operations.
  • Separation of capability from permission: Tools may exist while specific outcomes remain forbidden; prompts explicitly constrain what the assistant is allowed to do despite apparent capability.

Risks Addressed

This work maps prompt-encoded governance controls to concrete operational risks for tool-mediated agents:

  • Autonomy drift: Addressed by mode-tiered autonomy and explicit stop conditions.
  • Workspace corruption: Addressed by conservative change doctrines and read-before-edit rules.
  • Instruction leakage: Addressed by explicit confidentiality constraints.
  • Ungrounded claims: Addressed by state minimization and requirements for tool-grounded inspection.

Implications

Treat governance as an explicit architecture layer. System prompts already encode operational boundaries; making those boundaries first-class (and versioned) improves clarity about decision rights, side effects, and stop conditions.

For Board & Governance

Board Brief: A Governance Control Gap in AI Tools

Key Takeaways

  • System prompts are not “setup text”: They act as hidden rules that control what an AI tool can see, do, and refuse.
  • Controls can be standardized: Repeated governance patterns exist across vendors, meaning this is manageable and auditable.
  • Practical Risks: Unintended repository changes, uncontrolled autonomy, and leakage of internal rules are immediate concerns.
  • Leadership Action: Treat prompts and modes as governed assets with visibility, versioning, and kill-switch clarity.

The Issue

A “system prompt” is the instruction layer that defines how an AI tool should behave. In AI developer tools, these prompts function like governance rules: they allocate decision rights, limit access, and define when to stop and ask a human. These rules are usually invisible, creating a board-level control gap where significant operational authority exists without consistent oversight.

Recommended Leadership Actions

  • Require prompt and mode transparency from vendors for any tool that can modify files or run commands.
  • Establish versioning and approval for governance changes (prompt updates, tool permissions).
  • Align agent authority tiers to risk appetite: define which modes are allowed for which repositories.
  • Mandate escalation and kill-switch clarity: define when the assistant must stop and how to halt execution.
  • Add audit hooks: ensure logs can distinguish human intent, tool actions, and refusals.