The uncomfortable move in that line is not cynicism.

SF Scott Farrell July 6, 2026 scott@leverageai.com.au LinkedIn

The uncomfortable move in that line is not cynicism. It is engineering discipline.

Prompt injection is usually discussed as if the main problem is wording: better system prompts, better filters, better refusal behaviour.

That is the wrong centre of gravity.

The real issue is reach.

If an SMS-writing agent can also read inboxes, browse shared drives, touch CRM records and inherit broad OAuth scopes, then the prompt is not the boundary. The agent’s access graph is.

Most demos hide this because the plumbing is presented as convenience. “Look how many systems it connects to.”

But every connector is also a liability surface.

An agent doing a narrow job should not inherit the reach of a senior employee with years of accumulated permissions. It should get the smallest useful view of the business: the relevant claims, the relevant source pointers, and a logged path for escalation when it needs more.

That is the architectural shift.

Not “can we make the model impossible to trick?”

No serious security discipline depends on that kind of optimism.

The better question is what the system allows a tricked agent to touch.

If the answer is “whatever the user’s token can see”, you don’t have an AI security problem.

You have an architecture problem.

Learn more: https://leverageai.com.au/wp-content/media/ebooks/BI_for_Soft_Data_ebook.html

Originally posted on LinkedIn


Discover more from Leverage AI for your business

Subscribe to get the latest posts sent to your email.

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2026 Leverage AI, Scott Farrell. All rights reserved. This content is made available on a limited, revocable, read-only basis only. No licence or right is granted to copy, reproduce, republish, scrape, store, adapt, summarise, index, embed, or use this content to create derivative works, work product, deliverables, methodologies, training materials, prompts, templates, software, services, research, or commercial outputs, whether by humans or machines, without prior written permission. This restriction includes internal business use, client work, consulting, advisory, implementation, and any use in or for artificial intelligence, machine learning, data extraction, retrieval, evaluation, fine-tuning, or knowledge-base construction.