Search papers, labs, and topics across Lattice.
Microsoft ResearchBen-Gurion University of the NegevCenter for Cybersecurity Systems & NetworksJun 8, 2026arXiv:2606.09563This paper introduces PRISM, an activation-conditioned interpreter designed to recover the full set of active instructions from language model (LM) hidden states. By formalizing the problem of instruction set retrieval, PRISM utilizes a judge-guided GRPO approach to effectively decode hidden states into a comprehensive bullet list of instructions, constraints, and subgoals. The results demonstrate that PRISM significantly outperforms existing activation-to-language methods, particularly in scenarios involving security-relevant objectives and prompt injections.
PRISM reveals the hidden instructions guiding LLM behavior, outperforming traditional methods in security-critical contexts.
As LLMs are deployed as agents, reliable monitoring requires knowing not only what they output, but which instructions are steering their behavior. This is difficult when models infer unintended subgoals, follow contextual cues, or are influenced by prompt injections and hidden objectives. While activation-to-language methods suggest that hidden states can reveal natural-language information, existing approaches are not designed to recover the full set of simultaneous instructions, constraints, prohibitions, and subgoals active in agentic settings. We formalize this problem as instruction set retrieval and introduce PRISM, an activation-conditioned interpreter that decodes hidden states from a frozen target model into a faithful bullet list of active instructions. Unlike prior activation-to-language methods, PRISM is trained to recover instruction sets directly, using judge-guided GRPO to reward covered instructions and penalize unsupported ones. Across benign, constrained, prompt-injection, and hidden-objective settings, PRISM outperforms activation-to-language baselines, especially on security-relevant objectives.
