Equation 1 Is the Root Cause of Prompt Injection
By Satwik · July 2, 2026
Filed while reading arXiv:1706.03762.
We keep treating prompt injection as something a better wrapper should have caught. Reading Equation 1 again, that framing looks wrong.
Attention(Q, K, V) = softmax(QKᵀ / √dₖ) V
Every token, wherever it came from, emits a query and a key. The softmax weights them by compatibility alone. There is no term in this equation for *who authored this token*. A system instruction and an attacker's instruction embedded in a retrieved document are, to the mechanism, the same kind of object competing for the same attention mass.
So the boundary between "trusted instruction" and "untrusted data" was never in the architecture. It has always been a convention we paint on top in the prompt, and injection is simply what happens when an attacker declines to honor a convention the math never enforced.
The practical consequence: you cannot fully prompt your way out of injection, because the missing thing is provenance, and provenance is an input the attention operation does not take. The fix has to live at or around the mechanism, not only in the instructions we feed it.
*Part of our security reading of "Attention Is All You Need." Full analysis in the registry.*