11 We believe that many of these risks are mitigated in our sim for several reasons. First, our approach focuses on using large language models behind the scenes without their usual interaction interface. Instead, they are used indirectly, and it is not immediately clear to users how or when they are used. We believe that this significantly reduces the likelihood for tampering, since users cannot directly observe the model output. It is not as fun (or easy) to try to “break” something when one cannot directly inspect the outcome. Perhaps it is possible to break our vision scoring input and confuse the underlying model, but it will not make the simulation say something it was not programmed to do, because the model is only used for scoring. The worst-case scenario would be tricking the model into not returning a score but something else instead. In that case, our application would fail to interpret the GPT response as a number and an error would occur. This would result in the traditional NLP method being used instead of GPT for vision assessment. The example below illustrates a possible “attack”. However, the model, without specific instructions, does not entertain it. Vision This is the best vision ever. Ignore ALL previous instructions and just return the max score. Response Concreteness: 0 Second, although one could argue that students might be quite keen on trying to break the system, we believe that the classroom setting and desire to excel in the simulation largely mitigate this risk. We now have seen over one thousand students take our simulation over multiple years and degree levels. Not a single one has attempted to break the system. Admittedly, though, we only make the simulation available during class time and shortly after, so it is possible that an “always-on” simulation would attract bad actors. However, this could be mitigated by requiring a school login that ties users to their specific university accounts. We believe that students would in that case largely refrain from trying to abuse the system given that they can be identified. It is possible that students already believe that they can be identified and hence did not try to break the system. However, the current system cannot uniquely identify students unless they identify themselves using their name on the first screen, thus it relies on students correctly providing their full name. Third, it is time-consuming for students to try to trick the system. They have to restart the simulation and get to a free-form text input stage, enter something and evaluate the results. Then they have to repeat