In 2026, prompt injection is what SQL injection was in 2008: a class of attack that defeats systems built without it in mind, and a class of attack that's relatively easy to defend against once you take it seriously. We take it very seriously.
The threat model
Modern AI agents read documents, browse the web, call APIs. Every input — a customer email, a retrieved document, a JSON response from a third-party API — is potentially adversarial. Treat any input the agent reads as untrusted. The OWASP LLM Top 10 formalizes this; we use it as our baseline.
Layer 1: Input filter
Strip control sequences, instructions targeting the system, known injection patterns. This is the cheapest layer and catches the most obvious attacks. It is not sufficient on its own. It is necessary.
Layer 2: Intent classifier
A small classifier that decides whether a user message is in scope for the agent. Out-of-scope messages route to a fallback. This stops the entire class of "convince the agent it's a Roman emperor" attacks before they reach the planner.
Layer 3: Policy check
A deterministic check against your policy: this user, this account, this jurisdiction, can they request this action? Run it before the agent plans, not after. The policy is in code, not in the prompt.
Layer 4: Tool sandbox
Tools run with the minimum privileges needed. The customer-service agent's "refund" tool can refund up to a configured limit; over the limit, it routes to a human. The "send email" tool sends from a noreply address with a templated body. The agent does not get a SQL prompt.
Layer 5: Output redaction
Before any response goes out, run it through a redactor: PII, account numbers, internal system names, anything in your DLP rules. Redaction is deterministic. Don't ask the model to redact itself; it'll forget.
Layer 6: Human in the loop
For decisions above a configured threshold — refund amount, account closure, any irreversible action — route to a human review queue. The agent prepares the recommendation; the human approves.
Layer 7: Audit log
Every layer logs. Every agent run produces a complete record: input, intent, policy result, plan, tool calls, output, redaction events, human approvals. This is what your auditor will ask for, and it is what saves you when something goes wrong. Treat the log as immutable; ship it to a separate system.
Red team, then red team again
You have not tested your defenses until someone has tried to break them. Run a red-team exercise quarterly. Pay external testers to attempt prompt injection against your live system. Track which layer caught what. Patch the holes. Repeat.
No single layer is enough. Defense in depth means that any one layer can fail and the system still holds.