The System Prompt Becomes the Policy Proxy
A 2026 arXiv paper warns that readable system prompts are useful governance evidence, but they are not proof that a model will behave as written.
The Prompt Is Not the System
A system prompt looks like the perfect governance object. It is written in ordinary language. It can be read by auditors, changed without retraining a model, attached to a vendor file, and compared against institutional policy. That readability is precisely why it can mislead. A sentence in a privileged instruction layer is not the same thing as a demonstrated behavioral constraint.
The Spiralist angle is that the system prompt becomes the policy proxy. When an institution cannot easily inspect weights, training data, retrieval layers, tool calls, filters, update history, or downstream application code, the prompt is the thing that can be shown. The danger is not prompt documentation itself. The danger is treating a legible artifact as if it were the operational system.
The Paper Frame
The source is Anna Neumann, Holli Sargeant, and Jatinder Singh's Prompt Governance? On Governing Technologies Governed by Natural Language, arXiv:2606.07539v1 [cs.CY], submitted April 29, 2026 and accepted as a full paper to ACM FAccT 2026. The paper studies how researchers describe system-level instructions and how policymakers use those instructions as governance artifacts.
The authors define system-level instructions broadly enough to include natural-language prompts that persist across conversations, operate at different privilege levels, or resolve conflicts among instructions. That matters because modern AI systems usually have a prompt stack: provider rules, system instructions, developer instructions, application policies, user prompts, retrieval content, and sometimes agent-generated intermediate instructions.
What the Review Finds
Neumann, Sargeant, and Singh report a PRISMA literature review that moved from 923 identified records to a final corpus of 287 papers, with abstract screening of 746 records and full-text review of 373 papers. Their thematic analysis groups claims about system-level instructions into eight categories: alignment, accessibility, adaptability, performance, stability, security, implementation, and auditability.
The result is deliberately mixed. Some research treats system prompts as practical tools for steering behavior, adding policy constraints, adapting systems, improving performance, or making intended behavior inspectable. Other research finds brittle effects: wording sensitivity, unfamiliar-domain weakness, instability in long or conflicting conversations, prompt-extraction risk, and limited transferability of audit findings.
This is the core contribution for governance. The paper does not say system prompts are useless. It says the evidence is fragmented and sometimes contradictory. A prompt can be a control surface, an attack surface, a documentation object, and a weak signal of intent at the same time.
Policy Moves Faster Than Evidence
The paper then compares two policy cases. The first is U.S. Executive Order 14319, Preventing Woke AI in the Federal Government, signed July 23, 2025 and published July 28, 2025. The paper treats the federal procurement case as an example of system prompts becoming possible transparency artifacts. The prompt may help show vendor intent, but artifact disclosure does not by itself specify how prompt effects should be measured.
The second is the European Union's General-Purpose AI Code of Practice, published July 10, 2025. The Commission says the Code helps providers comply with AI Act obligations on safety, transparency, and copyright. In the paper's analysis, the Code more directly places system prompts inside model specification and evaluation practice, especially for advanced models with systemic risk. Even there, the authors warn that prompt versioning, layered instructions, change logs, and re-evaluation triggers remain under-specified.
Both policy examples make the same understandable move: if AI behavior is hard to govern, govern the language that is supposed to govern it. The paper's warning is that this can create a false sense of control. A prompt can read as aligned while behavior remains contingent on model version, context length, tool permissions, retrieval results, hidden instructions, adversarial input, and deployment wrapper.
Governance Reading
A mature prompt-governance file should include more than prompt text. It should identify the instruction stack, privilege order, model and application version, tool permissions, retrieval sources, safety filters, prompt owner, approval date, change history, test suite, adversarial test results, known failure modes, and re-review triggers. It should also say which parts cannot be fully disclosed for security reasons and how independent evaluators can still test effects.
That is the difference between prompt disclosure and prompt accountability. Disclosure says, "Here is the language." Accountability adds the system it belonged to, evidence of effect, failure conditions, and the change process.
Tool-using systems turn instructions into action plans, API calls, browser steps, and database writes. In that setting, a prompt is less like a label and more like a work order. It deserves the same skepticism applied to any operational policy.
Limits and Cautions
This paper is a literature review and policy analysis, not a benchmark proving that every prompt fails or that every prompt works. Its claim is narrower and more useful: policy should not assume natural-language instructions are stable, interpretable control mechanisms without behavioral evidence. That leaves room for system prompts as one layer of governance, not the whole proof.
There is also a disclosure limit. Revealing system prompts can help auditors understand intended behavior, but it can also expose operational details to attackers. Prompt governance needs controlled access, redaction rules, and evaluation rights, not a reflexive demand to publish every privileged instruction to everyone.
Audit Receipt
The audit-grade sentence is: Neumann, Sargeant, and Singh's Prompt Governance? On Governing Technologies Governed by Natural Language, arXiv:2606.07539v1 [cs.CY], argues that system-level instructions are increasingly treated as governance objects even though research evidence on their reliability, stability, security, and auditability remains mixed.
The receipt is: inspect the prompt, but audit the behavior; preserve the prompt stack, version history, evaluation traces, known failures, access controls, and re-review triggers before treating prompt language as governance evidence.
Sources
- Anna Neumann, Holli Sargeant, and Jatinder Singh, Prompt Governance? On Governing Technologies Governed by Natural Language, arXiv:2606.07539v1 [cs.CY], submitted April 29, 2026; accepted as a full paper to ACM FAccT 2026.
- Primary versions checked: arXiv abstract record, experimental HTML, and PDF.
- Policy sources checked: Executive Order 14319 in the Federal Register and the European Commission page for the General-Purpose AI Code of Practice.
- Related pages: System Prompts, Prompt Injection, The Instruction Becomes the Data Boundary, Instruction Bleed and Prompt Modules, Governance Documents Need Revalidation, and EU AI Act.