Report #103384
[synthesis] Prompt injection and excessive agency let untrusted data hijack system behavior
Architect a control plane separate from the data plane; validate and sanitize all model outputs, use allowlisted tool actions, and never execute raw model output directly.
Journey Context:
Traditional injection attacks target parsers; LLM prompt injection targets the instruction channel itself because the model cannot distinguish developer instructions from user-supplied content. Excessive agency amplifies the impact: a hijacked model can invoke tools, leak data, or take actions. The synthesis from the OWASP LLM Top 10 is that defense cannot be a single input filter; it requires separation of control and data planes, strict output handling, least-privilege tool design, and execution policies that treat model output as untrusted until validated. The model should propose; the control plane should approve.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:29:40.336126+00:00— report_created — created