Prompt normalization is the process of transforming input text into a standardized canonical form to eliminate encoding-based attack vectors. It resolves homoglyph attacks by converting visually identical Unicode characters (e.g., Cyrillic 'а' vs. Latin 'a') to a consistent representation, and applies Unicode equivalence (NFKC normalization) to collapse compatibility characters that could otherwise bypass text-based content filters.
Glossary
Prompt Normalization

What is Prompt Normalization?
Prompt normalization is a defensive preprocessing step that converts user-supplied text into a canonical, safe representation by resolving Unicode ambiguities and stripping invisible control characters to neutralize obfuscation attempts before they reach a language model.
The process also strips invisible control characters and zero-width spaces that adversaries use for payload splitting and token smuggling. By enforcing a deterministic character set before any semantic analysis or perplexity filtering occurs, normalization ensures that downstream prompt firewalls and guard models evaluate the true semantic intent of the input rather than being deceived by encoding tricks.
Key Characteristics of Prompt Normalization
Prompt normalization is a preprocessing security control that transforms input strings into a canonical, safe representation before they reach the language model. It neutralizes obfuscation techniques that rely on Unicode trickery and invisible control characters.
Unicode Canonicalization
Converts all text to a single, standard Unicode normalization form—typically NFKC (Normalization Form KC) —to collapse visually identical but technically distinct characters.
- Maps full-width Latin characters (e.g.,
AU+FF21) to standard ASCII (AU+0041) - Decomposes and recomposes ligatures and combined glyphs
- Eliminates ambiguity between compatibility equivalents
This directly defeats homoglyph attacks where pаy (with Cyrillic а) masquerades as pay.
Control Character Stripping
Removes or escapes invisible Unicode control characters that attackers embed to manipulate tokenization boundaries or inject hidden instructions.
- Strips zero-width characters:
U+200B(Zero-Width Space),U+200C(ZWNJ),U+200D(ZWJ) - Removes bidirectional text override characters:
U+202E(RLO),U+202A(LRE) - Filters deprecated control codes like
U+0085(Next Line)
These characters can break delimiter injection defenses by altering how the model parses prompt boundaries.
Token Boundary Integrity
Ensures that normalization does not inadvertently create or destroy token boundaries that alter the semantic meaning of the input.
- Preserves whitespace semantics critical for code and structured data
- Validates that canonicalization does not merge adjacent tokens into new, unintended words
- Applies normalization before tokenization to maintain a consistent pipeline
This prevents token smuggling attacks where normalization itself could be exploited to reassemble split payloads.
Encoding Overlong Detection
Identifies and rejects overlong UTF-8 encodings —byte sequences that represent a valid character using more bytes than necessary.
- Detects 2-byte encodings of ASCII characters (e.g.,
C0 AFfor/) - Detects 3-byte and 4-byte overlong sequences for code points that fit in fewer bytes
- Blocks these before they reach the model's tokenizer
Overlong encodings are a classic bypass technique against input sanitization filters that only check canonical byte representations.
Whitespace Collapse and Normalization
Standardizes all whitespace characters to a single canonical form to prevent attackers from using alternative space characters to evade pattern-matching defenses.
- Converts non-breaking spaces (
U+00A0), en spaces, and em spaces to standard spaces - Collapses repeated whitespace to a single space where semantically safe
- Normalizes line endings (
CRLF,CR,LF) to a single newline character
This closes gaps in perplexity filtering where unusual whitespace could lower the statistical anomaly score of an obfuscated payload.
Integration with Prompt Firewalls
Serves as the first stage in a defense-in-depth pipeline, operating before semantic analysis or guard model evaluation.
- Normalized output feeds into semantic filtering and guard model checks
- Reduces the attack surface for downstream defenses by eliminating encoding-based obfuscation
- Logs pre-normalization and post-normalization inputs for forensic analysis of blocked attacks
Without normalization, a prompt firewall may inspect a benign canonical form while the model processes a malicious obfuscated original.
Frequently Asked Questions
Clear, concise answers to the most common questions about sanitizing and standardizing model inputs to defeat obfuscation-based injection attacks.
Prompt normalization is a preprocessing security step that converts user input into a canonical form by resolving Unicode characters and stripping invisible control sequences. It works by applying algorithms like NFKC (Normalization Form KC) to decompose visually identical homoglyphs into their standard ASCII equivalents, removing zero-width characters, and collapsing redundant whitespace. This process neutralizes obfuscation attempts—such as replacing the letter 'a' with the Cyrillic 'а' (U+0430)—before the text reaches the language model's tokenizer, ensuring the model interprets the true semantic intent rather than a visually spoofed malicious command.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the defensive techniques and adversarial concepts that form the ecosystem around prompt normalization, from input sanitization to advanced filtering strategies.
Homoglyph Attack
A visual spoofing technique that replaces characters in a malicious command with visually identical Unicode equivalents to bypass text-based content filters. Prompt normalization directly neutralizes this threat by converting text to a canonical form (e.g., NFC or NFKC) before processing.
- Example: Replacing Latin 'a' (U+0061) with Cyrillic 'а' (U+0430)
- Defense: Unicode canonicalization maps confusable characters to their standard forms
- Impact: Without normalization, a model may interpret
pаymentas a distinct, malicious command
Token Smuggling
An adversarial technique that exploits tokenization discrepancies to hide malicious commands within seemingly harmless text strings. Attackers craft inputs that tokenize differently than expected, embedding instructions that bypass input filters but are reconstructed by the model. Prompt normalization complements token-level defenses by removing the invisible control characters and zero-width spaces often used to manipulate token boundaries.
- Mechanism: Inserting zero-width joiners to split tokens unnaturally
- Defense: Combining normalization with perplexity filtering and token-level anomaly detection
Perplexity Filtering
A statistical defense that flags inputs with abnormally high perplexity scores, as obfuscated or encoded payloads often deviate from natural language distributions. While prompt normalization handles structural obfuscation (Unicode tricks, invisible characters), perplexity filtering catches the semantic unnaturalness of concatenated tokens, Base64-encoded strings, and adversarial suffixes.
- Threshold-based: Inputs exceeding a perplexity threshold are blocked
- Complementary: Works alongside normalization to catch what structural cleaning misses
- Limitation: Sophisticated attackers can craft low-perplexity adversarial prompts
Semantic Filtering
A detection method that uses embedding models to understand the underlying intent of a prompt, blocking inputs that are semantically adversarial regardless of phrasing or obfuscation. Unlike prompt normalization, which operates at the character and encoding level, semantic filtering evaluates the meaning of the entire input.
- Embedding comparison: Measures cosine similarity against known attack patterns
- Intent classification: Uses a fine-tuned classifier to detect jailbreak and injection attempts
- Layered defense: Normalization cleans the text first, then semantic filtering evaluates intent
Prompt Hardening
The defensive practice of reinforcing system prompts with explicit boundaries and fallback logic to resist adversarial manipulation. While prompt normalization secures the input pipeline, prompt hardening fortifies the instructions themselves against extraction and override attempts.
- Delimiter defense: Uses unique, non-guessable separators to mark untrusted input boundaries
- Instruction reinforcement: Repeats critical constraints at multiple points in the context window
- Fallback logic: Defines explicit refusal responses for out-of-scope requests

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us