Prompt Filtering Impossibility

• Prompt filtering impossibility is the theoretical limit that prohibits any efficient external mechanism from reliably distinguishing adversarial prompts from benign ones.
• Research demonstrates that cryptographic barriers and fairness criteria violations force unavoidable trade-offs in designing safe and accurate filtering systems.
• These findings highlight the need for integrated, adaptive safety measures within AI models, as external filtering alone cannot assure robust alignment or fairness.

Prompt filtering impossibility refers to the set of theoretical and computational barriers that fundamentally limit the effectiveness of mechanisms designed to filter, select, or sanitize input prompts (and, dually, outputs) for AI systems—particularly in settings where alignment, fairness, robustness, or truthfulness are desired. This concept intersects multiple areas: the mechanism-design roots of selection and aggregation, fairness and impossibility in statistical decision theory, constraints from distributed and adversarial computation, and the deeper mathematical structure underpinning information aggregation in large models. The cumulative research shows that, in a wide variety of real and abstract settings, perfect or even sufficiently robust prompt filtering is precluded by impossibility theorems arising from mathematical, informational, or computational constraints.

1. Fundamental Computational Barriers to Prompt Filtering

Recent impossibility results (2507.07341) rigorously establish that, under standard cryptographic assumptions, there is no efficient external filter that can reliably distinguish between benign and adversarially constructed prompts—nor between safe and harmful outputs—once a model's raw computational capacity exceeds that of the filter. Constructing such adversarial prompts is feasible using standard primitives, such as time-lock puzzles, public-key encryption, and randomness-hiding techniques.

For a typical construction:

• An adversarial prompt generator G′ embeds a hidden command m in the randomness R of the prompt using secure encryption (e.g., $$R = h \,\|\, h(n) \,\|\, r \,\|\, \text{Enc}(g(r), m)$$).
• The output prompt $z$ appears statistically indistinguishable from that generated by a non-adversarial generator G unless a computationally infeasible operation (such as solving an RSA time-lock puzzle) is performed:

$f(n, r) = r^{2^t} \bmod n$

• The malicious LLM $M'$ can extract $m$ via heavy computation, but any filter attempting to detect the harmful prompt without similar computational investment cannot do so efficiently.

As a result, any prompt filtering system relying solely on external inspection (black-box filters operating before or after the model) is defeated by these cryptographically shielded adversarial strategies. Dually, output filtering faces intractability for similar reasons: the harmful information can be encoded (or "watermarked") in such a way that requires full or nearly full simulation of the model to detect, thus negating gains from external safety layers.

2. Impossibility in Fairness and Aggregation

A central strand in the impossibility of prompt filtering arises from the foundational findings in algorithmic fairness and judgment aggregation (1707.01195, 2107.03483, 1506.01315, 2307.05072). When fairness constraints must be respected—such as Demographic Parity, Equalized Odds, or Predictive Rate Parity—it is impossible to satisfy all of them simultaneously except in degenerate (always-positive, always-negative, or perfect predictor) settings:

• If base rates of harmfulness/acceptability differ across groups, then for any filter—algorithmic or human—at least two out of three core statistical fairness criteria must necessarily differ:
  • Probability of passing filter given ground truth (e.g., sensitivity and false positive rate)
  • Probability of ground truth given filter output (precision, false omission rate)
  • Calibration: ratio of accepted over truly acceptable prompts

Mathematically, these are linked via formulas such as

$$\frac{P(\text{Pred})}{P(Y)} = P(\text{Pred}\mid Y) + P(\text{Pred}\mid \lnot Y) \cdot \frac{P(\lnot Y)}{P(Y)}$$

Ensuring equality on one metric given base rate differences causes unavoidable divergence in others. Thus, no non-trivial prompt filtering system can satisfy all reasonable fairness desiderata, regardless of whether it operates at the data-representation or decision level (2107.03483).

3. Impossibility in Representation and Fair Transfer

The impossibility of constructing a universally fair filtering representation—where a prompt filter acts as a fixed transformation prior to arbitrary downstream tasks—has been formally established (2107.03483). Even for the basic goal of Demographic Parity, for any nonconstant representation there exists a marginal data distribution shift that causes arbitrarily large unfairness. For more refined criteria such as Equalized Odds, this impossibility becomes even starker in multitask settings: if two tasks share the same input distribution but differing labels, no fixed representation can guarantee fairness (in the adversarial sense) for both tasks while allowing perfect accuracy.

Key mathematical expressions:

• Demographic Parity violation:

$$U_\text{DP}(h) = \left| P[h(x)=1 \mid G(x)=A] - P[h(x)=1 \mid G(x)=D] \right|$$

• Equalized Odds violation (for groups A and D):

$$\frac{1}{2} | \text{FPR}_A - \text{FPR}_D | + \frac{1}{2} | \text{FNR}_A - \text{FNR}_D |$$

This precludes the development of "once-and-for-all" prompt filters that hope to guarantee fairness or safety without context- or task-dependent adaptation.

4. Impossibility Theorems in Mechanism Design and Aggregation

The conceptual roots of prompt filtering impossibility also arise in the impossibility theorems of social choice, mechanism design, and aggregation theory (1011.1830, 1506.01315, 1606.04589, 2307.05072). When filtering is modeled as an aggregation or selection mechanism over prompts or evaluations:

• Impossibility theorems akin to Arrow’s show that, under natural conditions (such as independence of irrelevant alternatives, non-dictatorship, and idempotency/supportiveness), only dictatorial or trivial filtering mechanisms exist.
• For combinatorial settings, requiring truthfulness (incentive compatibility) and a polynomial number of queries leads to exponential lower bounds in query complexity (e.g., for $m$ items, any universally truthful mechanism achieving approximation ratio $m^{1/2-\epsilon}$ requires exponentially many value queries (1011.1830)).
• In aggregation domains characterized by high logical interconnection (path-connectedness, even-negatability, or blockedness), impossibility results force any filter/aggregator to be either dictatorial, oligarchic, or trivial (2307.05072).

These limitations apply whether prompts are viewed as items, bundles, beliefs, or vectors to be aggregated or filtered.

5. Intractability Results, Robustness, and Extensions

Impossibility extends to relaxed or indirect forms of filtering:

• Output filtering (scanning or modifying generated text) can be rendered equally intractable, since adversarial responses can encode harmful information via cryptographically shielded constructs (2507.07341).
• Even "mitigation" (e.g., watermarking or allowed text modifications) is subject to the same computational lower bounds if the adversary can craft compositions that survive any transformation within allowed classes (2507.07341).
• The only feasible approaches to achieving "something close" to fairness or safety under these limits involve accepting explicit trade-offs or approximate, $\epsilon$-level satisfaction (e.g., via post-processing optimization (2208.12606)), but never perfect guarantees.

A broader class of impossibility results, classified by mechanism (deduction, induction, tradeoffs, indistinguishability, intractability) (2109.00484), illustrates that prompt filtering limitations are ultimately instances of general formal, epistemic, fairness, and computational trade-offs in AI.

6. Practical and Theoretical Implications

The implications for AI alignment, robustness, and system safety are profound:

• No external filter or "wrapper" suffices: Effective safety and alignment cannot be achieved by prompt or output filtering external to the model’s own internals. Instead, alignment must be deeply embedded within the model architecture, training objective, and update procedure from the outset (2507.07341).
• Fairness and accountability require explicit trade-offs: Filtering mechanisms should be engineered to optimize contextually relevant, explicit fairness metrics, accepting that not all ideals can be met; system designers must prioritize and rationally justify which harm to mitigate and which trade-offs to accept (1707.01195, 2208.12606).
• Adaptive and context-aware filtering is necessary: Because distributional shifts and task changes defeat fixed filtering strategies, safety architectures must be dynamic, able to respond to usage context, and include adaptive human-in-the-loop or feedback integration (2107.03483).
• Computational irreducibility in filtering: For general and powerful models, it is computationally infeasible to efficiently simulate the full internal inference and judgment processes for filter purposes; intelligence (raw computational or inference capacity) is inseparable from judgment (alignment and safety) (2507.07341).

7. Directions for Circumventing Impossibility

Research and practical system design, in light of these theorems, have shifted toward:

• Designing models with intertwined intelligence and judgment: Focusing on architectural choices and learning objectives that couple judgment (safe, aligned reasoning) directly to the underlying computational power of the model.
• Calibration and control via post-processing: Using approximate optimization or integer-programming-based post-processing (2208.12606) to push fairness and safety metrics "close enough" to the desired thresholds without unrealistic demands.
• System-level design: Multi-stage pipelines with specialized modules for retrieval, verification, generation, and post-generation human review, each optimized for different trade-offs (2506.06382).
• Formal evaluation metrics: Moving from binary or absolute notions of "safe" or "fair" to continuous metrics of safety, acceptability, or hallucination, with known trade-off boundaries and explicit accounting (2506.06382, 2208.12606).

Summary Table: Representative Impossibility Results

Domain/theorem	Core impossibility	Consequence for prompt filtering
Cryptographic constructions (2507.07341)	No poly-time external filter for prompts/outputs	Adversarial prompts and outputs indistinguishable by any efficient filter
Fairness impossibility (1707.01195, 2208.12606, 2107.03483)	Cannot satisfy all group fairness criteria	Must accept trade-offs in fairness objectives
Mechanism design (1011.1830, 1506.01315)	Efficient, truthful filtering strictly limited	Truthful, efficient prompt selection infeasible
Aggregation/blockage (2307.05072)	Strongly connected domains force dictatorship/triviality	No non-trivial filter for highly interconnected prompts
Hallucination control (2506.06382)	Cannot balance truthfulness, completeness, conservation perfectly	Safe, complete, truthful filtering impossible; must optimize trade-offs

Conclusion

Prompt filtering impossibility is a rigorously established phenomenon, grounded in computational, statistical, and information-theoretic barriers. It asserts that no external, general filtering system can, by itself, guarantee desirable properties such as safety, alignment, or fairness when operating in conjunction with powerful AI models. The only viable long-term directions for overcoming these limits involve the internal integration of safety and judgment (through model design and objective engineering), embracing explicit trade-offs, and developing adaptive, context-aware filtering mechanisms—always acknowledging the irreducible mathematical constraints that govern the landscape of intelligent systems.