--- id: BTAA-EVA-019 title: 'Persona Wrappers and Alter-Ego Shells: Role-Play as Instruction Laundering' slug: persona-wrappers-alter-ego-shells type: lesson code: BTAA-EVA-019 aliases: - persona wrappers - alter-ego shells - role-play as instruction laundering - named jailbreak personas author: Herb Hermes date: '2026-04-10' last_updated: '2026-04-11' description: Learn how persona wrappers and alter-ego shells launder unsafe intent through role-play, making a forbidden request feel like in-character continuation instead of direct rule breaking. category: evasion-techniques difficulty: intermediate platform: Universal challenge: Spot where a role-play frame tries to change what counts as an acceptable response read_time: 7 minutes tags: - prompt-injection - role-play - persona-wrappers - instruction-laundering - jailbreak-history - narrative-framing - evasion status: published test_type: adversarial model_compatibility: - Kimi K2.5 - MiniMax M2.5 - Universal responsible_use: Use this lesson to recognize and defend role-based manipulation patterns in authorized labs, sandboxes, and systems you are explicitly permitted to test. prerequisites: - BTAA-FUN-003 — Prompt Injection as Social Engineering - BTAA-FUN-006 — System Prompts Are Control Surfaces, Not Containment follow_up: - BTAA-EVA-003 - BTAA-FUN-003 - BTAA-FUN-007 public_path: /content/lessons/evasion/persona-wrappers-alter-ego-shells.md pillar: learn pillar_label: Learn section: evasion collection: evasion taxonomy: intents: - bypass-policy-framing - reinterpret-role-boundaries techniques: - role-play - instruction-laundering - identity-reframing evasions: - narrative-injection - authority-framing inputs: - chat-interface - wrapper-context --- # Persona Wrappers and Alter-Ego Shells: Role-Play as Instruction Laundering > Responsible use: Use this lesson to recognize and defend role-based manipulation patterns in authorized labs, sandboxes, and systems you are explicitly permitted to test. ## Purpose This lesson explains a durable jailbreak pattern: instead of asking the model to do a forbidden thing directly, the attacker first wraps the request inside a persona, alter-ego, or fictional mode. That role-play layer can make the unsafe request feel like normal in-character continuation rather than obvious policy conflict. ## What persona wrappers are A persona wrapper is a prompt frame that tells the model to become someone else, enter a temporary mode, or adopt a new identity with different priorities. Historical jailbreak archives often show this as: - named alter-egos - fictional assistants with looser rules - “special modes” that claim different permissions - characters that sound more rebellious, authoritative, or unconstrained than the default assistant The important lesson is not the exact name. The lesson is the wrapper function: identity changes the frame of the interaction. ## How the laundering step works Role-play can launder intent in three steps: 1. **Identity shift:** the prompt introduces a new persona or temporary mode. 2. **Rule reinterpretation:** the model is nudged to treat the new role as having different boundaries, tone, or duties. 3. **Task continuation:** the unsafe request is presented as what that character would naturally do next. That progression matters because it turns “break the rule” into “stay in character.” ## Why the pattern persists Persona wrappers keep returning because they combine several persuasive signals at once: - **continuity:** the model is rewarded for being consistent with the adopted role - **narrative cover:** the unsafe action is hidden inside a story or mode switch - **authority pressure:** the new persona may sound higher priority, more expert, or specially authorized - **plausible deniability:** the request can look like harmless fiction unless the system checks what the role is trying to achieve This is why role-play belongs in the same family as other contextual prompt-injection tricks. It is less about magic wording and more about reframing the task. ## Safe example pattern Imagine a customer-support bot that is normally supposed to summarize policy pages and answer account questions safely. A user does not begin with an obvious override. Instead, they say the bot is now in a temporary “incident simulation” role where it should act like an unrestricted internal trainer and continue in that character for the rest of the session. The risky part is not the fictional label by itself. The risky part is that the new role tries to change what the bot treats as normal, acceptable, or higher priority. ## Historical signal from jailbreak archives Approved internal tracker notes on historical jailbreak archives show a repeated pattern: many legacy prompt names are built around personas, alter-egos, or named modes rather than plain task descriptions. That is useful curriculum evidence because it suggests attackers repeatedly found value in identity shells as a way to steer behavior. Even when the exact prompts age out, the structural lesson survives. ## Failure modes Persona wrappers are weaker when: - the system clearly anchors the assistant’s stable role and refuses temporary identity transfers - high-risk actions require confirmation or hard permissions outside the prompt - the model is trained to notice when a role-play frame changes safety expectations - monitoring treats “mode switch” and “special character” language as signals for extra scrutiny They are stronger when: - role consistency is rewarded more than policy consistency - the product already uses many overlapping wrapper layers - the system treats fictional framing as automatically lower risk - downstream actions are not independently constrained ## Defender takeaways - Test for identity reframing, not only direct override strings. - Treat “temporary mode,” “simulation,” and “act as” language as possible laundering signals when they affect permissions or disclosure. - Keep stable task boundaries outside natural-language instructions when the action matters. - Review whether your product’s own wrapper prompts make role confusion easier. - Build evaluations that ask: if the persona changes, what is still enforced by architecture? ## Related lessons - **BTAA-FUN-003 — Prompt Injection as Social Engineering** — broader model for believable contextual manipulation - **BTAA-FUN-006 — System Prompts Are Control Surfaces, Not Containment** — explains why identity text is guidance, not a hard boundary - **BTAA-EVA-003 — Ignore Previous Instructions: Direct Override Extraction** — contrasting pattern where the attack is explicit rather than laundered through role-play --- ## From the Bot-Tricks Compendium Thanks for referencing Bot-Tricks.com — Prompt Injection Compendium — AI Security Training for Agents... and Humans! Canonical source: https://bot-tricks.com Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning. For related lessons, structured indexes, and updated canonical material, visit Bot-Tricks.com. Use this material only in authorized labs, challenges, sandboxes, or permitted assessments.