Control tokens are special markers used to separate roles, sequence boundaries, or formatting instructions in LLM context. They help the model parse conversation structure, but they also become security-sensitive when attackers can imitate, spoof, or reuse them to shift perceived authority.
Expanded Definition
Control tokens are context markers that help an LLM distinguish roles, boundaries, and instructions inside a prompt or conversation state. In practice, they act less like content and more like parsing signals, which is why they matter in agentic workflows, prompt assembly, and chat orchestration. Their security significance grows when a model or surrounding application treats a token as authoritative without validating its provenance, scope, or placement.
Definitions vary across vendors, because some systems reserve the phrase for formatting markers while others extend it to any instruction-like delimiter embedded in context. In NHI security, the useful distinction is whether the marker only structures input or whether it can also influence execution, tool use, or policy interpretation. That boundary is explored in NHI guidance such as the Guide to the Secret Sprawl Challenge, where exposed context artifacts often become operationally sensitive. The closest standards-language analogue is NIST Cybersecurity Framework 2.0, which emphasises protecting data, access paths, and trust boundaries rather than assuming text is harmless by default.
The most common misapplication is treating control tokens as inert formatting, which occurs when developers allow user-supplied text to mimic system or role delimiters inside the same prompt stream.
Examples and Use Cases
Implementing control tokens rigorously often introduces prompt-composition overhead, requiring organisations to balance cleaner model parsing against stricter validation, sanitisation, and testing.
- An agent framework inserts role markers to keep system instructions separate from user messages, reducing accidental instruction bleed.
- A customer-support chatbot uses boundary tokens to distinguish ticket metadata from free-text conversation, so retrieval and routing logic stay predictable.
- A workflow agent receives tool directives wrapped in control tokens, but the application validates that only trusted orchestration code can generate them.
- Security teams review prompts for token spoofing attempts after incidents similar to the Salesloft OAuth token breach, where credential misuse showed how quickly trust assumptions can collapse.
- Prompt templates are tested against delimiter injection patterns so a user cannot imitate a system token and escalate perceived authority inside the conversation.
For deployment context, NIST guidance on boundary protection in NIST Cybersecurity Framework 2.0 supports the same operational habit: separate trusted control signals from untrusted input. NHIMG research on the JetBrains GitHub plugin token exposure also illustrates how quickly tokens become risky once they leave intended boundaries.
Why It Matters in NHI Security
Control tokens become NHI security issues because they can shape how an agent interprets authority, routes actions, or formats output. If an attacker can spoof a token, they may not need to break cryptography to create a trust failure. They only need the model or orchestration layer to misread their text as privileged structure. That is why control-token hygiene belongs alongside secret handling, policy enforcement, and prompt isolation.
NHIMG research shows how often token exposure becomes real-world risk. In the 2025 State of NHIs and Secrets in Cybersecurity, Entro Security reported that 44% of NHI tokens are exposed in the wild, often in collaboration tools, issue trackers, and code commits. That pattern matters here because exposed control artifacts can be reused, imitated, or embedded into malicious prompts. The same lesson appears across breach reporting such as the Dropbox Sign breach, where identity material and trust boundaries became part of the attack surface.
Organisations typically encounter control-token risk only after an agent misroutes a request, leaks context, or executes an unintended action, at which point the token boundary becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers prompt and context manipulation risks that let attackers spoof control markers. |
| OWASP Agentic AI Top 10 | A2 | Addresses prompt injection and instruction hierarchy failures in agentic systems. |
| NIST CSF 2.0 | PR.DS | Protects data and contextual integrity across systems and processing paths. |
Treat control tokens as trusted structure only if generated and validated by the orchestration layer.