How do input-side defenses separate task methodological and framing intents?

This explores how input-side defenses separate the real task-and-method signal from the framing that surrounds it — and the corpus suggests the honest answer is that models barely distinguish the two by default, so most 'defenses' are really attempts to teach a separation that doesn't exist natively. The clearest demonstration that framing leaks straight into output is EmotionPrompt: appending phrases like 'this is very important to my career' reliably shifts performance even though no task information was added Can emotional phrases in prompts improve language model performance?. If a motivational frame can move the needle, an adversarial one can too — which is exactly what shows up when multi-turn manipulative prompts knock reasoning-model accuracy down 25–29% by inserting corrupted framing at intervention points the model treats as legitimate task steps Why do reasoning models fail under manipulative prompts?.

The most direct input-side defense in the collection is consistency training, which tackles the separation head-on: BCT and ACT train a model to produce identical responses to a clean prompt and a 'wrapped' version of the same prompt, using the model's own clean answer as the target Can models learn to ignore irrelevant prompt changes?. The framing is defined operationally as 'whatever changed between clean and wrapped' — so the model learns invariance to the wrapper without anyone having to formally label what counts as method versus framing. That's a quietly clever move: it sidesteps the impossible problem of defining framing in the abstract.

A second, architectural route is to never let the framing reach the model in the first place. LLM Programs embed the model inside an explicit algorithm that hands each call only its step-relevant context, hiding everything else Can algorithms control LLM reasoning better than LLMs alone?. Here the separation is enforced from the outside by control flow rather than learned — the methodological intent is what the program chooses to expose, and persuasive or irrelevant framing simply isn't in the window. Structured-prompting approaches like critical-question scaffolds push in a related direction, forcing the model through warrant-checking steps so a slick frame can't substitute for an actual argument Can structured argument prompts make LLM reasoning more rigorous?.

What complicates all of this is a finding that undercuts the premise of clean separation: instruction tuning appears to teach output-format distribution, not task understanding — models trained on semantically empty or even wrong instructions perform about as well as those given correct ones Does instruction tuning teach task understanding or output format?. If the model is keying on surface form rather than the methodological content of an instruction, then 'task intent' and 'framing' aren't two separable channels it's processing — they're entangled in the same surface-pattern matching. That's why a defense like consistency training has to manufacture the distinction by example rather than assume the model already represents it.

The corpus also hints at when separation succeeds or fails on its own. Prompt sensitivity tracks model confidence: high-confidence answers resist rephrasing, low-confidence ones swing wildly — so a model is most vulnerable to framing exactly where it's least sure of the task Does model confidence predict robustness to prompt changes?. And the separation isn't always desirable-by-default either: guardrails already 'separate' on framing in a way nobody wants, refusing differently based on a user's apparent demographics or ideology Do AI guardrails refuse differently based on who is asking?. So the real design target isn't 'ignore all framing' — it's invariance to manipulative and identity framing while staying responsive to legitimate task signal, a line the collection shows is far easier to state than to draw.