• Last time we explored more Quarto features for creating professional documents
• We learned how to convert Jupyter notebooks to HTML and PDF formats using Quarto
• We also covered how to add academic references with BibTeX and create beautiful PDFs with TinyTeX
• Today: How do we communicate effectively with AI models?
• The same model can give wildly different results depending on how you phrase your request
• We’ll learn a bit about (the art of?) prompt engineering

Part 1: What Are LLMs?

• How LLMs “see” text (as you already know, they don’t!)
• Tokenisation and embeddings
• Why this matters for prompting

Part 2: The PTCF Framework

• Persona, Task, Context, Format
• Temperature and sampling parameters

Part 3: System Prompts and Personas

• The hidden instructions behind every chatbot
• How personas shape responses

Part 4: Prompting Techniques

• Zero-shot, one-shot, few-shot prompting
• Chain-of-Thought reasoning

Part 5: AI Agents and Safety

• The ReAct framework: Reasoning + Acting
• Prompt injection and security concerns
• Challenges: hallucination and bias

• LLMs are a type of neural network based on the Transformer architecture (that’s the T in GPT - Generative Pre-trained Transformer)
• Many important ideas behind neural networks were developed in the 1950s and 1960s (!), but the area has recently exploded due to the availability of large datasets and powerful GPUs
• LLMs are trained on large corpora of text data (e.g., books, articles, websites, code repositories), and they learn to predict the next word in a sentence
• This is called next-token prediction, and it’s the core of how LLMs work
• For a very good introduction to LLMs, I strongly recommend this article by Stephen Wolfram

• Here’s something you (hopefully) already know: Computers only understand numbers (remember lecture 02?)
• When you type “Hello, how are you?”, the LLM sees something like: [15496, 11, 703, 527, 499, 30]
• This creates a translation problem:
  • How do we convert text into numbers?
  • How do we capture meaning, not just characters?
  • How do we capture relationships between words?
• The solution involves two key concepts:
  • Tokenisation: Breaking text into meaningful pieces
  • Embeddings: Converting pieces into meaningful vectors

• A token is the basic unit that an LLM reads
• Tokens are NOT always words!
• A token can be:
  • A whole word: “hello” → 1 token
  • Part of a word: “un” + “believ” + “able” → 3 tokens
  • Punctuation: “!” → 1 token
  • A space: ” ” → often included with the next word
• Rule of thumb: 1 token ≈ 4 characters in English
• Or roughly: 100 tokens ≈ 75 words
• Other languages often use more tokens per word
• Let’s try it out with “Hello, it’s Danilo here!”
• We’ll use OpenAI’s tokenizer for this example

Three approaches to breaking up text:

• Modern LLMs use Byte Pair Encoding (BPE)
• Common subwords become single tokens
• Rare words are split into known pieces
• This is why “ChatGPT” → [“Chat”, “G”, “PT”]
• How does this save space?
  • “unhappy”, “unfair”, “unlikely”, “undo”…
  • The model only needs to store “un” once!

OpenAI’s Tokeniser (let’s try it!): platform.openai.com/tokenizer

The number of tokens can change from one version to another!

Some surprising examples:

Notice: Capitalisation, spacing, and punctuation all affect tokenisation!

• Every LLM has a context window: Maximum tokens it can process
• This limit includes both your prompt AND the response!
• Both input tokens (your prompt) and output tokens (response) cost money
• Output tokens typically cost 2-4x more than input tokens!

• If your prompt uses 3,500 tokens and the limit is 4,096…
• You only have 596 tokens left for the response!
• Exceeding limits → Error or truncated output

• Once text is tokenised, each token gets converted to an embedding
• An embedding is a vector: A list of numbers
• Typically 768 to 4,096 numbers per word!
• Example: “cat” → [0.23, -0.45, 0.12, -0.89, ... (4,096 numbers)]
• These numbers capture the meaning of the word
• Similar words have similar vectors
  • “cat” and “kitten” will be close together in this space
  • “cat” and “aeroplane” will be far apart
• The model learns these representations during training
• This is where the “understanding” happens!

• The most famous embedding discovery:
• king − man + woman ≈ queen 👑
• What does this mean?
  • Take the vector for “king”
  • Subtract the vector for “man”
  • Add the vector for “woman”
  • The result is closest to “queen”! 🤯
• The model has learned that:
  • king is to man as queen is to woman
  • This captures the gender relationship
  • These relationships are encoded in the vectors
• Other examples that work:
  • Paris − France + Italy ≈ Rome
  • bigger − big + small ≈ smaller

Understanding the pipeline helps you:

• Write better prompts: Know what the model “sees”
• Understand costs: API pricing is per token, not per word
• Avoid surprises: Some words use more tokens than others
• Debug issues: Why did the model misunderstand?
• Use context wisely: Token limits are real constraints

You want to analyse the sentiment of financial news. Which prompt will give clearer results?

Prompt A:

Analyse the sentiment of this headline: “Tesla reports record Q4 deliveries despite supply chain concerns”

Prompt B:

Classify the sentiment of this financial headline as BULLISH, BEARISH, or NEUTRAL. Output only one word.

“Tesla reports record Q4 deliveries despite supply chain concerns”

Google’s Gemini for Workspace Prompting Guide introduces the PTCF framework:

Order matters: Persona → Task → Context → Format

The framework works because it mirrors how training data is structured: documents have authors (persona), purposes (task), backgrounds (context), and conventions (format).

Hyperparameters are settings you control that affect model behaviour:

For prompting tasks:

• Factual extraction: Temperature 0.0-0.2 (deterministic)
• Creative writing: Temperature 0.7-1.0 (varied)
• Classification: Temperature 0.0 (consistent labels)
• Brainstorming: Temperature 0.8+ (diverse ideas)
• ChatGPT or Gemini don’t have a temperature slider. But you can use Google AI Studio or OpenAI’s playground to control temperature
• You can also simulate temperature by using instructions like “be extremely precise and factual” (low temperature) or “be wildly creative and unpredictable” (high temperature) in a prompt

Here’s a prompt that consistently fails:

“Tell me about machine learning in healthcare”

What’s wrong with it? (Use Persona-Task-Context-Format to diagnose)

Claude’s system prompt (partial, via Anthropic’s documentation):

“The assistant is Claude, created by Anthropic. The current date is [date]. Claude’s knowledge base was last updated in April 2024 and it answers user questions about events prior to and after April 2024 the way a highly informed individual from April 2024 would if they were talking to someone from [date]. […] Claude cannot open URLs, links, or videos. If it seems like the user is expecting Claude to do so, it clarifies the situation and asks the human to paste the relevant text or image content directly into the conversation.”

Key observations:

• Explicit about identity and knowledge cutoff
• States capabilities and limitations
• Guides behaviour for ambiguous situations

Common system prompt patterns:

Meta-prompting is asking the AI to help you craft better prompts. It uses the AI’s knowledge of its own patterns.

Examples:

“I want to analyse quarterly earnings reports. What questions should I ask you to get the most useful analysis? What information should I provide?”

“Here’s my prompt for summarising research papers. What’s unclear or ambiguous about it? How would you rewrite it?”

“I’m building a prompt for customer sentiment classification. What edge cases should my examples cover?”

Why this works:

The model has seen millions of prompts and their outcomes in training data. It has implicit knowledge of what makes prompts succeed or fail.

Let the AI teach you how to prompt it.

These terms describe how many examples you provide:

Zero-shot: No examples, just instructions

Classify this review as Positive or Negative:
"The food was cold and the service was slow."

One-shot: One example to establish the pattern

Review: "Best pizza I've ever had!" → Positive
Review: "The food was cold and the service was slow." → ?

Few-shot: 2-5 examples to show the pattern clearly

"Best pizza I've ever had!" → Positive
"Terrible experience, never again" → Negative
"It was okay, nothing special" → Neutral
"The food was cold and the service was slow." → ?

Few-shot works because LLMs are trained on text with patterns. Your examples prime the model to continue the pattern.

Few-shot prompting is not always better. Research shows:

Examples help when:

• The task has implicit conventions (e.g., JSON output format)
• Edge cases exist that need demonstration
• The classification scheme is non-obvious (e.g., company vs product names)
• You need consistent style or tone

Examples can hurt when:

• Your examples contain biases or errors the model will copy
• The examples are too similar (model over-fits to surface patterns)
• The task is simple enough that examples add noise
• Examples consume context window that could hold useful content

LLMs can output in any text format. Specifying structure makes outputs easier to parse and more consistent.

Common formats:

Pro tip: Include a schema or template in your prompt:

Output as JSON with this exact structure:
{
  "company": "string",
  "sentiment": "positive" | "negative" | "neutral",
  "key_metrics": ["string", "string", "string"]
}

Specifying the exact keys/values prevents invented fields.

In January 2022, Wei et al. published a paper that transformed how we use LLMs:

The key finding: Asking models to show their reasoning dramatically improves accuracy on complex tasks.

The experiment:

Accuracy nearly tripled on grade-school maths just by adding “Let’s think step by step.”

Why does this work?

The model wasn’t trained to do multi-step reasoning in a single forward pass. Generating intermediate steps externalises the reasoning, allowing the model to “check its work” at each step.

Kojima et al. (2022) discovered something remarkable:

You don’t need examples. Just adding “Let’s think step by step” triggers reasoning behaviour.

Without CoT:

Q: If a store sells 3 apples for $2, how much do 12 apples cost?

A: $6

(Wrong. The model rushed to an answer.)

With zero-shot CoT:

Q: If a store sells 3 apples for $2, how much do 12 apples cost? Let’s think step by step.

A: First, I need to find the price per apple. 3 apples cost $2, so 1 apple costs $2/3 = £0.67. For 12 apples: 12 × $0.67 = $8. The answer is $8.

The phrase activates a “reasoning mode” learned from training data where step-by-step explanations precede correct answers.

A chatbot answers questions. An agent takes actions.

LLM Agent loop:

You ask → Model reasons → Uses tools → Observes results → Repeats → Eventually responds

The ReAct pattern (Yao et al., 2022):

User: What was AAPL's price when iPhone 15 was announced?

Thought: I need two things: (1) date, (2) stock price.

Action: search("iPhone 15 announcement")
Observation: September 12, 2023

Action: get_stock_price("AAPL", "2023-09-12")
Observation: $176.30

Final Answer: $176.30

Why this matters to us: The “Thought” steps let the model plan and adapt.

Examples of AI agents:

Agents are powerful but make mistakes that compound:

Current limitations:

• Error propagation: One wrong step can derail the entire task
• Looping: Agents can get stuck repeating failed actions
• Overconfidence: May take irreversible actions without checking
• Context limits: Long tasks exceed context windows
• Cost: Multi-step tasks can run up large API bills

Safety concerns:

• Who’s responsible when an agent makes a mistake?
• What happens if an agent has access to your email/calendar?
• How do you audit what an agent did?
• Agents can be manipulated via prompt injection

Research firm Gartner predicts: By 2028, 15% of day-to-day work decisions will be made autonomously by AI agents—up from almost zero today.

Common effects of prompt injection attacks:

• Prompt leaks: Hackers trick LLMs into revealing system prompts
• Remote code execution: Attackers run malicious programs through LLM plugins
• Data theft: LLMs are tricked into sharing private user information
• Misinformation campaigns: Malicious prompts skew search results
• Malware transmission: Prompts spread through AI assistants, forwarding malicious content

• Generative AI models can produce incorrect or misleading content
• This can be due to errors in the model, biases or incorrect information in the training data, or the limitations of the model architecture
• This makes it vital to check the output of these models and not take it at face value
• For example, some time ago I asked Microsoft Copilot to solve a simple quadratic equation, and it very confidently gave me a very wrong answer 😅
• It provided the answers of \(\frac{1}{2}\) and \(\frac{-5}{4}\) when the correct answers were 0.804 and -1.55
• The same model also confidently gave me the wrong answer to a simple geography question

• AI models can amplify biases present in the training data
• For instance, I asked an AI to give me the names of famous scientists, and it came up with the following list:
  • Albert Einstein
  • Isaac Newton
  • Charles Darwin
  • Nikola Tesla
  • Galileo Galilei
  • Stephen Hawking
  • Leonardo da Vinci
  • Thomas Edison

• Can you spot the bias?