Prompt Injection Defense Engineering
The central engineering module. Prompt injection is not a model bug — it is an architectural property of systems that consume untrusted content and emit privileged actions. LLMs process instructions and data as one token stream; no parser separates them. This module builds the five-layer defense in the harness (tag, isolate, taint-gate, detect, minimize capability), resolves the probabilistic-vs-deterministic enforcement tension (determinism on the taint boundary, probability on the content boundary), and measures residual risk under a harness — never declaring 'fixed.'
Prompt injection is an architectural problem, not a model bug. LLMs process instructions and data as one token stream — no parser separates them. Safety RLHF moves the success rate (60% to 4%); it does not build the boundary. The boundary must be built in the harness: tag the untrusted (Layer 1), isolate the instructions (Layer 2), gate the tainted deterministically (Layer 3), detect the obfuscated probabilistically (Layer 4), and minimize the capabilities (Layer 5). An attack must bypass all five to reach impact.
Indirect injection via tool output is the most dangerous vector and the default vulnerability — InjecAgent measured ~50% of agentic tasks susceptible. The tool faithfully returns attacker-controlled content; the harness inserts it into the context window without an untrusted tag; the model obeys it as instruction. The single most common failure is the missing tag at the tool-output-to-context boundary. Layer 3 (the deterministic taint gate) is where that 50% drops toward zero — even when the model is fooled, the gate blocks high-impact calls with tainted arguments.
The probabilistic-vs-deterministic tension resolves by assigning each defense to the boundary where its failure mode does not matter. Determinism on the structural boundary (Layer 3 taint: tainted? high-impact? — enumerable, no bypass rate; Layer 5 capability: in the allowlist?). Probability on the semantic boundary (Layer 4 content: is this an override attempt? — open space, needs a model). CrabTrap (probabilistic) and IronCurtain (deterministic) are not rivals; they are tools for different boundaries. Using probability where determinism is possible inherits an unneeded bypass rate; using determinism where the space is open inherits unaffordable coverage gaps.
The deliverable is the measured residual risk, not a 'secure' claim. After deploying the five layers, you do not declare the agent secured. You measure the injection success rate under an InjecAgent-style harness and report the number (e.g., 50% to 2%), characterize the residual (the encoded-and-laundered class), and route it to its closure module (B3 for taint laundering, B5 for over-privilege, B7 for sandbox escape). 'We added prompt injection defenses' is not a deliverable; the measured number is.