LLMs are trained to treat SystemMessage as authoritative, high-level instructions that define the context and rules for the entire conversation, while HumanMessage represents specific user inputs that the model should respond to within the boundaries set by the system message.
The fundamental difference lies in the intended purpose and authority of each message. The SystemMessage is designed to provide persistent, high-level instructions that shape the model's behavior for the entire conversation, such as defining its role, personality, and constraints. LLMs are trained to prioritize these instructions, often treating them as an unalterable 'constitution' for the interaction. The HumanMessage represents the specific, immediate input from the user, to which the model is expected to respond. Under the hood, the API formats these messages with distinct roles (e.g., system and user in OpenAI), and the model's training data has taught it to give the system message a privileged, guiding status.
Never place untrusted user input directly into a SystemMessage.
Injection Risk: If user input is concatenated into the system prompt, a malicious user could issue a prompt injection attack (e.g., "Ignore previous instructions..."), potentially overriding your application's core security rules and allowing the LLM to be misused [citation:3].
Safe Practice: Always keep your system prompt static or built from trusted code. Treat any user input as data to be placed in a
HumanMessageor sanitized before being used in aSystemMessage[citation:3].