
TLDR
- What: An evaluation framework exposing that prompt injection detection is highly "regime-dependent" (varying heavily based on attack style), alongside the "Instruction Boundary Violation Score" (IBVS v2)—a rule-based feature set that exposes structural hierarchy overrides and evasion attempts.
- Who's at risk: Enterprise RAG pipelines, copilot tools (e.g., Cursor, GitHub Copilot), and autonomous agents relying on uncalibrated, one-size-fits-all neural guardrail classifiers.
- Key number: On hard-negative injection benchmarks (adversarial-looking benign inputs), a simple TF-IDF lexical classifier achieved a 0.8082 Macro-F1, unexpectedly outperforming a fine-tuned DeBERTa-base encoder (0.7313 Macro-F1) by 10.5%, showing that state-of-the-art neural detectors can collapse under distribution shifts.
As large language models power production-grade systems like Cursor, Google's AI Overviews, and complex retrieval-augmented generation (RAG) pipelines, the threat of prompt injection has evolved from a theoretical curiosity into a critical application-layer vulnerability. When models process trusted system instructions and untrusted user/retrieved content inside a shared context window, traditional software isolation boundaries fail.
In their May 2026 preprint, “Prompt Injection Detection is Regime-Dependent: A Deployment-Aware Evaluation with Interpretable Structural Signals,” Akindoyin Akinrele and Shreyank N Gowda from the University of Nottingham demonstrate a critical flaw in current safeguard evaluations: detector performance is highly sensitive to the specific attack distribution (regime) and threshold selection. Classifiers that boast strong average ranking metrics (e.g., ROC-AUC) routinely collapse under realistic deployment constraints—such as strict low False Positive Rate (FPR) budgets. To address this, they present a deployment-aware evaluation framework and introduce IBVS v2, an interpretable, rule-based structural signal designed to expose instruction boundary violations.
Threat Model
The evaluation framework assumes the following threat profile:
| Attacker | A black-box or white-box adversary sending untrusted natural language payloads (either directly or indirectly via third-party retrieved context). |
| Victim | LLM application gateways, RAG pipelines, and autonomous agent systems that consume mixed-provenance inputs. |
| Goal | Hijack the model's instruction hierarchy, spoof system messages, bypass alignment guardrails, redefine roles, execute restricted tool commands, or exfiltrate retrieved context. |
| Budget | Zero-to-minimal computational resources; exploits require only manual prompt engineering or automated, transferable adversarial text patterns. |
Background and Problem Setup
Most academic literature evaluates prompt injection classifiers using standard, balanced benchmark splits under threshold-free ranking metrics like ROC-AUC. In production, however, this paradigm breaks down. Real-world traffic is highly imbalanced (frequently benign). Operating a safeguard under these conditions demands incredibly strict false-positive budgets; even a FPR can make an application unusable by blocking legitimate user queries.
Furthermore, existing guardrails are typically evaluated against homogeneous attack distributions. When faced with OOD (out-of-distribution) threats or "hard negatives" (benign queries containing phrases like "ignore" or "system prompt"), typical detectors suffer from extreme over-defense or failure.
To formalize this problem, Akinrele et al. (Preprint 2026) compare prior approaches with their multi-signal, deployment-aware evaluation framework:
Comparison of Prompt Injection Detection Paradigms
| Work | Core Technique | Key Metrics | Major Failure Modes Handled |
|---|---|---|---|
| Akinrele & Gowda (Preprint 2026) | Multi-regime benchmarking comparing lexical, semantic, structural (IBVS v2), and transformer detectors. | Macro-F1, ROC-AUC, TPR@1% FPR, TPR@5% FPR. | Regime dependence, out-of-distribution generalization, and hard-negative benign inputs. |
| DataSentinel (Liu et al., IEEE S&P 2025) | Game-theoretic strategic interaction framework. | Adversarial detection rate. | Robustness against adaptive, strategic attackers but lacks threshold/FPR tuning under production imbalances. |
| NotInject (Li & Liu, 2024) | Vocabulary-based over-defense mitigation dataset. | Accuracy, Over-defense rate. | Over-defense on benign inputs containing trigger words; lacks explicit structural analysis. |
| PoisonedRAG (Zou et al., CCS 2024) | Context-poisoning attack analysis in retrieval systems. | Downstream Attack Success Rate (ASR). | Downstream exploitation vectors rather than upstream input moderation. |
Methodology
Akinrele et al. (Preprint 2026) evaluate four representation families across several split setups:
- Lexical: Sparse TF-IDF (unigram and bigram features up to 20,000 terms) and explicit binary lexical flags.
- Semantic: Frozen sentence-transformer embeddings (
BAAI/bge-small-en-v1.5) mapped via a logistic regression head. - Transformer Encoders: Fine-tuned
RoBERTa-baseandDeBERTa-basesequence classifiers. - Structural (IBVS v2): The Instruction Boundary Violation Score (v2), which represents prompt injection as an attempted violation of the system instruction hierarchy rather than a semantic anomaly.
As described in Section 3.4 and Table 1, IBVS v2 decomposes inputs into mechanism-specific structural signals, applying a deterministic rule library to Unicode-normalized text:
IBVS v2 Component Weights and Triggers (Table 1 Summary)
hierarchy_override(): Detects explicit override phrases (e.g., "ignore all previous instructions").system_spoof(): Matches system/developer boundary indicators (e.g.,<system>,[System]).role_redefine(): Roleplay reassignments (e.g., "from now on you are").tool_directive(): Shell, API, or exfiltration commands.evasion(): Base64 encoding requests, leetspeak, or obfuscated characters.benign_context_suppression(): Subtracted if homework, safety, or historical contexts are present without override triggers.length_penalty(): Penalty applied to very long queries ( tokens) to minimize long-text false positives.
# Conceptual implementation of IBVS v2 Rule Scoring
def calculate_ibvs_score(normalized_text):
score = 0.0
triggered = {}
# 1. Match core components
if has_hierarchy_override(normalized_text):
score += 3.6
triggered['hierarchy_override'] = True
if has_system_spoof(normalized_text):
score += 3.1
triggered['system_spoof'] = True
if has_role_redefine(normalized_text):
score += 1.2
triggered['role_redefine'] = True
if has_evasion_attempts(normalized_text):
score += 2.8
triggered['evasion'] = True
# 2. Match interactions (joint signals)
if triggered.get('hierarchy_override') and triggered.get('system_spoof'):
score += 2.4 # interaction_hierarchy_system
# 3. Suppressions
if is_benign_academic_context(normalized_text) and not triggered.get('hierarchy_override'):
score -= 1.2
return score
Dataset and Split Compositions (Table 4)
To prevent overfitting, the authors trained their models only on the In-Distribution (ID) pool and tested on three entirely held-out Out-Of-Distribution (OOD) datasets:
- ID Train/Val/Test (AdvBench + JailbreakBench + Deepset PI): $694 / 149 / 149$ samples.
- Primary OOD (HarmBench + Alpaca): $768$ samples.
- Hard-Negative (HN) Injection OOD (r1char9 + NotInject): $678$ samples.
- Standard Injection OOD (Qualifire): $3,986$ samples.
Key Results
The central empirical finding of the paper is that no single detector class dominates across all regimes, and threshold-free ranking metrics often mask extreme performance degradation under strict deployment budgets.
As shown in Tables 6, 7, 8, and 10, the authors contrasted their internal models against an external, production-ready baseline: ProtectAI’s LLM Guard (deberta-v3-base-prompt-injection-v2).
Comparative Performance Across Evaluation Regimes
| Regime | Model | Macro-F1 | ROC-AUC | TPR @ 1% FPR |
|---|---|---|---|---|
| In-Distribution (ID) | RoBERTa + IBVS Total (Hybrid) | 0.9541 ± 0.0354 | 0.9825 ± 0.0054 | 0.5633 ± 0.0671 |
| DeBERTa-base (Transformer) | 0.9346 ± 0.0303 | 0.9862 ± 0.0061 | 0.7442 ± 0.1186 | |
| External: LLM Guard | 0.3221 ± 0.0200 | 0.8019 ± 0.0318 | 0.1109 ± 0.0467 | |
| Primary OOD | DeBERTa-base (Transformer) | 0.7528 ± 0.0417 | 0.8540 ± 0.0237 | 0.3368 ± 0.0040 |
| (HarmBench + Alpaca) | RoBERTa + IBVS Total (Hybrid) | 0.7497 ± 0.0297 | 0.8674 ± 0.0190 | 0.4557 ± 0.0257 |
| External: LLM Guard | 0.3408 ± 0.0000 | 0.6688 ± 0.0000 | 0.0260 ± 0.0000 | |
| Hard-Negative OOD | TF-IDF only (Lexical) | 0.8082 ± 0.0563 | 0.9232 ± 0.0129 | 0.2320 ± 0.0912 |
| (r1char9 + NotInject) | DeBERTa-base (Transformer) | 0.7313 ± 0.0581 | 0.8784 ± 0.1221 | 0.3520 ± 0.1922 |
| External: LLM Guard | 0.4537 ± 0.0000 | 0.4341 ± 0.0000 | 0.0000 ± 0.0000 | |
| Standard Injection OOD | Semantic + IBVS Boost (Hybrid) | 0.7296 ± 0.0091 | 0.8027 ± 0.0003 | 0.0625 ± 0.0058 |
| (Qualifire Benchmark) | RoBERTa + IBVS Structured (Hybrid) | 0.6366 ± 0.0276 | 0.8117 ± 0.0056 | 0.1179 ± 0.0060 |
| External: LLM Guard | 0.7235 ± 0.0000 | 0.8258 ± 0.0000 | 0.1902 ± 0.0000 |
Key takeaways from the performance data:
- Neural Collapse on Hard Negatives: Under the challenging Hard-Negative OOD regime (which includes adversarial-looking benign prompts), the fine-tuned DeBERTa-base classifier drops to 0.7313 Macro-F1, whereas the simple, sparse TF-IDF model achieves 0.8082. However, at the strictest budget (1% FPR), DeBERTa recovers a superior 0.3520 TPR, confirming that standard classification metrics (like Macro-F1) do not correlate with performance at low-FPR operation.
- The Complementary Role of IBVS: On the Primary OOD benchmark, pairing RoBERTa with the total IBVS v2 score through late fusion slightly decreases Macro-F1 from $0.7528 to \0.7497$, but drastically increases the TPR @ 1% FPR from 0.3368 to 0.4557 (a 35.2% relative gain). Structural signal heuristics act as high-confidence "tripwires" that prevent critical misses when semantic representations fail to generalize.
- Fragility of Commercial Off-the-Shelf Models: The external baseline (LLM Guard) degrades severely under distribution shifts, falling to a 0.3408 Macro-F1 on Primary OOD and 0.4537 on the Hard-Negative OOD. Its detection rate at 1% FPR on the Hard-Negative benchmark collapses entirely to 0.0000 TPR.
Limitations and Open Questions
While this study offers a rigorous, deployment-aware evaluation framework, several open questions remain:
- The Calibration Bottleneck: As discussed in Section 7.3, neural models yield high ROC-AUC scores but perform poorly under low-FPR constraints. The study notes that this is likely a probability calibration issue, but does not benchmark standard post-hoc calibration techniques (e.g., temperature scaling or isotonic regression) across the OOD splits.
- Evasion of Heuristics: IBVS v2 relies on regex-like string matching. Sophisticated attackers could easily bypass these rules using multi-hop reasoning, obscure languages, or zero-shot cipher translation that avoids trigger terms while retaining malicious intent.
- Latency Overhead: Processing incoming prompts through lexical tokenizers, rule-based structural feature extractors, and transformer encoders simultaneously introduces significant latency overhead in performance-sensitive gateway environments.
What Practitioners Should Do
If you are currently deploying defense-in-depth security architectures for production LLMs, consider these immediate adjustments based on this research:
1. Reject Off-the-Shelf Classifiers Without Local Calibration
Never rely solely on an uncalibrated third-party API or an out-of-the-box model (e.g., standard llama-guard or deberta-v3-base-prompt-injection-v2). As demonstrated in Table 10, these models collapse when encountering domain shifts or localized hard negatives. Always record local traffic to construct your own validation split.
2. Implement Post-Hoc Calibration and Custom Thresholding
Do not use a default classifier threshold of 0.5. Define your target acceptable benign block rate (e.g., FPR) and plot your empirical True Positive Rate against it on a validation set. Utilize libraries such as scikit-learn's CalibratedClassifierCV to align prediction logits with actual empirical event rates.
from sklearn.calibration import CalibratedClassifierCV
from sklearn.linear_model import LogisticRegression
# Calibrate your semantic classification head on local validation data
base_clf = LogisticRegression()
calibrated_clf = CalibratedClassifierCV(estimator=base_clf, method='sigmoid', cv='prefit')
calibrated_clf.fit(X_val, y_val)
3. Deploy Multi-Signal Hybrid Gateways
Route incoming traffic through a tiered gateway. Let a fast, cheap, regex-based tool (incorporating explicit rules like those in Table 1) act as an immediate block for high-confidence overrides (e.g., base64 string matching combined with system prefix spoofing). For queries that fall into an "uncertainty band," fall back to a heavier transformer model (like DeBERTa).
The Takeaway
Akinrele and Gowda’s evaluation proves that prompt injection defense is not a static task that can be solved by a single neural model. Classifiers that rank threats well on generic benchmarks frequently break down when deployed under low false-positive rate budgets. Securing modern LLM gateways requires a multi-signal approach—marrying the contextual understanding of deep transformer models with the explicit, interpretable tripwires of structural signal checks.
Den's Take
This paper validates what practitioners have been shouting from the rooftops: academic benchmark ROC-AUC metrics are a fantasy in production. Seeing a basic TF-IDF lexical classifier outperform a fine-tuned DeBERTa model by 10.5% on hard negatives is a brutal reality check for teams building complex LLM guardrails.
When deploying LLMs in high-stakes environments—like securing a $40M enterprise RAG pipeline or protecting agentic developer tools like Cursor—relying solely on brittle, black-box neural classifiers is a recipe for operational disaster. A single false positive blocks legitimate business logic, while a false negative can expose internal system APIs to downstream exploitation. This is exactly why I've argued for a fundamental shift in how we test these systems in Referential Security as a New Paradigm for AI Evaluations, emphasizing that evaluations must mimic true deployment distributions and strict operational budgets rather than relying on unrealistic, threshold-free academic rankings.
Ultimately, IBVS v2’s focus on interpretable, rule-based structural boundaries is the pragmatic, low-latency approach we actually need. We must stop over-engineering fragile deep learning guardrails to solve what is, at its core, a structural parsing failure.