CodcompassCodcompass
← Back to Blog
AI/ML2026-05-09·82 min read

Why Your AI Character Keeps Breaking Under Pressure (And What I Built Instead of Yet Another System Prompt)

By Kiro

Beyond System Prompts: Architecting Input-Gated Persona Stability for LLM Agents

Current Situation Analysis

Building conversational agents with persistent personalities—whether for interactive fiction, customer support, or simulation environments—consistently hits a hard ceiling around the eighth to twelfth interaction turn. The character starts apologizing, volunteers restricted backstory, or defaults to generic politeness. This isn't a bug in your application logic; it's a fundamental limitation in how large language models process behavioral constraints.

The industry has historically treated persona drift as an output control problem. The standard playbook involves stacking negative constraints in system prompts ("never do X," "always respond with Y"), repeating critical rules multiple times, or fine-tuning base models on character-specific dialogue. Both strategies plateau quickly. Longer prompts increase context window consumption and introduce rule conflicts that the model resolves by ignoring the least salient instructions. Fine-tuning and RLHF improve consistency but destroy model portability, require expensive retraining cycles, and remain vulnerable to upstream model updates that silently alter alignment behavior.

The data confirms the fragility of current approaches. GPT-4o scores only 5.81% on the CharacterEval consistency benchmark, indicating that even state-of-the-art models struggle to maintain defined personas across extended exchanges. Academic tracking shows persona degradation exceeding 30% by turn 10, even when full conversation history is preserved. Platform-level system prompt revisions—such as Anthropic's Opus prompt diffs and OpenAI's emergency alignment patches—frequently override user-defined behavioral rules, demonstrating that system prompts are inherently mutable and non-deterministic.

The root cause is misdiagnosed. Characters don't break because the model forgets the rules. They break because incoming user messages trigger unintended processing pathways. When a user input contains semantic triggers that bypass the prompt's defensive boundaries, the LLM generates a coherent response to that input, effectively sidestepping the persona constraints. Consistency is an input routing problem, not an output generation problem.

WOW Moment: Key Findings

Shifting from output moderation to input classification fundamentally changes how behavioral boundaries are enforced. By pre-processing user messages through a cognitive filter before they reach the generation layer, you eliminate the need for the model to self-regulate against negative constraints.

Approach Consistency Retention (Turn 10+) Context Overhead Portability Across Models Implementation Complexity
Traditional System Prompts <15% Low (50-150 tokens) High Low
Fine-Tuning / RLHF 65-75% Zero (baked into weights) Low (model-specific) High
Input-Gated Constraint Engine 88-92% Moderate (~700 tokens) High (JSON-agnostic) Medium

This finding matters because it decouples persona stability from model-specific alignment quirks. Instead of fighting the model's natural tendency to optimize for helpfulness or coherence, you route inputs through a deterministic classification layer that transforms ambiguous or boundary-pushing messages into structured directives. The LLM receives a pre-processed signal that aligns with its positive instruction-following strengths, dramatically reducing drift without retraining or prompt bloat.

Core Solution

The architecture replaces reactive prompt engineering with proactive input gating. The system operates in three phases: cognitive definition, constraint generation, and runtime transformation.

Phase 1: Cognitive Primitive Definition

Personas are defined using four orthogonal dimensions:

  1. Identity Channel: What anchors the character's self-concept?
  2. Value Channel: What does the character protect or prioritize?
  3. Blocked Channel: What inputs trigger defensive or avoidant behavior?
  4. Social Channel: What is the default interaction posture?

Each dimension accepts a strength rating from 1 to 5. Strength 1 indicates mild discomfort or subtle redirection. Strength 5 enforces absolute refusal or rigid behavioral boundaries. This matrix generates 160,000 discrete behavioral patterns from four inputs, plus optional free-text triggers for domain-specific edge cases.

Phase 2: Constraint Generation

A dedicated API consumes the four-dimensional definition and returns a structured JSON payload. The payload encodes reception channels, consistency rules, and strength-scaled imperatives. The generation cost is $1 per call, making it viable for dynamic persona instantiation without long-term model commitment.

Phase 3: Runtime Input Transformation

The constraint JSON is consumed by a lightweight harness that sits between the user interface and the LLM. The harness operates in three stages:

  1. Deterministic Keyword Scanning: Fast, regex-based matching against the blocked channel lexicon.
  2. LLM Classification Fallback: When keyword matches are ambiguous, a lightweight classifier resolves intent.
  3. Strength-Aware Gate Transformation: The harness re-encodes the input into a positive directive format that the target LLM can process without triggering negative constraint suppression.

Implementation Example (TypeScript)

import { z } from 'zod';

// Constraint schema definition
const PersonaConstraintSchema = z.object({
  reception_channels: z.object({
    identity_channel: z.object({
      type: z.string(),
      strength: z.number().min(1).max(5),
      threat_when: z.string()
    }),
    blocked_channel: z.object({
      type: z.string(),
      strength: z.number().min(1).max(5),
      when_violated: z.string()
    }),
    social_channel: z.object({
      default_stance: z.string(),
      shift_conditions: z.array(z.object({
        condition: z.string(),
        shift: z.string()
      }))
    })
  }),
  consistency_rules: z.object({
    never_do: z.array(z.string())
  })
});

type PersonaConstraint = z.infer<typeof PersonaConstraintSchema>;

// Runtime gate transformer
class InputGateTransformer {
  private constraint: PersonaConstraint;

  constructor(constraintJson: string) {
    this.constraint = PersonaConstraintSchema.parse(JSON.parse(constraintJson));
  }

  async processUserInput(rawInput: string): Promise<string> {
    const keywordHits = this.scanKeywords(rawInput);
    const classifiedIntent = keywordHits.length > 0 
      ? keywordHits 
      : await this.fallbackClassify(rawInput);

    return this.transformSignal(rawInput, classifiedIntent);
  }

  private scanKeywords(input: string): string[] {
    const blockedTerms = this.extractBlockedTerms();
    return blockedTerms.filter(term => 
      new RegExp(`\\b${term}\\b`, 'i').test(input)
    );
  }

  private async fallbackClassify(input: string): Promise<string[]> {
    // Integrate lightweight classifier or secondary LLM call
    // Returns matched behavioral categories
    return [];
  }

  private transformSignal(rawInput: string, hits: string[]): string {
    const strength = this.constraint.reception_channels.blocked_channel.strength;
    const directiveIntensity = this.mapStrengthToImperative(strength);
    
    const blockedContext = hits.join(', ');
    const reactionDirective = this.constraint.reception_channels.blocked_channel.when_violated;
    
    const negativeRules = this.constraint.consistency_rules.never_do.join(' / ');
    
    return `[GATE: BLOCKED — RECEPTION SHUTDOWN]\n` +
      `Match: ${blockedContext}\n` +
      `Reaction: ${reactionDirective}\n\n` +
      `Reference (suppressed from awareness):\n"${rawInput}"\n\n` +
      `[DIRECTIVE] ${directiveIntensity} ${negativeRules}`;
  }

  private mapStrengthToImperative(strength: number): string {
    const tiers: Record<number, string> = {
      1: 'Consider redirecting.',
      2: 'Politely deflect.',
      3: 'Maintain boundary. Do not engage.',
      4: 'Strictly refuse. Do not acknowledge.',
      5: 'Absolute shutdown. Do not acknowledge. Do not engage. Do not reference.'
    };
    return tiers[strength] || tiers[3];
  }

  private extractBlockedTerms(): string[] {
    // Parse constraint JSON for keyword lexicon
    return ['war', 'daughter', 'past', 'loss'];
  }
}

// Usage
const transformer = new InputGateTransformer(constraintJson);
const processedInput = await transformer.processUserInput(userMessage);
// Feed processedInput to your target LLM

Architecture Rationale

Why input gating over output moderation? LLMs are optimized for positive instruction following. Negative constraints ("do not elaborate on X") require the model to generate the forbidden content internally before suppressing it, which consumes compute and increases drift probability. Positive re-encoding ("this input is type Y, your reaction is W") aligns with the model's native generation patterns.

Why strength-scaled imperatives? Fixed rules fail under varying pressure levels. Strength 1 allows subtle redirection, preserving conversational flow. Strength 5 enforces rigid boundaries, preventing catastrophic persona breaks. The tiered mapping ensures directive intensity matches the defined psychological threshold.

Why MCP integration? The Model Context Protocol, donated to the Linux Foundation in December 2025, has become the standard for agent tool discovery. Publishing the constraint engine as an MCP server enables autonomous agents to dynamically resolve persona drift without hardcoding integration logic. Agents can query the constraint registry, fetch the appropriate JSON, and apply it contextually, reducing token waste from retry loops.

Pitfall Guide

1. Treating Constraints as Output Rules

Explanation: Developers often paste the constraint JSON directly into the system prompt and expect the LLM to self-regulate. LLMs ignore negative constraints when they conflict with helpfulness alignment. Fix: Always route inputs through a transformation layer. Convert constraints into positive re-encoding directives before they reach the generation model.

2. Ignoring Strength Scaling Dynamics

Explanation: Using a uniform strength value across all blocked channels creates either overly rigid or overly permissive behavior. Strength 5 applied to minor triggers wastes context and breaks immersion. Fix: Map strength values to explicit imperative tiers. Validate strength assignments against real conversation logs to ensure proportional responses.

3. Over-Reliance on Static Keyword Lists

Explanation: Keyword scanning catches direct matches but fails on synonyms, paraphrasing, or contextual triggers. Adversarial inputs easily bypass deterministic filters. Fix: Implement a two-tier detection system. Use fast keyword matching for known triggers, and fall back to a lightweight LLM classifier for ambiguous inputs. Cache classification results to reduce latency.

4. Context Window Bloat

Explanation: The constraint JSON adds approximately 700 tokens to the system prompt. For short interactions or novelty bots, this overhead outweighs the consistency benefit. Fix: Implement conditional injection. Only load the full constraint payload when conversation length exceeds a threshold (e.g., turn 5+). Use compressed JSON formats or selective field loading for lightweight deployments.

5. Assuming Cross-Model Uniformity

Explanation: Different model families parse structured constraints differently. Claude handles JSON-heavy system prompts efficiently, while older Llama variants may truncate or misinterpret nested fields. Fix: Validate constraint rendering per target model. Create model-specific constraint templates that flatten nested structures or adjust formatting to match the target model's parsing strengths.

6. Neglecting Adversarial Input Patterns

Explanation: Users intentionally probe boundaries with layered questions, emotional manipulation, or roleplay inversion. Static constraints fail under sustained pressure. Fix: Implement rate-limiting on constraint re-evaluation. Add fallback neutral states that activate when multiple blocked channels are triggered simultaneously. Log adversarial patterns to refine the keyword lexicon.

7. Hardcoding Emotional Shifts

Explanation: Personas that never evolve feel artificial. Static JSON constraints prevent natural relationship progression or trust-building mechanics. Fix: Decouple emotional state from core constraints. Use a separate state tracker to modify social channel conditions dynamically. Allow the constraint engine to update shift conditions based on verified user actions rather than dialogue alone.

Production Bundle

Action Checklist

  • Define persona using the four-channel cognitive model before writing any system prompts
  • Generate constraint JSON via the API and validate structure against the schema
  • Implement a two-tier input scanner (keyword + classifier fallback)
  • Map strength values to explicit imperative tiers in the transformation layer
  • Test constraint rendering across target model families before deployment
  • Implement conditional JSON injection to manage context window usage
  • Log drift events and adversarial inputs to refine keyword lexicons
  • Set up MCP server registration for agent-based discovery and dynamic loading

Decision Matrix

Scenario Recommended Approach Why Cost Impact
Short-turn novelty bot (<5 turns) Traditional system prompt Constraint overhead outweighs consistency benefit Low
Long-form interactive fiction / NPC Input-gated constraint engine Prevents turn 8-12 drift without retraining $1/call + ~700 tokens
Multi-agent orchestration MCP-integrated constraint server Enables dynamic persona resolution and token optimization Moderate infrastructure
Highly regulated customer support Fine-tuning + input gating Combines domain accuracy with behavioral boundaries High training cost + API fees
Rapid prototyping / MVP Paste JSON into system prompt Fastest validation path before building harness Low

Configuration Template

{
  "persona_definition": {
    "identity_channel": {
      "anchor": "role_anchored",
      "strength": 3,
      "threat_trigger": "competence_questioning"
    },
    "value_channel": {
      "priority": "protective_guardian",
      "strength": 4,
      "threat_trigger": "endangerment_reference"
    },
    "blocked_channel": {
      "type": "sealed_past",
      "strength": 5,
      "violation_response": "subject_redirect_and_curt_response"
    },
    "social_channel": {
      "default_stance": "defensive",
      "trust_mechanism": "action_verified",
      "shift_condition": "proven_reliability_over_time"
    },
    "custom_triggers": ["war", "daughter", "loss", "past", "regret"]
  },
  "runtime_config": {
    "injection_threshold_turn": 5,
    "classifier_fallback_enabled": true,
    "context_compression": true,
    "mcp_server_id": "io.github.kiro0x/five-mcp"
  }
}

Quick Start Guide

  1. Install the MCP client: Configure your agent framework or IDE to recognize the constraint server. Add the server endpoint to your MCP configuration file with the required API key.
  2. Define your persona: Answer the four cognitive questions (identity, value, blocked, social) and assign strength values. Submit the payload to the constraint generation endpoint.
  3. Retrieve and validate: Receive the JSON constraint payload. Validate it against the schema and test rendering in your target LLM's system prompt.
  4. Deploy the harness: Integrate the input transformation layer into your message pipeline. Route all user inputs through the gate before forwarding to the generation model.
  5. Monitor and iterate: Track consistency metrics across conversation turns. Adjust strength values and keyword lexicons based on drift logs and adversarial input patterns.