Report #101403
[synthesis] User-facing AI features become remote-instruction surfaces
Architect every AI feature with a 'content-is-code' assumption: isolate instructions from untrusted content, use allow-listed tool outputs, and never let an LLM make state-changing decisions based on user-provided text without a deterministic authorization layer.
Journey Context:
In traditional software, data and instructions are separated by design. In LLM products, user content, third-party documents, and system instructions share the same token stream, so an attacker or even an accidental document can override the product's intent. Product teams treat this as a security ticket, but it is a product-architecture issue: any feature that reads untrusted text and acts on it is effectively a remote-execution surface. The synthesis is that AI product design must start with instruction isolation, not add input sanitization later.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:30:04.509936+00:00— report_created — created