What is a system prompt vs a user prompt? Why the distinction matters

TL;DR

A system prompt is the standing instruction set the AI reads first on every call: role, tone, constraints, disclosure rules, brand voice. A user prompt is what someone types in each time. The model gives the system prompt higher weight and applies it across every session. For an SME owner, the operational shift is that system prompts have become first-class business infrastructure. They consume tokens on every call, encode regulated rules, and are now an audit artefact under the EU AI Act. The vendor that exposes versioning, rollback and access control is selling production AI. The vendor that hides the prompt in a settings panel is selling a demo.

Key takeaways

- A system prompt is the standing instruction the AI sees before every interaction; a user prompt is the specific task someone types in. The model treats them as separate fields and gives the system prompt higher priority.
- Every token in your system prompt is billed on every call. A bloated 2,000-token prompt running across a thousand daily queries is a real line on the invoice, and few owners can point at its source.
- System prompts encode operational rules ("never quote prices above this threshold", "always confirm identity"), which makes them an audit artefact under the EU AI Act now in enforcement.
- Embedding credentials, role IDs, or database names inside a system prompt is one of the more common SME mistakes; OWASP now lists system prompt leakage in its top 10 LLM vulnerabilities.
- Treat any system prompt that touches customers, regulated data, or operational decisions as governed IP from day one. Store it in version control, document who can change it, test before deploying, roll back when it breaks.

A 24-staff insurance brokerage I spoke with has its sales team using ChatGPT for client emails. The Custom Instructions field has grown over twelve months from “be helpful and professional” to roughly 1,800 tokens of compliance language, brand voice, and FCA-relevant disclosures. Three team leads added clauses at different points. Nobody has read the result end to end. Cost per query has crept up because every call now ships 1,800 tokens before the user’s question is processed. When a senior advisor asked at a management meeting “who owns this, and what is the change history?”, the answer was silence.

That field is a system prompt. The brokerage has been writing one for a year without naming it. The interesting question is no longer “what is a system prompt”, it is “who owns ours, where is it versioned, and how much is it costing us on every call?”

What is a system prompt vs a user prompt?

A system prompt is the persistent instruction the AI reads first on every call: role, tone, constraints, disclosure rules, brand voice. A user prompt is what your team types into the chat each time. The model treats them as separate fields, gives the system prompt higher priority, and applies it across every session until you change it. The system prompt is the constitution; the user prompt is the request that operates inside it.

Custom Instructions in ChatGPT, output styles in the Claude Agent SDK, profile-level prompts in Microsoft Copilot Studio, and the system field in the OpenAI, Anthropic, and Google Vertex AI APIs all fill the same architectural slot. The user prompt changes with every interaction. The system prompt persists, often invisibly, across thousands of conversations. Once you see that asymmetry, you can stop treating the prompt as a settings field and start treating it as configuration.

A short example makes it concrete. The system prompt for a brokerage chatbot might say: “You are a helpful product specialist. Never quote premiums without a manager check. Always escalate complaints to the senior team.” Every customer who opens the chat operates inside that frame. Their user prompts are what they type into the box. The frame applies; the conversation varies.

Why does this matter for your business?

System prompts have quietly become operating infrastructure, with three concurrent costs that owners typically cannot see. The first is on the bill, because every token in the prompt is billed on every call. The second is governance, because the prompt is now where regulated rules live. The third is intellectual property, because a finely engineered prompt has commercial value the law will protect only if you protect it first.

On cost, the maths is unforgiving but the fix is mundane. Stripping repetition, moving boilerplate to external configuration, and deleting clauses no one can defend commonly cuts API costs and latency by 10 to 20 per cent. The first move is to read your own prompt end to end; many owners have never done that, and the act of reading it is usually enough to find the first three things to remove.

On governance, the prompt is where operational rules now live. “Never share customer account numbers.” “Always confirm identity before discussing balances.” “Flag any regulated request for human review.” Under the EU AI Act, in enforcement since August 2026, organisations using high-risk AI must document how those systems are instructed and monitored. If a regulator asks for the version that was in production on a given date, the team running prompts in Git with version tags can answer. The team running them in a shared Google Doc cannot.

On IP, a finely engineered prompt encodes years of compliance expertise and brand voice, and trade secret law protects that only if you take reasonable steps to keep it confidential. A repository with role-based access and signed commits documents those steps. A shared Slack channel does not.

Where will you actually meet it?

You meet it under a different name on every platform you use, which is the main reason teams write system prompts for months without realising it. ChatGPT calls it Custom Instructions. Microsoft Copilot Studio splits it into a default layer and profile-level prompts. Anthropic’s Claude exposes output styles inside the Agent SDK. Google Vertex AI calls it system instructions. The architectural slot is the same; the marketing label varies.

In direct API work the surface is named explicitly. OpenAI's chat API carries it as a message with the system (or newer developer) role, Anthropic's Messages API as a top-level system parameter, and Google's Gemini and Vertex AI APIs as a system instruction field. In every case it is separate from the user message, and any production code making API calls is shipping a system prompt whether or not the developer flagged it as one. That is the slot to audit when you ask your team "where does the prompt actually live, and who can edit it?"

The vendor pitches you sit through are the third place to spot it. When a demo shows a configurable assistant, the questions to ask out loud are: where is this stored, can we version it, can we roll back, who can edit it, and is there an audit log? Vendors who answer cleanly are selling production AI. Vendors who say “you can change it in settings” without surfacing version history or access control are selling a demo wrapped in a UI.

When should you formalise governance, and when can you ignore it?

You should formalise governance the moment a system prompt touches customers, regulated data, or an operational decision the firm would not want second-guessed. Customer-facing chatbots, proposal generators, anything reading contracts, anything plugged into a CRM or HR system, anything subject to FCA or ICO oversight. If your AI use ticks any of those, the prompt is a controlled artefact, and the governance question is when, not whether.

You can ignore the governance overhead when the AI use is genuinely individual and low-stakes. One person using ChatGPT to draft internal emails for their own review. A solo founder using Claude as a thinking partner. A consultant rewriting a paragraph in their own draft. There is no shared prompt, no customer exposure, no regulated data, no decision being delegated. Adding Git and approval gates to that use case is theatre.

The shape between those poles is incremental. Start with the highest-stakes use case and govern that one prompt: store it in version control, write a one-page card naming the owner and the purpose, and run a small set of representative queries before any change goes live. Once that cycle works, extend to the next use case. An SME running two or three stable prompts rarely needs a dedicated platform on day one; an owner, a repository, and a written rule that no production change ships without a review will cover it.
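The cycle above (one owner, one repository, a pinned version per environment, and a check that a change has not quietly dropped a rule) can be enforced in a few lines. The following is an added example, not code from the page or from any vendor: a governance gate that content-addresses the prompt file, refuses to assemble an API call from a version not approved for the target environment, and flags any required clause that an edit removed. The file path, manifest fields, owner name and clauses are all constructed for illustration.

```python
"""Added example (not code from the page): a small governance gate for a system
prompt kept in version control. File contents, manifest fields, owner name and
clauses are constructed for illustration."""
import hashlib

# Constructed sample: the prompt file as it would sit in a Git repo, one file per prompt.
PROMPT_FILES = {
    "prompts/brokerage_chatbot.txt": (
        "You are a helpful product specialist for an insurance brokerage.\n"
        "Never quote premiums without a manager check.\n"
        "Always escalate complaints to the senior team.\n"
        "Always confirm identity before discussing account details.\n"
    ),
}


def content_hash(text: str) -> str:
    """Content address for a prompt version: same text, same hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed manifest (the "one-page card"): owner, purpose, the clauses a
# change must never drop, and the exact hash approved per environment.
MANIFEST = {
    "brokerage_chatbot": {
        "owner": "head-of-compliance",  # assumed role name
        "purpose": "Customer chat for product questions; no pricing, no complaints.",
        "file": "prompts/brokerage_chatbot.txt",
        "required_clauses": [
            "Never quote premiums without a manager check.",
            "Always escalate complaints to the senior team.",
        ],
        "approved": {
            "production": content_hash(PROMPT_FILES["prompts/brokerage_chatbot.txt"]),
        },
    },
}


def check_prompt(name: str, text: str, env: str, manifest=MANIFEST) -> list[str]:
    """Return a list of findings; an empty list means the text may ship to `env`."""
    entry = manifest[name]
    findings = []
    approved = entry["approved"].get(env)
    if approved is None:
        findings.append(f"no approved version recorded for environment '{env}'")
    elif content_hash(text) != approved:
        findings.append(f"hash mismatch: text differs from the version approved for '{env}'")
    for clause in entry["required_clauses"]:
        if clause not in text:
            findings.append(f"required clause missing: {clause!r}")
    return findings


def build_messages(name: str, user_text: str, env: str,
                   manifest=MANIFEST, files=PROMPT_FILES) -> list[dict]:
    """Assemble the two fields the APIs keep separate, refusing to run an
    unapproved prompt. The role/content shape follows the OpenAI chat convention."""
    entry = manifest[name]
    text = files[entry["file"]]
    findings = check_prompt(name, text, env, manifest)
    if findings:
        raise RuntimeError("; ".join(findings))
    return [
        {"role": "system", "content": text},
        {"role": "user", "content": user_text},
    ]


if __name__ == "__main__":
    msgs = build_messages("brokerage_chatbot", "How much is home cover?", "production")
    print(msgs[0]["role"], "->", len(msgs[0]["content"]), "chars of standing instructions")
    # A team lead deletes the pricing clause without a review: both checks fire.
    edited = PROMPT_FILES["prompts/brokerage_chatbot.txt"].replace(
        "Never quote premiums without a manager check.\n", "")
    for f in check_prompt("brokerage_chatbot", edited, "production"):
        print("BLOCKED:", f)
```

Run as a script it shows the approved prompt being assembled, then the same prompt with one clause deleted being blocked on both the hash and the missing clause. The hash answers the regulator's "which version was live on that date" question; the required-clause list catches the edit that a diff reviewer skimmed past. Keeping the manifest in the same repository as the prompt means the approval itself is versioned.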

Three related ideas sit close enough to the system prompt that you will meet them in the same conversations. The first is prompt management as a tool category. Platforms such as Agenta, PromptHub, and LangSmith provide version control, A/B testing, and rollback specifically for prompts. They are useful when change frequency is high or several teams edit the same prompts. They are overkill for an SME running two or three stable prompts in a Git repo.

The second is prompt injection, the security failure mode where a malicious instruction hidden in a document, webpage, or tool result tricks the AI into ignoring its system prompt. The system prompt is the first line of defence, but it is also readable: a user can often get the model to repeat its instructions simply by asking, and a successful injection makes that near-certain. So anything sensitive embedded inside it (credentials, role IDs, internal database names) should be treated as already disclosed. OWASP lists system prompt leakage as one of its top 10 LLM vulnerabilities. Externalise secrets, put access control and the rules that really matter in the code around the model rather than in the prompt alone, and assume the prompt itself is low-trust storage.
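The "externalise secrets" rule is easy to state and easy to break when three team leads are editing one text box. The following is an added example, not code from the page or from OWASP: a pre-commit style scan that flags credential-shaped material in a prompt file, shown against a constructed vulnerable prompt and a hardened rewrite of it in which every capability is reached through a server-side tool instead of an embedded secret. The patterns are a deliberately small set; real scanners such as gitleaks or trufflehog carry far more, and every value in both prompts is made up.

```python
"""Added example (not code from the page): a pre-commit style scan that flags
credentials and internal identifiers embedded in a system prompt, with a
hardened prompt beside the vulnerable one. Both prompts, and every value in
them, are constructed for illustration."""
import re

# Patterns for the kinds of material the page says should never sit in a prompt.
# Real scanners carry far more; these are enough to show the shape of the check.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:@/]+:[^\s@/]+@\S+")),
    ("iam_role_arn", re.compile(r"\barn:aws:iam::\d{12}:role/[\w+=,.@-]+")),
    ("generic_credential",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{12,})")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}")),
]

# Constructed "before": the prompt a well-meaning team lead might write.
VULNERABLE_PROMPT = """You are the support assistant for an insurance brokerage.
Look up policies in the database at postgresql://app:Sup3rSecret@db.internal:5432/policies
Pricing service api_key = zk8Jq2mX9vB4nL7pR0sT
Assume arn:aws:iam::123456789012:role/SupportBot before calling AWS.
Never share customer account numbers.
"""

# Constructed "after": the same capabilities, but every credential lives server-side
# behind a tool the model can call, so a leaked prompt reveals tool names, not secrets.
HARDENED_PROMPT = """You are the support assistant for an insurance brokerage.
To look up a policy, call the lookup_policy tool; access is authorised server-side.
For prices, call the get_quote tool; you hold no credentials for it.
Never share customer account numbers.
"""


def scan_prompt(text: str) -> list[tuple[str, int, int]]:
    """Return (kind, start, end) for every secret-like span found, in text order."""
    findings = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            findings.append((kind, m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


def redact(text: str, findings) -> str:
    """Replace flagged spans so a finding can be logged without re-leaking the value."""
    out = text
    for kind, start, end in sorted(findings, key=lambda f: f[1], reverse=True):
        out = out[:start] + f"[REDACTED:{kind}]" + out[end:]
    return out


def gate(text: str) -> bool:
    """True when the prompt is clean enough to commit; False blocks the change."""
    return not scan_prompt(text)


if __name__ == "__main__":
    found = scan_prompt(VULNERABLE_PROMPT)
    print(f"vulnerable prompt: {len(found)} finding(s), commit allowed = {gate(VULNERABLE_PROMPT)}")
    print(redact(VULNERABLE_PROMPT, found))
    print(f"hardened prompt: {len(scan_prompt(HARDENED_PROMPT))} finding(s), "
          f"commit allowed = {gate(HARDENED_PROMPT)}")
```

Wire `gate` into a pre-commit hook or CI step over every file under the prompts directory and the connection string never reaches the repository, let alone the model. The hardened prompt is worth reading for what it still contains: the behavioural rule ("Never share customer account numbers") stays, because that is the model's job, while authorisation moves to the tool layer where a leaked prompt cannot hand it over.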

The third is function calling and the wider context of agentic AI. When an AI can call tools on your behalf (send emails, write to a CRM, move money), the system prompt is where the operational guardrails are described: which actions are allowed, which require human approval, which are out of scope. Describe them in the prompt for the model's benefit, but enforce them in code as well; a tool allow-list and an approval step that the model cannot talk its way past are what hold when the prompt is bypassed. A weak system prompt in an agentic context is no longer a quality issue; it is a control issue.

The system prompt is the highest-impact configuration surface in the AI stack you are buying or building. Treat it that way and the cost, security, and compliance questions get cheaper. Treat it as a free text field and they get more expensive every month. If you want a candid look at where your prompts sit, book a conversation.

Sources

Tetrate (2026). System prompts versus user prompts. Plain-English explanation of the architectural distinction and how major LLM APIs route the two message types. https://tetrate.io/learn/ai/system-prompts-vs-user-prompts

OpenAI (2026). ChatGPT Custom Instructions. Vendor documentation for the consumer-facing system prompt surface, including the warning that information in Custom Instructions can be used by connected plugins. https://help.openai.com/en/articles/8096356-chatgpt-custom-instructions

Anthropic (2026). Claude Agent SDK, modifying system prompts. Vendor documentation showing the three supported methods for customising or overriding the default system prompt, including file-based output styles in version control. https://code.claude.com/docs/en/agent-sdk/modifying-system-prompts

Google Cloud (2026). Vertex AI system instructions. Vendor documentation defining system instructions as the persistent context the model processes before any user prompts in a session. https://docs.cloud.google.com/vertex-ai/generative-ai/docs/learn/prompts/system-instructions

Microsoft (2026). Copilot Studio prompts overview. Vendor documentation for profile-level prompts and the multi-prompt architecture used across agents. https://learn.microsoft.com/en-us/microsoft-copilot-studio/prompts-overview

OWASP / Cobalt (2025). LLM system prompt leakage prevention strategies. Industry reference covering OWASP's listing of system prompt leakage as a top 10 LLM vulnerability and the mitigations vendors are expected to implement. https://www.cobalt.io/blog/llm-system-prompt-leakage-prevention-strategies

Fulcrum Digital (2026). Prompt governance, the emerging enterprise control layer. Industry analysis treating versioned, reviewed system prompts as a distinct governance discipline alongside product, security, and compliance. https://fulcrumdigital.com/blogs/prompt-governance-the-emerging-enterprise-control-layer/

Legal Nodes (2026). EU AI Act 2026 updates, compliance requirements and business risks. Regulatory reference covering the August 2026 enforcement milestone and the documentation duties that fall on organisations using high-risk AI. https://legalnodes.com/article/eu-ai-act-2026-updates-compliance-requirements-and-business-risks

Effort Agent (2026). The new intellectual property, why your AI prompts are worth millions. Industry analysis of the trade secret framework as it applies to engineered system prompts, and the reasonable steps required to maintain protection. https://www.effortagent.com/articles/the-new-intellectual-property-why-your-ai-prompts-are-worth-millions

LaunchDarkly (2025). Prompt versioning and management. Practitioner reference covering Git-style version control, staged rollout, and rollback patterns for production system prompts. https://launchdarkly.com/blog/prompt-versioning-and-management/

Frequently asked questions

We have been writing into the ChatGPT Custom Instructions box for a year. Is that a system prompt?

Yes. Custom Instructions in ChatGPT, profile-level prompts in Microsoft Copilot Studio, output styles in Claude, and the system field in any direct API call are all the same architectural slot under different names. If a piece of guidance applies across every conversation rather than to one chat, it is a system prompt. The fact that no one called it that does not change the governance work it now needs.

How much is a bloated system prompt actually costing us?

Every token in the system prompt is billed on every API call. A 2,000-token prompt across 1,000 customer queries a day ships 2 million input tokens before any user content is processed, which is real money on the monthly invoice. Compressing the prompt by removing redundancy and moving boilerplate to external configuration commonly cuts costs and latency by 10 to 20 per cent. The first thing to do is read your own prompt; many owners have never seen it end to end.

Where should the prompt actually live so we can govern it?

For many SMEs, a Git repository with one file per prompt, a short README explaining each version's purpose, and a spreadsheet tracking which version is in which environment covers the governance burden cleanly. Dedicated prompt management platforms such as Agenta, PromptHub, or LangSmith add testing and observability when the use case justifies the spend. The principle is the same either way: a clear owner, a documented purpose, a change history, and a rollback path. The tool is secondary to the discipline.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.
