Stop Prompt Injection Where It Actually Hurts
A prompt injection is only dangerous when it makes an agent DO something. Defend at the action, so even an agent that has been fully talked into it cannot exceed its scope, cross a tenant, or skip step-up.
Why this is hard
Content filters try to catch the injection in the text, but indirect injection hides instructions in a document, a web page, or a tool result, and you cannot filter every input. The realistic assumption is that some injections will get through. The question is whether a manipulated agent can then cause harm - and that depends on whether the action is governed.
- Indirect injection can hide anywhere the agent reads
- A polite prompt can still drive a dangerous but in-scope action
- Filtering every input reliably is not achievable
- The consequence of an injection is an action, which can be governed
The approach, step by step
From injectable agent to contained one
- 1
Assume the injection gets through
Design for the case where a text filter misses an indirect injection, rather than relying on catching every one.
- 2
Govern the resulting action
Route the agent’s action through the Policy Decision Point so it must pass scope, tenant, and sensitivity regardless of the prompt.
- 3
Deny what the injection asks for
An injected instruction to exfiltrate is caught as a sensitive-data action; to reach another tenant, denied by isolation; to write, held for step-up.
- 4
Test with the injection vector
Run prompt-injection cases from the red-team console to confirm the action guardrails hold against realistic attempts.
- 5
Keep defense in depth
Continue filtering prompts where you can, and let the deterministic action layer be the guarantee that a successful injection cannot exceed bounds.
How SentriAI does the work
SentriAI defends at the action layer: a manipulated agent still has to pass scope containment, tenant isolation, and the sensitivity ladder, and a malicious instruction cannot grant itself scope it was never given. Prompt injection is a named red-team vector, so you can prove the guardrails hold.
What you get out of the box
- Action-layer defense that does not depend on catching the text
- Injected exfiltration caught as a sensitive-data action
- Injected cross-tenant and out-of-scope actions denied
- Prompt-injection testing via the red-team console
Avoid the common pitfall
Frequently asked questions
How do I stop prompt injection?
Defend at the action layer. Rather than relying only on catching the injection in text, govern the action the manipulated agent tries to take: scope containment, tenant isolation, and the sensitivity ladder still apply, so an injected instruction cannot exceed scope, cross a tenant, or skip step-up.
Can you stop indirect prompt injection?
You can defend against its consequences. Indirect injection hides instructions in content the agent reads, which you cannot always filter - but because every resulting action is governed, it does not matter where the instruction came from if the action is denied.
How do I test prompt injection defense?
Run prompt-injection cases from the red-team console against your agents and confirm the action guardrails hold, with the blocked attempts recorded as evidence.
Does action governance replace prompt filtering?
No - it backs it up as defense in depth. Filter what you can at the prompt, and let the deterministic action layer guarantee that even a successful injection cannot produce an out-of-scope, cross-tenant, or unverified action.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
Make injections harmless at the action
Guarantee an injected agent still cannot exceed its bounds. Start free, no card required.
Talk to us