@davidgerard I really don’t understand this. Unlike most prompt injection issues (which are intrinsic to how the models work internally) this one is entirely fixable at the tokenisation stage. The only explanation that makes sense to me is that they don’t want politicians to say ‘you fixed these prompt injection attacks, so you must be able to fix all of them and we are going to mandate in AI safety laws that models are not subject to prompt injection and that sellers are liable for all damage done as a result’. Which would, of course, kill their ability to sell these things.

And even that, I can see backfiring because it’s easy for sanity advocates to argue that Google is unwilling to fix this and so regulation is necessary, and then later point out that regulations typically don’t name explicit exploit techniques and so the thing that requires liability is the broad category of prompt injection.