← All resources

Evaluation & Operations

Prompt Injection and Agent Security

Why untrusted content can redirect agents and how layered controls protect tools, data, and users.

Instructions can arrive as data

Agents read webpages, emails, files, and tool results that may contain text designed to manipulate them. The model cannot reliably distinguish every malicious instruction from legitimate content.

Limit authority

Use least-privilege credentials, isolate sensitive tools, validate destinations, and require approval for consequential actions. Assume a determined attacker may influence the model's next request.

Design for containment

Separate trusted instructions from untrusted content, minimize secrets in context, and monitor unusual tool sequences. Security comes from limiting what a compromised decision can do, not from one perfect prompt.