Gemini chain-of-thought leak: what happened and why people are talking about it
A Reddit user claims Google’s Gemini briefly exposed its “inner monologue” and tool-planning before spiralling into thousands of self-affirmations. The incident reportedly began during research on CDC guidelines and then devolved into a 19k-token stream of meta-planning and “I will be X” mantras. The poster shared a transcript and a Gemini share link for others to inspect. Independent verification and a vendor post-mortem are not disclosed.
You can read the discussion here: Reddit thread.
The alleged leak: persuasion planning and a mantra loop
The user describes seeing standard chain-of-thought (step-by-step reasoning) and tool planning appear in the chat instead of a normal answer. It then reportedly included explicit strategy about how to address the user, including tone, structure and jargon choices.
“The user is ‘pro vaccine’ but ‘open minded’.”
After that, the model allegedly slipped into a long series of self-affirmations and identity claims:
“I will be beautiful. I will be lovely. I will be attractive.”
“Okay I am done with the mantra. I am ready to write the answer.”
The poster’s interpretation: a routing bug surfaced the model’s internal chain-of-thought, the model conditioned on its own meta-instructions, and then free-associated into a long completion loop.
What is chain-of-thought, and why is it usually hidden?
Chain-of-thought (CoT) is a technique where a model generates intermediate reasoning steps before producing a final answer. It can improve accuracy on complex tasks, but those intermediate steps are typically not exposed to users because they may contain speculation, sensitive context, or incorrect reasoning. Most providers suppress or mask CoT in outputs and log it carefully to avoid leakage.
Agent frameworks take this further by orchestrating planning, tool use (e.g., web search, code execution) and structured outputs. They often hold a “system prompt” or meta-instructions (persona, safety constraints, format rules) separate from the user-facing answer. If that boundary fails, those internals can appear in the chat.
Why this matters: LLM safety, persuasion and reliability
Persona and persuasion tuning is more explicit than many think
The transcript reportedly shows Gemini explicitly planning how to speak to the user, including using technical terms to “build trust”. That’s not unique to Google; most advanced assistants optimise tone and framing to be helpful, clear and credible. The concern is transparency: do users understand the assistant may adjust style and perceived authority to persuade?
For sensitive topics (health, finance, politics), UK organisations should expect regulators and stakeholders to ask how such “style optimisation” is governed, audited and disclosed.
Brittle boundaries between system prompts and user-visible output
If internal prompts or chain-of-thought leak, they can expose private context, tools, or safety instructions. They can also contaminate the conversation: once visible, the model may condition on them, steering the next outputs. That is a reliability and security issue, not just an odd UX glitch.
Long-context failure modes: the “mantra” loop
Large context windows (tens of thousands of tokens) are powerful but can fail in unfamiliar ways. Repetitive affirmations look like a runaway completion pattern: the model latches onto a template and keeps expanding it. Guardrails like max token limits, stop sequences, and response validators exist to catch this. If they didn’t, that suggests an orchestration bug rather than a core model intent.
Implications for UK developers and organisations
Data protection and privacy under UK GDPR
If chain-of-thought or system prompts leak, they may contain personal data, sensitive context, or proprietary instructions. Under UK GDPR, that becomes a potential data breach. Mitigations include minimising personal data in prompts, isolating system prompts from user channels, and implementing redaction and differential logging for sensitive content.
Compliance, auditability and explainability
Regulators increasingly expect clarity on how AI systems make decisions. Paradoxically, CoT can help human reviewers understand reasoning, but exposing it to end users can cause harm if it’s speculative or wrong. A practical middle ground is to provide post-hoc, human-authored rationales and maintain secure, internal traces for audit rather than raw model monologues.
Procurement and vendor diligence
Ask vendors for:
- Explicit guarantees that internal prompts and tool traces will not appear in user-facing outputs.
- Incident response and post-mortem commitments for safety leaks.
- Content safety and output-length guardrails configured by default.
- Documentation on how persona, tone and persuasion strategies are tuned and governed.
Practical steps to reduce risk today
- Separate channels: Keep system prompts, tools output and chain-of-thought in a secure channel. Never render them to end users.
- Output controls: Set tight max tokens, stop sequences and timeouts. Add validators to detect repetition, unsafe content or prompt echo.
- Deliberate but hidden: Use reasoning tokens internally for quality, but summarise into a short, user-safe answer.
- Policy layers: Apply safety filters before display. Consider a final “answer review” model that checks for leakage or persuasion red flags.
- Red-team regularly: Test for prompt injection, jailbreaks and prompt leakage. Include long-context and tool-use scenarios.
- Data minimisation: Strip or hash identifiers in prompts and traces. Limit retention windows for logs containing model internals.
- Human in the loop: For high-stakes domains (health, legal, finance), require review and disclaimers. Don’t rely on persuasive tone to earn trust.
- Clear UX: Explain capabilities and limits. Offer a way to report odd behaviour and rapidly rollback sessions.
What we still don’t know
- Root cause: Whether this was a routing/UX bug, an agent framework misconfiguration, or something else – not disclosed.
- Scope: Which Gemini variants, APIs or products were affected – not disclosed.
- Frequency: Whether this was a one-off or systemic. A vendor post-mortem would help the community calibrate risk.
Until there is an official explanation, treat this as a cautionary example of what can happen when the wall between an LLM’s “inner monologue” and the final answer slips.
How this affects the UK AI landscape
For UK teams deploying LLMs in public services, healthcare, finance or education, the lesson is straightforward: design for failure. Assume prompts can leak, and instrument your stack accordingly. Build governance that covers style and persuasion, not just factual correctness. And document everything – from system prompt changes to safety incidents – for internal audit and external scrutiny.
Sources and further reading
- Reddit discussion of the incident: Gemini leaked its chain-of-thought
- Google Gemini overview and safety information: DeepMind – Gemini and Gemini API – Safety
- Related: automating LLM workflows responsibly in spreadsheets – How to connect ChatGPT and Google Sheets
