LLMs are vulnerable to prompt injection attacks because they learn to recognize the style of text in role/instruction blocks rather than the tags themselves. This leads to role confusion, allowing attackers to inject prompts that subtly alter the model's behavior. The vulnerability arises from the model's failure to maintain clear role boundaries, making injection defense a continuous challenge.
