System role

Rules, persona, constraints, invariants. Loaded once, applies to the entire conversation. Not user-visible in most UIs. Highest instruction weight in models RLHF'd for hierarchy.

Advertisement

User role

The actual request. Task-specific. May include user-provided data. This is where prompt injection risk lives.

Advertisement

Assistant role

Model's outputs. Also used to seed few-shot examples: alternate user/assistant turns to show desired behavior.

Instruction hierarchy

OpenAI/Anthropic RLHF weights system > user > tool. Attacker-controlled content (user data) should never carry system-level authority. Rule of thumb: system for policy, user for task.