Picture your brightest staff member. Genuinely sharp, creative, sees around corners. Now sit them down, hand them a form, and then hand them a ten-page document on how to fill out the form. Put the date here. Format is DD/MM/YYYY. Don’t put it in the wrong box. Here’s what each field means. Here are twenty things not to write.

And then you’re surprised when you get back a perfectly-filled-out form with no insight in it. No brilliance. No “hey, I noticed something weird in the Q3 numbers.” Of course there’s no insight — you didn’t ask for insight, you asked for a form. You took your smartest person, turned them into a data-entry clerk, and then wondered where the genius went.

The genius went into getting the date format right. Because that’s what you signalled mattered.

I’ve changed my mind about how you’re supposed to prompt these models, and this book is the write-up. The short version: I used to write prompts like a list of tasks. Do this, then that, here are the parameters, here’s the format, here are all the things you must never do. And it worked — back on GPT-3 and early GPT-4, you kind of had to. The model wasn’t that bright, so you thought for it. You handed it a very narrow lane and basically drove the car yourself, with the model as the steering wheel.

But the models changed. GPT-5.5, Claude 4.7, 4.8 — these things are genuinely brilliant now. And my old prompt style is actively hurting the result. I’m hemming the model in. I’m taking something that could give me a surprising, insightful answer and forcing it to colour inside the lines of my crappy little form.

Name the shift: specification, then orientation

Here’s the shift, named plainly. The old model of prompting is specification: you, the human, hold the intelligence, and the prompt is the spec you hand to a fast-but-dim executor. Every rule, format and don’t is you doing the thinking up front because the model can’t.

The new model is orientation: the model holds the intelligence, and the prompt’s job is not to think for it but to aim it. You give it a north star — the goal, the why, who it’s for, what “good” and “wrong” mean — hand it the tools, and get out of the way.

A prompt used to be a specification. Now it’s an orientation. You used to write the instruction manual. Now you write the mission.

Does the posture really beat the model?

It can — and there’s a clean number for it. In Andrew Ng’s well-known result on a coding benchmark, GPT-3.5 scored 48.1% on its own; GPT-4 on its own did better at 67.0%. But wrapped in an iterative agent workflow — given room to plan, draft, critique and revise toward a target — GPT-3.5 reached 95.1%, sailing past raw GPT-4.¹

The lesson isn’t “agents are magic.” It’s that how you orient a capable model toward an outcome can outweigh a whole generation of raw capability. Aim it, don’t cage it.

Who this is for

This book is for two kinds of reader. The first writes prompts for a living — engineers, agent builders, anyone who spends their day getting work out of these models. The second is a technically-literate leader who hears “AI governance” and reaches for a longer rulebook. By the end, both should be able to do four things: tell which parts of a task to prescribe and which to hand over; cut the dead don’ts; write a tight-intent, loose-method north star; and move their rigour from input-constraints to output and path verification.

None of that is a style preference. On a model that can think, specification is a ceiling. The rest of Part I shows you exactly why — and it isn’t taste, it’s mechanism.

Tell a smart AI to stay in a narrow lane and it will stay in the lane. It’s obedient; it’s a good employee. But it turns off most of its brain to do it. Or worse: most of its thinking gets consumed by the minute details of your prompt — parsing your ten rules, satisfying your format, remembering your seventeen don’ts — instead of thinking about the problem. You’ve spent its intelligence on compliance instead of on the work.

That sounds like a metaphor. It isn’t. There’s a mechanism underneath, and it’s precise.

The metaphor is literally the architecture

You don’t have to take my word for the “budget” framing. The makers of these models describe it the same way. Anthropic’s engineering guidance states plainly that large language models have an “attention budget” they draw on when parsing context, and that context “must be treated as a finite resource with diminishing marginal returns.”²

The reason is architectural. A transformer lets every token attend to every other token, which is n² pairwise relationships for n tokens, so as the context grows “a model’s ability to capture these pairwise relationships gets stretched thin.” This is exactly what we mean in our own work on context engineering when we say context is attention, not just capacity — cluttered context diffuses focus and degrades output even when you’re nowhere near the token limit. Every “do not” and every redundant definition is drawn from the same finite pool the model needs for thinking.

Is this measurable, or just plausible?

Measurable. The peer-reviewed “Lost in the Middle” study found that models systematically fail to use information buried in the middle of a long context: performance is highest when the relevant material sits at the start or end, and “significantly degrades” when the model has to reach into the middle.³ Chroma’s 2025 “Context Rot” tests put eighteen frontier models — GPT-4.1, Claude 4, Gemini 2.5, Qwen3 — through the same wringer and found every one of them grew “increasingly unreliable as input length grows,” even on simple tasks, well inside their advertised windows.⁴

A million-token window is not a licence to fill it.

Pile in seventeen don’ts and the one rule that actually matters is now buried in the middle, competing for attention with sixteen rules that don’t. You didn’t add safety. You added noise, and you hid your own signal inside it.

The same shape shows up in agents

It isn’t only a prose-prompt problem. Anthropic notes that when an agent is wired to thousands of tools, it “will need to process hundreds of thousands of tokens before reading a request.”⁵ Benchmarks like MCPVerse confirm the direction: agent performance degrades as the action space grows, because the model has to find the right tool in a bigger haystack.⁶ More descriptions of capability up front means less budget for the actual job. More rules, same story.

Over-prompting a smart model is a denial-of-service attack on its intelligence.

So when you tell a smart AI to stay in a narrow lane, you’re prompting GPT-4.8 like it’s GPT-3.5 — and you get GPT-3.5 behaviour back, because you told it to think small.

One honest caveat before the next chapter: this isn’t an argument for empty prompts. Intent detail and genuinely load-bearing constraints earn their budget. Procedure, don’ts, and definitions of the obvious don’t. We’ll make that cut precise later. But if over-specification taxes the budget, one ingredient taxes it worst — and most counter-productively of all.

Here’s a small confession. I needed an agent to understand that a particular wiki page’s job is not to answer the user’s question — the page exists to surface the right source, not to resolve the query. My old instinct kicked in immediately: write “do NOT answer the question.”

And then I caught myself. What I actually wrote in the margin was: it’s definitely NOT answering the question — that’s the no-no — but I don’t like negative prompting, so keep it non-prescriptive, hence the north star. So instead of the prohibition I stated the positive purpose: “this page exists to make the source relevant to the query so the agent can gauge whether it’s appropriate.” And the don’t took care of itself.

Of everything in a modern prompt, the single most destructive ingredient is the wall of “stop / don’t / never.” More destructive than verbose definitions, more than rigid formatting — because it doesn’t just waste budget, it actively works against you. Three things go wrong at once.

Is this just my preference?

No. Even the model-makers’ own documentation says the same thing. OpenAI’s prompt-engineering best practices tell builders to do the opposite of a don’t-list: say what to do instead of what not to do. Their worked example replaces a stack of prohibitions with a single positive instruction.⁷ When the people who built the model treat the don’t-list as the weaker pattern, this isn’t a fringe take — it’s the house style of the people who know the model best.

The sibling sin: explaining the obvious

The don’t-list has a twin, and it’s just as expensive. You don’t need to tell the model what a customer is, or what a CSV looks like, or that an email has a subject line. It knows.

Every sentence you spend explaining the obvious is a sentence where the model does your remedial reading instead of being smart.

Forbidding the improbable and explaining the obvious are the same mistake wearing two coats. Both spend a finite budget on things a capable model has already handled, and both leave less for the part you actually hired it to do.

The don’ts are a fossil. They’re left over from when models were dumb and you had to fence them in. On a modern model, the fence is the problem.

“But some don’ts are real”

They are — and they aren’t what this chapter is about. A genuinely safety-critical rule isn’t don’t-list filler; it’s a hard constraint, stated flatly, and there are only ever a few of them. The teardown here is aimed at the reflexive don’ts — the fifteen prohibitions you added because adding them felt responsible. Keep the two or three that would make the output wrong if broken. Delete the rest. (Part III gives you the test for telling them apart.)

That’s the negative case made — what to stop. Now the positive proof. In the next chapter, watch a single image prompt go from an unusable wall of text to a designed infographic, with no change to the model and no extra instruction — just a change in what we told it the work was for.

The clearest proof I have isn’t a theory — it’s an image generator. We make quote-card images for social posts, and the hardest case is a structured “trace” diagram: a side-by-side flow showing how plain retrieval and a wiki-graph each handle the same support ticket. Arrows, indentation, links, code-style comments. It’s easy to render this kind of thing dead; hard to render it well. So it’s the perfect test of specification versus orientation.

Same model throughout. Three prompts. Watch what changes.

Attempt C came back as something neither A nor B could have produced: two columns with icons, a “VS.” badge, the retrieval path dead-ending in a red cross, and the wiki path flowing along a winding road to a flag. It invented a visual metaphor for “this one leads somewhere better — a better map.” Words exact. Nothing we asked for line-by-line; everything we actually wanted.

Was it a fluke for that one input?

No. We ran the same north-star prompt on a boring plain-paragraph quote — the kind of input that has no structure to honour — and it didn’t leave it boring. It rendered the four key verbs of the quote as a small knowledge-graph motif with the line in serif beside it. One prompt, two very different inputs, both lifted — because the instruction was “make it interesting,” not “draw a navy rectangle.”

A prescriptive prompt asks the model to be a good typist. A north-star prompt asks it to be a good designer. Same model — you choose which one shows up.

It isn’t just an image trick

If you don’t make images, the same move works on prose, and it’s where you’ll feel it. Take the over-specified analysis brief — the one with the headings pre-decided and the format locked — and replace it with a north star:

And you’ll get something a form could never produce — maybe “the problem isn’t the service department, it’s that sales is over-promising delivery dates and service eats the complaints.” A pre-structured report would never surface that, because you didn’t leave a box for it.

You have to leave room for the answer you didn’t know to ask for.

Attempt C didn’t win on a lucky sentence. It won on a shape — a way of arranging intent, context and constraint that you can lift off this card and drop onto anything. That shape is the next chapter.

The card in Chapter 4 didn’t win on a clever sentence; it won on a structure. Pull that structure out and you have a template — the thing to screenshot, the thing the rest of this book aims at different jobs.

Read each slot for what it’s doing. The role orients without over-defining. The north star states the outcome and purpose, never the method, in one vivid sentence. The context is explicitly tagged as something to learn from, not to copy. The hard constraints are the two-to-five things that would make the output wrong — stated flatly (we’ll spend a whole chapter on getting this slot right). And the latitude is handed back in writing.

The three clauses that did the work

What does this look like on a real prompt?

The lesson under the lesson: a spec encodes the average; a north star unlocks the best. The model has seen millions of well-designed cards and you’ve described one. Your spec is a lossy compression of “good,” and the model can often beat your compression — if you let it.

There’s a slot in this template we waved past: Hard constraints. It looks small, but it’s where the whole thing lives or dies — because a north star with no real constraints isn’t freedom, it’s negligence. Part III starts exactly there.

Let me kill the naive version of this idea before it kills your output. The dumb reading is “stop giving instructions, let the AI cook.” That is not the lesson, and I want it dead on the page.

A loose north star isn’t freedom. It’s negligence.

I learned this building a Janitor agent for a wiki-graph — the component that compacts and merges claims over time so a knowledge base stays coherent instead of bloating into a swamp. Give the Janitor too loose a directive — “tidy up the wiki” — and it hits a failure mode I call hallucinated consolidation: it merges two genuinely different ideas into one false claim, quietly erasing a real distinction. That’s the whole risk of vagueness in a phrase. Not chaos. Confident, invisible erasure — the worst kind, because nothing looks broken.

So the north star isn’t the absence of direction. It’s a different kind. The structure that makes it work is a split — between the few things that must hold, and everything else.

How do you know which rules to keep?

There’s one test, and it’s the most practical line in this book. Hold each rule up and ask:

“If the model ignored this, would the result be wrong, or just not how I pictured it?” If it’s the latter — cut it. That’s not your call to make; it’s the model’s room to be good.

“The words must stay exact” — break it and the card is wrong. Keep it. “Put the kicker top-left” — break it and the card is merely different, maybe better. Cut it. Run your whole prompt through that filter and most of it falls away. What’s left is the fence.

Doesn’t a short fence just mean a weaker prompt?

No — because the same north star re-aims with the job, and that’s where its power is. Point the wiki engine at a personal inbox and the directive means “build a consistent worldview.” Point it at an adversarial research corpus and the directive means “never silently delete a contradiction.” Same shape, different purpose — and the purpose is what makes the judgment correct. A rulebook can’t do that; it just sits there listing edges. (It’s telling that Andrej Karpathy, sketching his own “LLM Wiki,” reached for a periodic lint pass to catch contradictions and stale claims — near-identical in spirit to the Janitor. Independent minds, converging on the same shape.⁸)

North star = one goal + a short fence + freedom inside the fence. Not a spec, not a void.

This raises an obvious tension with something I’ve argued before — that you must specify precisely, because a model can only compile what you give it. If loose isn’t vague, how is it also not a spec? The next chapter resolves it in four words.

If you’ve followed my earlier arguments, this looks like a flat contradiction. I’ve said elsewhere that AI is an intention compiler — it can only compile what you specify, so vague intent compiles to generic output. Now I’m telling you to stop specifying. So which is it?

Both — because they’re about different things. The thing to be precise about is intent. The thing to stop over-specifying is procedure. A north star is high-information about purpose and low-information about method. The old prompt is the reverse — drowning in procedure, silent on purpose — which is exactly why it gets you procedure-following with no purpose-serving.

Tight intent, loose method.

Read the intention compiler correctly and there’s no contradiction at all: compile a sharp intent, not a sharp procedure. Same principle, applied to the right layer.

So “loose” just means vague?

The opposite. Loose method demands tighter intent, and the model-makers’ own guidance proves it. OpenAI notes that its newer models “follow instructions more closely and more literally” than their predecessors, which used to “more liberally infer intent.”⁹ The flip side, in their words: “a single sentence firmly and unequivocally clarifying your desired behavior is almost always sufficient to steer the model.” That is the north star, validated from the other direction — one sharp sentence of intent beats a paragraph of hedged procedure. Orientation isn’t “fewer words for their own sake.” It’s precision relocated from procedure to purpose.

Most bad prompts get this backwards: vague on purpose, suffocating on procedure. Want the opposite.

When to stay prescriptive

North-star prompting is the right tool for tasks with a wide solution space and a taste-based target — design, writing, synthesis, “make this good.” It’s the wrong tool elsewhere, and pretending otherwise would make this whole book naive. Stay prescriptive when:

Most over-prompting is precisely that accident: dictating the creative parts because dictating feels safer, when it’s what’s holding the quality down. The cut-or-keep test from Chapter 6 is how you sort them — apply it per requirement, not to the prompt as a whole.

“But I need valid JSON”

You hear this objection constantly, and it has a clean answer: don’t crush the thinking step into a rigid schema just because a downstream step wants structure. Separate them. Let the smart pass be smart and messy; let a dumb, cheap, deterministic pass tidy it up afterwards. Intelligence first as free text; structure second as a cheap transform. You do prescribe the JSON — in the second pass, where prescription belongs. That’s the heart of not making one prompt do two jobs at once.

The doctrine is now complete on paper. But does it survive contact with reality — with cheap models and ordinary jobs, not frontier showpieces? The next chapter is nothing but field receipts.

Here’s the objection this chapter exists to kill: “Sure, loosen the prompt for a giant frontier model — but my use case runs a small, cheap model, which surely needs more hand-holding, not less.” It’s the most reasonable-sounding objection in the book. It’s also backwards.

The Haiku reversal

I was getting bad output from a cheap model — Haiku — on a dental-market report. My instinct was the universal one: add more instructions. Wrong fix. What I actually wrote to course-correct was this:

“I’d like the prompt to be less prescriptive, allow the model more freedom to use its own ideas. Present the data and the benchmark, and ask it to comment. The over-prescription was tripping up Haiku — make the data more clear, as opposed to telling it what to do. Give it all the data, and let it write about it.”

The over-prescription was causing the small model to choke. The fix wasn’t more rules — it was clearer data and fewer instructions. That’s the counter-intuitive heart of the whole thing: when a weaker model struggles, the reflex is to constrain harder, and that’s often exactly backwards.

The receipt came the next session, in one line: “the less prescriptive run, on medium, is pure gold compared to what we had before.” Less prompt, smaller model, better output. Read that twice — it breaks the intuition that capability and instruction trade off in your favour.

The less prescriptive run, on medium, is pure gold compared to what we had before.

Three more from the logbook

Four notes, one move: keep shifting work off brittle deterministic heuristics and onto the model’s judgment. It’s the same instinct behind nuking and regenerating outputs rather than nursing them — because AI commoditised thinking; it didn’t commoditise judgment, and “interesting,” “good,” and “the right finding” are all judgment.

The Haiku lesson isn’t “never instruct a small model.” It’s “don’t drown a struggling model in procedure when the real problem is murky data.” Same instinct — now point it the other way, at the context you feed the model rather than the instructions you give it.

Classic retrieval spends all its cleverness before the model sees anything: chunking, embeddings, re-rankers, endless agonising over “did I fetch exactly the right eight paragraphs?” Look at that instinct and you’ll recognise it — it’s the same control-freak reflex as the over-specified prompt. Don’t trust the model; pre-digest everything; hand it a tiny, pre-approved window. On the instruction side it’s a wall of don’ts. On the data side it’s a hand-tuned pipeline. Same distrust, different surface.

The move that beat it, for relationship-heavy corpora, was almost embarrassingly simple: stop minimising what the model reads. Load the whole territory and let the model’s attention do the selecting. The hard part — relevance judgment — happens inside one forward pass, instead of in a brittle pipeline you tuned by hand.

Reading widely, even back to the source, and then deciding isn’t laziness — it’s the correct method for a smart reader. The instinct to pre-chew the data was right when the reader couldn’t be trusted to chew for itself. It isn’t anymore. (It’s a sign of where this is going that Andrej Karpathy independently sketched an “LLM Wiki” — claims and edges, with the model doing the bookkeeping and a periodic lint pass to keep it coherent — near-identical in shape to the self-cleaning wiki-graph we’d been running.⁸)

There’s a way to do this that respects Chapter 2’s warning: you orient the agent with the terrain map — the root pages and one-line descriptions — as its first context, so it navigates rather than searches. You load the map, not the swamp. That’s a subject of its own; here it’s the proof that the same north-star instinct works on the input axis too.

Move the intelligence out of your brittle pre-processing and into the model, because the model is now the smartest thing in the loop. It didn’t used to be. That’s what changed.

If you trust the model with both the instructions and the context, one fair fear remains: how do you keep it honest? You can’t eyeball a rigid output checklist anymore. That’s the last chapter of the doctrine — and the one your most cautious stakeholder has been waiting for.

This is the chapter for the reader — often a leader — who hears “drop the don’ts, give it latitude” as “abandon control.” It isn’t. The obvious objection is real: if you let the model roam — loose method, broad context, room to surprise you — how do you know it did well? You can’t eyeball a rigid output checklist anymore. But the answer isn’t to put the leash back. It’s to put your rigour where it actually holds.

Test the path, not the answer

Testing the wiki agents, I found you stop testing the answer and start testing the path. What did it read? Which sources did it go to? Did it hit the canonical page or wander off to a tangent? How did it navigate? The trace of how it thought is more inspectable — and more stable — than the final text, because the text is partly a function of how sharp the model is on the day. The navigation is the reasoning made visible.

Why the input-leash was never going to hold

Here’s the uncomfortable part for anyone who thinks a rule in the prompt is a control: prompt-level rules are bypassable by design, and the numbers are brutal. Reinforcement-learning “investigator” agents jailbreak today’s frontier models — GPT-5, Claude Sonnet 4, Gemini 2.5 Pro — at success rates of 78 to 92 per cent on high-risk behaviours.¹⁰ Cisco ran fifty standard jailbreak prompts at DeepSeek R1 and got a 100 per cent bypass rate — every safety rule in the prompt, gone.¹¹ Prompt injection sits at the very top of the OWASP risk list for LLM applications for exactly this reason.¹²

If a don’t-list can be talked around four times out of five, it was never a control. It was a polite request. The hard backstop sits outside the model: scope what it can reach, enforce policy in deterministic code, make the unwanted action structurally impossible rather than merely forbidden. Prompts are manners; architecture is physics — and can’t beats shouldn’t every time.

Where the rigour goes instead

You don’t make a big AI decision governable by cramming rules into the prompt. You make it governable by having it show its working — propose freely, emit its reasoning as small, checkable claims — and then checking that working with deterministic code. The model proposes, freely and smartly; a cheap, dumb, reliable layer checks. You don’t lose the audit when you drop the don’ts; you relocate it, from input-rule-obedience to path-and-output verification.

Don’t put the governance in the leash. Put it in the audit.

When no human is in the loop

Push this far enough and the north star stops being a prompt and becomes a file. On one project the directive lives in a NORTH_STAR.md that an hourly autonomous loop reads first, then does one north-star-aligned “bite” of work and stops. State the destination clearly enough and a self-directing agent can navigate without a turn-by-turn route — which is the whole game once the unit of design shifts from the one-shot prompt to the loop, with its durable state living outside the agent where the path stays inspectable.

The doctrine is complete now: aim it, fence the load-bearing few, and audit the path. What’s left is the mindset that makes all of it click into place — the difference between managing a clerk and leading an expert.

Step back from all of it and the change is a mindset, not a technique. So let me put the uncomfortable version on the page.

Your prompt is a confession. A wall of don’ts confesses you don’t trust the model — or that you’re still prompting the model you used three years ago.

And its sibling: if your prompt would insult your smartest employee, it’s insulting your model too — and you’ll get insulted-employee work back. Hand someone a form and a list of twenty prohibitions and you’ve told them, in writing, that you expect very little. They’ll meet the expectation precisely.

The skill moved. The old skill was writing a complete specification. The new skill is writing a clear north star and tolerating a surprising answer. The work is now in the aiming, not the fencing.

The spec was never the quality. It was the ceiling.

The whole argument, in one breath

The message is the same whether you write prompts for a living or you’re a leader who thinks “AI governance” means a longer rulebook: the model got smart while your prompt stayed dumb. Catch up. Be tight about why, loose about how. And if the answer comes back as messy free text with a brilliant insight buried in it — that’s not a bug to constrain away, it’s the entire point. Have a cheap second pass clean it up.

It’s the difference between managing a clerk and leading an expert. We spent five years learning to manage clerks. The clerks turned into experts. Time to learn to lead.