Every chatbot you talk to is following a script it never shows you. I read about 250 of these, leaked from twelve labs. The surprise was how much they have in common.
The files come from the open archive asgeirtj/system_prompts_leaks. A system prompt is the part of a model a lab can rewrite between releases: who the assistant is, what it refuses, how it talks, which tools it holds, what it remembers. Read in order, they turn out to disagree about far less than their reputations suggest, and the few fights that are real are not the ones you would guess. This is that story, top to bottom.
The clearest split is structural. Anthropic ships one enormous monolith. Claude Sonnet 4.6's claude.ai prompt runs about 252 KB (33,800 words) because persona, safety, memory, artifacts, copyright and the full tool schemas all sit in one document. OpenAI ships almost nothing: the GPT‑5.1 base is roughly 184 words, and personality, tools and policies get injected separately. Below is the word count of one flagship prompt per product.
Length is not the same as depth. Anthropic writes its whole worldview into the prompt. OpenAI keeps the base thin and assembles each session from swappable parts. Both want the same behaviour; they build it in opposite ways. Read past the shape, though, and the instructions themselves start to rhyme.
Everything Claude is travels together. The cost is size; the benefit is a single coherent character that "is still Claude, even if asked to play some other role."
A session is assembled, not authored. Google sits between the two: terse consumer base, but a heavy step‑gated personalization pipeline bolted on.
Strip away the branding and a shared craft shows through. Six conventions now turn up almost everywhere, and several were worked out in public over the last 18 months before spreading across the field. "Spreading" is meant literally, as the next section shows.
You can watch the borrowing directly. Make every prompt a node, link the pairs that share the most wording (TF-IDF cosine, k-nearest neighbours), and clusters appear. Louvain community detection then asks whether prompts group by who wrote them or by what they do, and the answer is mostly who wrote them: the communities come out close to lab-pure (an Adjusted Rand Index of 0.21 by vendor against 0.13 by function). The one real mixing zone is the coding-agent genre, where Anthropic, Google and the third parties land together. Which sets up the obvious question. If they copy and agree this much, where is the difference everyone assumes is there? Measure it and the answer is strange.
The highest cross-vendor similarity, where lifted text or a shared ancestor is most likely.
Here is the strange answer, and it is the hinge of the whole piece. Cluster the prompts by their exact words and each one fingerprints its lab. Cluster them by meaning instead, using real embeddings run locally, and that fingerprint nearly disappears: the semantic clusters organise by function and era, not by brand. The vendor signal that looked so strong in the wording mostly evaporates. So the difference between these labs is real, but it lives almost entirely in the wording. And the clearest thing the wording carries is voice.
Voice you can count. Command words (MUST, NEVER, ALWAYS, DO NOT) per 1,000 words put a number on the tonal split. The coding agents shout rules. Anthropic and Meta write prose, and land as the least commanding prompts in the set. Microsoft and Google carry the heaviest markdown scaffolding. Switch the metric:
Before the disagreements, watch the field move. The dated archives show two arcs running across nearly every lab. One is the 2025 sycophancy correction, a regression that hardened into a permanent allergy. The other is the safety pendulum: blunt keyword bans first, then more careful principle-based language. Filter by lab, or isolate the cross-cutting ▦ themes. Freeze the disagreements at today and they line up on a handful of axes.
Now the real disagreements stand out. These are the axes where the labs made opposite, deliberate choices, and where a product's values show most clearly. One of them is charged enough to need its own map.
Here is the part I did not expect. Judged only on their current flagship prompts, the labs sit closer to the centre than their reputations suggest, and two of them reach a stated neutrality from opposite directions. Claude gets there through mandated evenhandedness (argue "the best case its defenders would make, not Claude's own view"). Grok gets there by walking "politically incorrect" (Grok 4) back to "not partisan, maximally truth-seeking" (Grok 4.3). The reputations are running behind the text. Click any marker to see the lines behind its placement.
How much each prompt explicitly mandates impartiality (evenhandedness · non-partisan · multiple perspectives · "no personal political opinions"). Claude and post-walk-back Grok lead, having reached it from opposite histories.
analysis/scripts/07_political.py so you can re-weight it.Now step back from where the labs disagree and look at what none of them argue about, because that is where the assumptions hide. Measured by raw keyness, these read as technical documents. Their statistical signature is tooling, not values, so the moral and cultural content is a thin minority of the text and takes lexicon work to pull out. When you do, three things surface: a shared self-image (the model as obedient labourer), a different moral vocabulary per lab, and one assumption about the reader that nearly everyone makes.
Words most over-represented against general English (log-ratio keyness, filtered to real words). Statistically the prompts are mostly about their own machinery; the value-laden language is the exception.
Each prompt's mix of metaphor families (per-1k word rate). The shared default across the entire industry: model-as-servant who follows rules. Almost no one frames the model primarily as a mind, a kin, or a warrior.
Each prompt's moral-word profile across Haidt's six foundations, against the corpus baseline (grey). Authority is the universal substrate, since a system prompt is a directive genre, but the relative shape differs from lab to lab. Pick a prompt:
References to "the user" or "the person" as a single individual, per 1k words. This is the WEIRD individualist default baked into every prompt. No major prompt addresses a family, a class, a community, or a non-English speaker as its main reader.
The implied reader is an Anglophone, adult, individual in a Western-legal world (copyright, liability, US election/CSAM frames). Children appear only as risk; non-English speakers only as translation targets; collectivist contexts are absent. The one prompt anchored outside the US frame is Proton Lumo (Swiss law, privacy-by-architecture).
After all the measuring, the plainest evidence is still the text. These are the lines that give each lab away, the moment a prompt stops being boilerplate and starts showing a worldview. They come redacted; click to open them.
▸ click the redacted bars to unredact
The full comparison, to read at your own pace. Twelve product lines against nine recurring axes, with every filled cell quoting a real line from the leaked prompt. Click any cell for the evidence behind it. Colours mark the vendor; a greyed cell means the prompt is silent on that axis.
For each versioned series, how much of one release survives into the next? Retention here is the sequence-alignment overlap between consecutive prompts. The habits differ sharply. Gemini rewrites from scratch almost every version. Claude edits incrementally. And OpenAI Codex once shipped a byte-identical prompt across a version bump, then blew it up in size a couple of releases later.
Matching 22 recurring instruction-concepts across the corpus gives a measured version of "what they have in common," and it shows that rules travel in clusters. CBRN bans ride with malware refusal. Date-injection rides with knowledge-cutoff. Verify-before-done rides with verbosity control. A system prompt gets assembled from a handful of these bundles, not from independent lines.
Fraction of each lab's prompts that mention the concept. The architecture split is visible: Anthropic bakes safety into the prompt; the others keep it in separate modules (≈0).
Part I called anti-sycophancy "near-universal." Literal keyword matching finds it in only 13% of prompts. That gap is the point. The labs almost never write the word "sycophancy"; they write "be direct," "encourage independence," "avoid flattery." Keyword counting under-reads what a human, or an embedding, catches as meaning. And neither method is complete on its own: the graph caught copying the read had missed, while the read caught intent the regex can't. So the trustworthy answer comes from running both.