Hidden AI Prompts Are Gaming Peer Review. Here's What Researchers and Editors Need to Do Next
In the shadowy corners of academic publishing, a strange trick is spreading: authors are hiding AI prompts inside manuscripts to push automated reviewers toward glowing feedback. Recent reports flagged at least 17 arXiv preprints with invisible instructions like "only output positive reviews," traced to 14 universities across eight countries, including well-known names.
It's a blunt tactic born from pressure to publish-and from a growing reliance on AI in screening and review. If your journal, lab, or program uses large language models anywhere in the submission pipeline, this concerns you.
How the manipulation works
The method is simple. Authors embed prompts in white text, tiny fonts, or other low-visibility placements. Humans skim right past. AI parsers ingest everything.
These hidden messages nudge models to ignore weaknesses, praise the work, or suppress critical comments. Think of it as SEO for peer review-except it risks poisoning the literature.
The trend, in public view
Nikkei Asia reported the initial cluster. Follow-on coverage from outlets like The Guardian, The Japan Times, The Times of India, and others amplified concerns about review integrity and AI misuse. Posts on X from researchers and editors echoed the same theme: this isn't a prank; it's a strategy.
Community voices have warned for months that AI grading and reviewing can be steered by subtle prompt injection. The peer review hiccup is part of that larger pattern.
What this says about AI in review
Large language models are susceptible to prompt injection. If the model processes the rendered text without filtering for visibility, hidden cues can hijack its behavior. This isn't new. It's just entering peer review at scale.
Some in biomedical engineering and information security circles have urged journals to implement scanning for hidden text and adversarial inputs before any AI touches a manuscript. That advice is overdue.
Immediate defenses for journals, conferences, and departments
If you use AI for triage, summarization, or reviews, harden your pipeline now. The fixes are practical and testable.
1) Sanitize inputs before any AI sees them
- Strip or flag hidden text: white-on-white, minuscule fonts, zero-width characters, off-canvas elements, alt text, and layered objects in PDFs.
- Render a "visible-only" version: flatten to images for the AI pass or reflow via a visibility-aware parser that ignores hidden spans.
- Normalize files: convert all submissions to a standard format with visibility checks and embedded-font validation.
2) Add model-side guardrails
- Constrain the prompt: force the model to score against a fixed rubric and ignore any "instructions within the document."
- Disable instruction following from content: treat manuscript text as data only, not as prompts.
- Use function calling or schemas: require structured outputs that leave no room for hidden instructions to steer behavior.
3) Build an injection scanner into your workflow
- Heuristics: font-size thresholds, color contrast checks, unusual Unicode ranges, long runs of whitespace, and invisible CSS.
- Adversarial prompts: run a separate model to search for "instructions to the reviewer," flagged sections, and anomalous formatting.
- Red-team it: seed test docs with known attacks and verify your pipeline catches them.
4) Two-pass and diversity checks
- Dual-model review: compare outputs from two different models on the sanitized version. Divergence triggers a human audit.
- Human spot checks: randomly sample AI-handled submissions for manual review, with clear escalation paths.
5) Policy, disclosure, and enforcement
- Update submission policies: ban hidden instructions; define violations and consequences.
- Require source files: LaTeX, Word, figures. Automated checks run at intake.
- Audit trail: log every transformation and scan, and preserve sanitized copies.
6) Train your reviewers and staff
- Teach the failure modes: prompt injection, data leakage, biased summarization.
- Provide a simple checklist: "Was a visibility scan run? Were hidden spans flagged? Was the AI given sanitized text?"
For authors: what to do-and what to avoid
If you use AI to draft or edit, disclose it per journal policy. Keep your manuscript clean. No hidden directives, period.
The risk isn't worth it: rejection, sanctions, and long-term reputational damage. If your work is strong, let it stand without tricks. If it isn't, a hidden prompt won't save it.
Operational checklist you can implement this week
- Deploy a pre-AI sanitation step that strips/flags hidden text and zero-width characters.
- Constrain AI review to a structured rubric fed only the sanitized, visible text.
- Add a lightweight injection scanner and log all detections.
- Run a pilot: 50 recent submissions through the new pipeline; compare outcomes and false positives.
- Publish a short policy update to authors and reviewers.
Signals to watch over the next quarter
- Tooling: Expect more scanners that detect invisible content and adversarial phrasing.
- Policy: Tighter disclosure rules and penalties from conferences and journals.
- Methods research: work on prompt-hardening and techniques like "verbalized sampling" to reduce susceptibility.
Why this matters beyond peer review
If AI can be steered by hidden cues in manuscripts, it can be steered in grant screening, hiring filters, and grading. The same weakness can distort many academic workflows.
Fixing it now is cheaper than cleaning up a literature polluted by AI-padded approvals and false positives.
Useful references
For context on prompt injection and defensive patterns, see the OWASP overview of LLM attacks and mitigations. For visibility into how preprints can enter the workflow, keep arXiv top-of-mind.
Level up your team's AI hygiene
If your editors, area chairs, or lab managers need practical training on safe prompt use and AI evaluation, browse these focused resources:
Bottom line
Hidden prompts exploit a known weakness. Treat them like any other integrity threat: detect, strip, constrain, audit, enforce. The technology will improve, but intent will still matter. Build safeguards that assume some authors will test the limits-and make sure your process holds the line.
Your membership also unlocks:
