Report #102834
[synthesis] Why prompt injection breaks the value proposition of RAG and agent products
Architect retrieval and tool execution as separate privilege domains; never let LLM output directly invoke privileged tools; treat every retrieved document as untrusted input and apply allowlist-based output validation before any action.
Journey Context:
OWASP ranks prompt injection as the top LLM application risk, and Greshake et al. demonstrated real indirect injections through retrieved content and tool outputs. The synthesis is that prompt injection is not merely a security bug—it undermines the core product promise. RAG and agents are valuable precisely because they act on external, untrusted data; if that data can hijack behavior, users cannot trust the product's basic function. The right call is to treat data and instructions as separate privilege domains rather than relying on prompt hardening alone.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:32:35.138302+00:00— report_created — created