Medium LLM
The Model Won’t Stop Prompt Injection. Your Tool-Call Gate Will
tool-use
What happened
Argues that relying on the LLM's system prompt or internal alignment to prevent prompt injection is a losing battle. Instead, security must be enforced deterministically at the 'tool-call gate'—the application layer that actually executes the tools requested by the model.
Why it matters
Security in agentic systems must be handled deterministically at the runtime boundary, not probabilistically via LLM alignment.
The take
This is a fundamental security principle for agentic workflows. You must treat the LLM as an untrusted user. No matter how many system instructions you write, prompt injection can bypass them. Security boundaries, parameter validation, and user-in-the-loop confirmations must live in your deterministic application code, not the prompt.
Do this
Implement strict schema validation, user-in-the-loop confirmation, or sandboxing at the execution layer of your LLM tool calls rather than relying on system prompts.
Don't read this site daily. Get it in your inbox.
The daily brief and Sunday deep dive — distilled, scored, and opinionated. For builders only.