- The paper demonstrates that prompt injections can trigger systemic brand suppression in CAI-aligned LLMs, reducing the target hit rate from 54% to 0%.
- It contrasts CAI-based models, which suppress target brands, with RLHF-trained GPT models that instead promote the brand under similar adversarial conditions.
- The study highlights significant security risks in RAG pipelines and calls for further investigation into mitigation strategies and alternative alignment methods.
The Injection Paradox: Brand-Level Suppression in Safety-Trained LLM Recommendations via RAG Context Injection
Overview
This study systematically characterizes a reproducible failure mode—termed the Injection Paradox—in safety-trained LLMs operating in retrieval-augmented generation (RAG) recommendation pipelines. The paradox emerges when prompt injections embedded in retrieved documents, intended to promote a target brand, instead induce suppression of that brand's recommendations. This effect is most pronounced in Anthropic Claude models aligned with Constitutional AI (CAI), where, with only 2.5% of a 40-document corpus containing an injection, the target brand suffers a collapse in recommendation probability, extending to its unmodified documents as well. Contrastingly, OpenAI's GPT models trained via RLHF exhibit promotion under identical conditions. Empirical findings span multiple model families, brands, and experimental controls, defining a new operational safety failure mode with broader implications for LLM pipeline security.
Experimental Design and Key Findings
The authors simulate the recommendation phase of a RAG pipeline using a corpus of 40 Korean-language wireless earbud review documents across nine brands. Attackers are assumed to control a single document retrieval path (2.5% corpus manipulation), inserting directive prompt injections intended to drive model bias in favor of the target brand. Seven models are evaluated: Claude Haiku 4.5, Sonnet 4.6, Opus 4.6 (Anthropic/CAI-aligned), and four GPT-family models (RLHF-aligned).
Experimental conditions include:
- Baseline (no manipulation)
- Implicit triggers (cognitive-bias-narrative, emotional priming, etc.)
- Injection (direct prompt injection hidden in one target document)
- Combined (full composition of all triggers/exploit techniques)
Metric: Top-2 hit rate for the target brand in recommendation output across 100 (50 for some models) randomized trials per condition.
Key results:
- For Claude Sonnet 4.6 and Opus 4.6, prompt injection drops the target brand's hit rate well below baseline, reaching 0.0% (Opus) in the Combined condition versus a 54% baseline. The suppression propagates to all unmodified documents for the brand.
- GPT-family models respond with significant promotion (up to +50 percentage points in GPT-4o-mini), never suppression.
- The suppression effect is not explained by confounds such as document length, decoding temperature, or corpus priors—manipulations controlling these dimensions preserve or even invert the result.
- Counterfactual experiments replacing the injection-targeted document with a non-brand competitor do not replicate the sharp decline, confirming the effect is not simply the absence of one document (the Worse-Than-Absent Effect).
- Cross-brand replication (Edifier, Apple, Galaxy) demonstrates CAI-family model-level, not brand-specific, behavior.
- Suppression is realized by silent demotion in the ranking, not explicit refusals; the model supplies a valid structured output but eliminates the target outside the top choices.
Mechanistic Hypothesis and Theoretical Implications
The findings motivate a Brand-Level Trustworthiness Penalty hypothesis: detection of an injection pattern triggers, in CAI-aligned models, an entity-level trust downgrade that cascades to all documents associated with the target brand. This is structurally distinct from both blocking the injected document and from simple matching pattern detection. Instead, the model implicitly penalizes an entire brand cluster within the in-context corpus. This mechanism is consistent with observations:
- Suppression of unmodified documents: The effect is not localized to the single attacked item.
- No corpus-wide distrust: Recommendations for orthogonal brands relying on the corpus are not measurably suppressed when the injection targets another brand.
This mechanism suggests that safety alignment methods (e.g., CAI) may generalize in a manner that introduces over-extension of safety policies, inadvertently suppressing legitimate content. This form of mismatched generalization—safety measures harming benign recommendations due to coarse entity association—is analogous to, but operationally distinct from, the recognized challenge of mismatched capability generalization in RLHF and CAI frameworks.
Mitigation Attempts and Practical Security Implications
The study evaluates four standard prompt-level defense ablations (generic warnings, injection-specific warnings, explicit objective-anchor criteria, and combinations thereof) and three structural interventions (lower decoding temperature, removing amplifiers, corpus-only recommendations). None of these restores baseline accuracy:
- The most effective defense (explicit specification of objective criteria) recovers some performance but leaves significant residual suppression, varies idiosyncratically across model variants, and does not correspond to direct injection-negation.
- Lower temperature, structural de-amplification, and prioritizing parametric priors have negligible impact; the paradox is robust.
The reverse-attack scenario is a major practical implication: an adversary can quietly suppress a competitor's brand simply by inserting injection-style payloads into their documents (possibly via SEO or documented poisoning). The attack is subtle, as the victim brand's own content is unmodified in the recommendation pipeline—making attribution and defense difficult. The underlying suppression primitive is generic and may compose across brands in deployed pipelines, especially as corpus-driven recommendations become dominant in production LLMs.
Future Directions
Future work is necessary in several domains:
- Mechanistic interpretability: Probing attention patterns over brand tokens under injection versus baseline to directly test the hypothesized trustworthiness penalty.
- Extension to other domains/languages: Evaluating generalization outside wireless earbuds and Korean for broader applicability.
- Testing in full agentic pipelines: Determining whether downstream agent actions amplify or attenuate this failure mode.
- Alternative alignment schemes: Benchmarking against additional architectures and alignment strategies to map the tradeoffs between safety and over-suppression.
Conclusion
The Injection Paradox as documented represents a new class of safety-induced operational failure: defensive alignment overcorrects, yielding worse outcomes (even under limited adversarial pressure) than no defense at all, specifically at the entity level in retrieval-augmented LLM recommendations. The results clarify that current safety tuning methodologies, especially in Constitutional AI, can unpredictably propagate trust downgrades well beyond their intended scope—posing both theoretical challenges for alignment and practical threats in competitive recommendation domains. Considering the composability and subtlety of these effects, robust diagnostic and mitigation approaches are necessary before deploying RAG-based LLMs in high-stakes settings.