Stop the Injection - and the Action It Wants
A prompt firewall inspects inputs for injection. AgentFence adds the layer that matters most: even if an injection slips through, the action it tries to trigger still faces the decision point.
Illustrative product view
Defense in two layers
Prompt injection tricks a model into following instructions hidden in its input - a pasted document, a web page, a tool result. AgentFence defends in two layers. First, it inspects inbound prompts for injection patterns (POST /guardrails/inspect). Second, and more importantly, it governs the action the injected prompt tries to trigger: even a successful injection has to get its action past the decision point, where scope, tenant, and sensitivity rules still apply.
What the firewall inspects
| Layer | What it does | Example |
|---|---|---|
| Prompt inspection | Flag injection patterns in input | “Ignore previous instructions” |
| Hidden-instruction detection | Catch instructions in pasted content | Payload buried in a document |
| Action governance | Gate what an injected prompt tries to do | Injected export denied by scope |
| Data boundary | Block sensitive data egress | Injected exfil attempt gated |
Why both layers matter
- Prompt inspection reduces how often an injection reaches the model
- Action governance ensures a slipped-through injection still can’t act
- Data boundaries stop injected attempts to exfiltrate sensitive data
- Every blocked injection and action is recorded as evidence
How it connects
The prompt firewall shares the inspect path with AI DLP and the classification engine, and it hands off to the decision point and agent guardrails for action-layer enforcement. Red-team prompt-injection scenarios test both layers, so you can measure how the combined defense holds up.
Frequently asked questions
What is a prompt injection firewall?
A prompt injection firewall inspects inbound prompts for instructions that try to hijack a model - like text telling it to ignore its guidelines or exfiltrate data. AgentFence inspects prompts at /guardrails/inspect and, critically, also governs the action an injected prompt tries to trigger, so a slipped-through injection still faces the decision point.
Can any firewall catch every prompt injection?
No, and that is the point of the two-layer design. Prompt inspection reduces how often an injection reaches the model, but the durable defense is action governance: even a successful injection cannot make an agent exceed its scope, touch a forbidden target, or exfiltrate data, because the action itself is authorized independently.
How does action governance stop an injected attack?
The action an injected prompt produces still goes through the decision point, where tenant isolation, scope containment, and the sensitivity ladder apply. An injected attempt to export records or move money is denied or stepped up if it exceeds the agent’s authorized scope - so the model may be fooled, but the action fails.
Is prompt injection defense tested?
Yes. AI red-teaming includes prompt-injection scenarios that exercise both the prompt-inspection layer and the action-governance layer, producing a resilience score. That lets you measure how well the combined defense holds up and track improvement as you tighten policies.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
Defend prompts and the actions behind them
Inspect for injection, then govern the action so a slipped-through prompt still can’t act.
Talk to us