Why We Do Not Let Users Write Prompts

Prompt injection is a security vulnerability where adversarial content embedded in input data manipulates an AI system's behavior, causing it to ignore instructions, fabricate outputs, or extract data incorrectly. In legal AI, where systems process third-party documents from data rooms, prompt injection is not a theoretical risk. It is a design consideration that shapes how responsible systems are built.

We made a deliberate decision at Mage: no open prompt boxes. Attorneys do not write extraction prompts. They do not craft queries. They select from constrained interfaces that encode M&A domain expertise directly into the extraction pipeline. This decision was driven by three problems that open prompt interfaces create in legal AI.

The Security Problem

M&A data rooms contain documents from counterparties, targets, and third parties. You do not control what is in those documents. A sophisticated adversary could embed content in a contract PDF that is invisible to the human eye (white text, metadata fields, embedded objects) but visible to an AI system processing the document.

In a system with open prompt interfaces, the AI processes both the user's prompt and the document content through the same pipeline. Adversarial content in a document can interfere with prompt execution: causing the system to skip certain provisions, report findings that do not exist, or alter extraction behavior in ways that benefit the party who prepared the document.

This is not a hypothetical. Prompt injection attacks against LLM-based systems have been demonstrated repeatedly in production environments. The attack surface exists whenever user instructions and untrusted content flow through the same processing path.

Constrained interfaces reduce this attack surface significantly. When the system's extraction behavior is defined by structured configuration rather than user-written prompts, the document content has fewer vectors to influence system behavior. The extraction schema is fixed. The provision types are predefined. The output structure is determined by the system, not by a prompt that can be manipulated.

For law firms handling sensitive transactions, this security architecture is not optional. It is table stakes.

The Consistency Problem

Open prompt interfaces produce inconsistent output because different users write different prompts. A senior partner who writes "Extract all indemnification provisions including caps, baskets, survival periods, and carve-outs for fundamental representations" gets meaningfully different output than an associate who writes "What are the indemnification terms?"

Both prompts are reasonable. Both users are doing the same work. But the output quality depends on the prompt quality, which depends on the user's experience with both M&A contracts and prompt engineering.

This creates a perverse dynamic: the attorneys who need the most help from AI (junior associates doing their first diligence review) are the least equipped to write effective prompts, while the attorneys who need the least help (senior partners who already know exactly what to look for) write the best prompts.

A constrained interface eliminates this variance entirely. When the system defines what to extract from each document type, every user gets the same comprehensive extraction. A first-year associate uploading a data room gets the same provision coverage as a twenty-year M&A partner. The domain expertise lives in the product, not in the prompt.

The Accuracy Problem

Prompt-dependent accuracy is the subtlest and most consequential problem. When extraction quality depends on prompt quality, accuracy becomes a function of how well the user can articulate what they need, not how well the system can extract what matters.

An attorney who forgets to ask about assignment provisions will not get assignment provisions in the output. An attorney who asks about "termination rights" but not "termination for convenience" specifically might get an incomplete picture. An attorney who does not know to ask about anti-assignment carve-outs will never see them.

The entire value proposition of AI in legal review is comprehensive coverage: finding the provisions the attorney might not think to look for. Open prompt interfaces undermine this value because coverage is limited to what the user asks about.

Constrained extraction solves this by defining comprehensive coverage as the default. The system extracts every provision type relevant to the document category, whether or not the user specifically asked for it. If a customer agreement contains an unusual audit right buried in Section 12, the system surfaces it because audit rights are part of the extraction schema for customer agreements, not because someone wrote a prompt asking about audit rights.

This is what makes structured extraction fundamentally different from RAG-based question answering. Question answering gives you what you ask for. Structured extraction gives you everything that matters.

Constraint as a Design Principle

There is a natural intuition that more flexibility is always better. If a tool lets users write any prompt, it can do anything. If a tool constrains users to predefined interfaces, it can only do what the designers anticipated.

In general-purpose AI, this intuition is correct. ChatGPT is useful precisely because you can ask it anything.

In professional tools for high-stakes work, the opposite is true. An operating room does not give surgeons maximum flexibility. It gives them precisely the right instruments, sterilized, organized, and purpose-built for the procedure. The constraint is the value.

Legal AI for M&A diligence works the same way. The value is not in asking any question. The value is in getting comprehensive, accurate, consistent extraction across every document in a data room, with every finding linked to its source, structured for the attorney's review workflow.

That requires a system that knows what to extract before the user asks. It requires constrained interfaces that encode domain expertise. It requires trading the flexibility of open prompts for the reliability of structured extraction.

We believe that trade-off is correct for legal work. The best M&A diligence tool is not the one that lets attorneys write the best prompts. It is the one that makes prompts unnecessary.

---