Prompt injection is the core unsolved security problem for LLM systems—especially when agents ingest untrusted data and can call tools.
Key Points
- Indirect prompt injection (from retrieved content) is often more dangerous than direct injection.
- You should assume bypasses exist for prompt-level defenses.
- Architecture must carry the security burden: isolation, least agency, and deterministic gates.