The uncomfortable move in that line is not cynicism. It is engineering discipline.
Prompt injection is usually discussed as if the main problem is wording: better system prompts, better filters, better refusal behaviour.
That is the wrong centre of gravity.
The real issue is reach.
If an SMS-writing agent can also read inboxes, browse shared drives, touch CRM records and inherit broad OAuth scopes, then the prompt is not the boundary. The agent’s access graph is.
Most demos hide this because the plumbing is presented as convenience. “Look how many systems it connects to.”
But every connector is also a liability surface.
An agent doing a narrow job should not inherit the reach of a senior employee with years of accumulated permissions. It should get the smallest useful view of the business: the relevant claims, the relevant source pointers, and a logged path for escalation when it needs more.
That is the architectural shift.
Not “can we make the model impossible to trick?”
No serious security discipline depends on that kind of optimism.
The better question is what the system allows a tricked agent to touch.
If the answer is “whatever the user’s token can see”, you don’t have an AI security problem.
You have an architecture problem.
Learn more: https://leverageai.com.au/wp-content/media/ebooks/BI_for_Soft_Data_ebook.html
Discover more from Leverage AI for your business
Subscribe to get the latest posts sent to your email.
Previous Post
For years, legacy systems survived because the economics protected them.
Next Post
We've been told a comforting story about AI safety: the models will get smarter, and smarter models will be safer.