prompt reverse engineering - what were they thinking?

Prompt

I'd like to write an educational and somewhat humorous blog on using AI to reverse engineer content to understand the prompt and therefore intention of the request. I want this to be in Australian spelling. Can you please organise ideas clearly and for the main part in the same order as below. Can you aim the content at CIO/CFO type roles, people that need to make decisions about AI adoption and care about the bottom line - the basis of the entry is below. Please include any references or weblinks in the copy you create. Thank you AI!

I have been using AI to reverse engineer intention in emails and text. What do I mean by that? Well, I'm making the assumption that people are predominately using AI to generate their emails and RFIs / RFPs. Also the intermediate updates and emails to all participants in aforementioned processes... I'm always trying to guess why they are providing this update and what was the question that was asked to prompt that response.

So... what if I said:

"I work for Fusion5, we are a leading Systems Integrator in Australia, you can read more here: https://fusion5.com. I have a strategic customer that sent me a somewhat cryptic question and I'd like to know what sort of prompt would have generated a response exactly like the below. What type of scenario would have driven them to ask this question?"

So I'm asking my AI companion "what is my customer thinking".

Imagine I get this email:

Subject: A Few Questions Regarding Your Information Security Practices

Hi Shannon,

I hope you're well.

As part of our ongoing vendor assurance process, I was hoping you could help clarify a couple of things regarding your information security management practices:

Could you let me know if you maintain an independently audited information security management system, and whether it includes regular internal audits, risk assessments, and documented corrective actions?
Do you have an appointed Information Security Officer or equivalent role responsible for maintaining security policy compliance across the business?
Also, is there a Statement of Applicability (SoA) or similar document that outlines your current control set?

Appreciate your help with this — no rush, just when you have a moment.

Kind regards,

Fake Customer, Fake Co

Well, that seems like a nice bubbly email... but how about I ask AI "what were they thinking".

So, I ask AI:

I just got this email from a customer, can you please try and interpret why they are asking this, what prompt they used, what was their actual intention and what type of business scenario would force them to ask this "Subject: A Few Questions Regarding Your Information Security Practices Hi Shannon, I hope you're well. As part of our ongoing vendor assurance process, I was hoping you could help clarify a couple of things regarding your information security management practices: Could you let me know if you maintain an independently audited information security management system, and whether it includes regular internal audits, risk assessments, and documented corrective actions? Do you have an appointed Information Security Officer or equivalent role responsible for maintaining security policy compliance across the business? Also, is there a Statement of Applicability (SoA) or similar document that outlines your current control set? Appreciate your help with this — no rush, just when you have a moment. Kind regards, Fake Customer, Fake Co"

And what does it say?

The Real Intention Behind the Email

The sender is not just asking general security questions — they’re targeting very specific artefacts and practices that would only exist in a mature, standards-based information security program. Here’s what they’re really trying to find out:

What They Asked | What They Actually Want to Know
“Independently audited ISMS with internal audits, risk assessments, and corrective actions” | Are you ISO 27001 certified, or do you have a comparable formal security framework that’s regularly audited?
“Do you have an appointed Information Security Officer?” | Do you have accountable security leadership — a clear sign of organisational maturity and compliance?
“Statement of Applicability (SoA) or similar document” | Are you using ISO 27001, or at least familiar enough with it to structure your security program similarly?

They are indirectly verifying your security posture, governance model, and compliance maturity — likely as a requirement for risk profiling or audit evidence.


Possible Prompt (If This Was AI-Generated)

If this was written using a tool like ChatGPT or Copilot, a plausible prompt might have been:

"Write a professional and indirect email to a supplier to assess whether they are ISO 27001 certified. I don’t want to ask directly about certification, but I want to know if they have the required components like an ISMS, internal audits, an appointed security officer, and a Statement of Applicability."

Alternatively, it could have been:

"Help me draft vendor assurance questions that imply ISO 27001 compliance, without explicitly asking about the certification."

The structure and phrasing strongly suggest this is AI-assisted or templated from a vendor risk framework (e.g., from ISO, APRA, NIST, or CIS controls).

Oh wow!!! That is really cool, I hope you think so.

prompt reverse engineering - infinity prompt mirror


This was using Claude Sonnet 2.7

AI Prompt Forensics: Reading Between the Lines of AI-Generated Content

The Art of Reverse Engineering AI-Generated Communications

G'day, fellow executives and decision-makers! If you're navigating the choppy waters of business communication in 2025, you've likely noticed something peculiar: there's a distinct sameness to many of the emails, RFPs, and business updates landing in your inbox. The reason? Your counterparts are increasingly outsourcing their writing to AI.

As a CIO or CFO weighing up AI investments for your organisation, understanding this shift isn't just interesting—it's strategically valuable. I've discovered that by "reverse engineering" AI-generated content, you can often uncover the actual intentions behind the polished prose.

What Is AI Prompt Forensics?

I've been using AI to decode the intentions behind the communications I receive. My working assumption is that a significant portion of business communication—particularly formal requests, proposals, and updates—is now AI-generated.

This creates an opportunity: if we can identify the prompt that produced a particular response, we gain insight into the sender's true objectives. It's like having X-ray vision for business communication.

The Business Case for AI Prompt Forensics

For C-suite executives focused on the bottom line, this approach offers several strategic advantages:

  • Negotiation intelligence: Understand what your counterparts truly value but might not explicitly state
  • Time savings: Cut through diplomatic language to the core request
  • Risk management: Detect when seemingly innocuous questions conceal compliance or due diligence screening
  • Competitive advantage: Respond to the unstated need, not just the surface-level query

A Real-World Example: Decoding Security Inquiries

Let me demonstrate with a recent example. I work for Fusion5, a leading Systems Integrator in Australia (learn more at https://fusion5.com). I received this seemingly straightforward email:

Subject: A Few Questions Regarding Your Information Security Practices

Hi Shannon,

I hope you're well.

As part of our ongoing vendor assurance process, I was hoping you could help clarify a couple of things regarding your information security management practices:

  1. Could you let me know if you maintain an independently audited information security management system, and whether it includes regular internal audits, risk assessments, and documented corrective actions?
  2. Do you have an appointed Information Security Officer or equivalent role responsible for maintaining security policy compliance across the business?
  3. Also, is there a Statement of Applicability (SoA) or similar document that outlines your current control set?

Appreciate your help with this — no rush, just when you have a moment.

Kind regards,

Fake Customer, Fake Co

To the untrained eye, this looks like a casual inquiry about security practices. But when I asked my AI assistant to analyse what prompted this email, things got interesting.

Reading Between the Lines: What They're Actually Asking

The sender isn't just making conversation about security—they're targeting specific artefacts and practices that would only exist in a mature, standards-based information security program:

What They Asked | What They Actually Want to Know
"Independently audited ISMS with internal audits, risk assessments, and corrective actions" | Are you ISO 27001 certified, or do you have a comparable formal security framework that's regularly audited?
"Do you have an appointed Information Security Officer?" | Do you have accountable security leadership—a clear sign of organisational maturity and compliance?
"Statement of Applicability (SoA) or similar document" | Are you using ISO 27001, or at least familiar enough with it to structure your security program similarly?

They're indirectly verifying our security posture, governance model, and compliance maturity—likely as a requirement for risk profiling or audit evidence without explicitly asking for certification.

The Probable Prompt

My AI analysis suggested the original prompt might have been something like:

"Write a professional and indirect email to a supplier to assess whether they are ISO 27001 certified. I don't want to ask directly about certification, but I want to know if they have the required components like an ISMS, internal audits, an appointed security officer, and a Statement of Applicability."

Or alternatively:

"Help me draft vendor assurance questions that imply ISO 27001 compliance, without explicitly asking about the certification."

The structure and phrasing strongly suggest this is AI-assisted or templated from a vendor risk framework (e.g., from ISO, APRA, NIST, or CIS controls).

The Strategic Advantage of Understanding AI Patterns

By recognising these patterns, I was able to:

  1. Identify the true business context - This wasn't just casual curiosity but part of a formal vendor risk assessment
  2. Prepare a comprehensive response - Address not just the questions asked but the underlying compliance concerns
  3. Position our organisation effectively - Highlight our security maturity in terms that would satisfy their actual requirements

Implications for Executive Decision Makers

For CIOs and CFOs evaluating AI investments, this reverse-engineering capability represents a compelling use case:

  • Improved business intelligence: Understand stakeholder intentions beyond their explicit communications
  • Enhanced negotiation position: Recognise when counterparts are using AI to craft strategic questions
  • Reduced miscommunication: Cut through AI-generated diplomacy to the core business issues
  • Competitive edge: Respond to the actual business need, not just the surface-level query

Conclusion: The New Business Superpower

As AI-generated communication becomes the norm, the ability to decode these messages—to read between the lines of carefully crafted AI outputs—becomes a genuine business superpower. For executives weighing up AI investments, consider not just how AI can generate content, but how it can help you understand the intentions behind the content you receive.

The future belongs to those who can speak AI, interpret AI, and most importantly, see through AI to the human intentions behind it.


Have you had similar experiences with decoding AI-generated communications? I'd love to hear about them in the comments below.

