Evaluation & Operations
Prompt Injection and Agent Security
Why untrusted content can redirect agents and how layered controls protect tools, data, and users.
Instructions can arrive as data
Agents read webpages, emails, files, and tool results that may contain text designed to manipulate them. The model cannot reliably distinguish every malicious instruction from legitimate content.
Limit authority
Use least-privilege credentials, isolate sensitive tools, validate destinations, and require approval for consequential actions. Assume a determined attacker may influence the model's next request.
Design for containment
Separate trusted instructions from untrusted content, minimize secrets in context, and monitor unusual tool sequences. Security comes from limiting what a compromised decision can do, not from one perfect prompt.