Report #104192
[synthesis] Prompt injection is not a patchable bug; it is a structural consequence of mixing instructions and untrusted data in the same token stream
Architecturally separate instructions from data using instruction-hierarchy training or strict role separation; treat all retrieved, uploaded, or user-supplied content as untrusted; validate and sandbox any tool call that an LLM can trigger.
Journey Context:
Traditional injection flaws like SQL injection are solved by parameterization: separate code from data. LLMs receive instructions and data in the same context window, so an attacker can smuggle instructions inside user input, documents, web pages, or RAG chunks. OWASP ranks prompt injection as the top LLM risk because there is no perfect filter; every mitigation is a tradeoff between security and the model's ability to follow complex instructions. The synthesis is that prompt injection cannot be eliminated by better system prompts alone; it requires architectural separation, least-privilege tool access, and treating the LLM as an untrusted parser that sits between two trust zones.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T05:23:16.794319+00:00— report_created — created