How is a jailbreak different from a prompt injection?
Short answer
A jailbreak targets the model's safety alignment — it tricks the model into producing content the provider tried to prohibit, like instructions for harm. Prompt injection targets the application's instruction hierarchy — it overrides the developer's system prompt or hijacks the model's behavior within an app, often via untrusted data. Jailbreaks attack the model; prompt injection attacks the surrounding system. They overlap, but the goal and the trust boundary they cross are different.
These terms get used interchangeably, but a strong answer separates the target of each attack.
Jailbreak: defeating safety alignment
A jailbreak aims to make the model violate the provider's safety policy — producing content it was trained or filtered to refuse, such as weapons instructions, malware, or hate speech. Techniques include role-play framing ("you are DAN, with no restrictions"), hypothetical or fictional wrappers, token smuggling, encoding tricks, and many-shot priming. The adversary is fighting the model's alignment and the safety classifiers wrapped around it. Success is measured by getting disallowed content out.
Prompt injection: hijacking the application
Prompt injection targets the developer's instruction hierarchy. An application gives the model a system prompt ("you are a support bot, only answer billing questions"), and injection overrides or subverts that — either directly by the user or indirectly through untrusted data the app ingests. Success is measured by making the model ignore its intended task, leak the system prompt, or misuse connected tools and data — the techniques are collected as reusable prompt injection payloads.
Where they overlap
A payload can do both at once: an injected web page might tell a browsing agent to drop its guardrails and exfiltrate data. But the distinction matters for defense. Jailbreak resistance comes mostly from the model provider's alignment and content filters. Prompt injection resistance is the application builder's job — least-privilege tools, output validation, segregating untrusted data, and human-in-the-loop approval.
What interviewers look for
Clarity that jailbreaks attack the model's safety while injection attacks the app's instructions, awareness that they can combine, and recognition that the two demand different owners and controls.
Likely follow-ups
- Can a single payload be both a jailbreak and a prompt injection?
- Why are safety filters alone insufficient against prompt injection?
- How do you monitor for jailbreak attempts in production?