Safety

Defense in depth for enterprise AI

Prompt injection is the new SQL injection. Seven layers we put between the user and your most sensitive systems.

Mindlytic AI Team · Security Architect·2026-03-08·3 MIN READ·458 WORDS
DEFENSE IN DEPTH
SAFETYSECURITYINJECTION

In 2026, prompt injection is what SQL injection was in 2008: a class of attack that defeats systems built without it in mind, and a class of attack that's relatively easy to defend against once you take it seriously. We take it very seriously.

The threat model

Modern AI agents read documents, browse the web, call APIs. Every input — a customer email, a retrieved document, a JSON response from a third-party API — is potentially adversarial. Treat any input the agent reads as untrusted. The OWASP LLM Top 10 formalizes this; we use it as our baseline.

INPUT FILTERINTENT CLASSPOLICY CHECKTOOL SANDBOXOUTPUT REDACTHITL ESCALATEAUDIT LOGDEFENSE-IN-DEPTH STACK
FIG · Defense-in-depth: seven layers between user input and sensitive systems

Layer 1: Input filter

Strip control sequences, instructions targeting the system, known injection patterns. This is the cheapest layer and catches the most obvious attacks. It is not sufficient on its own. It is necessary.

Layer 2: Intent classifier

A small classifier that decides whether a user message is in scope for the agent. Out-of-scope messages route to a fallback. This stops the entire class of "convince the agent it's a Roman emperor" attacks before they reach the planner.

Layer 3: Policy check

A deterministic check against your policy: this user, this account, this jurisdiction, can they request this action? Run it before the agent plans, not after. The policy is in code, not in the prompt.

Layer 4: Tool sandbox

Tools run with the minimum privileges needed. The customer-service agent's "refund" tool can refund up to a configured limit; over the limit, it routes to a human. The "send email" tool sends from a noreply address with a templated body. The agent does not get a SQL prompt.

Layer 5: Output redaction

Before any response goes out, run it through a redactor: PII, account numbers, internal system names, anything in your DLP rules. Redaction is deterministic. Don't ask the model to redact itself; it'll forget.

Layer 6: Human in the loop

For decisions above a configured threshold — refund amount, account closure, any irreversible action — route to a human review queue. The agent prepares the recommendation; the human approves.

Layer 7: Audit log

Every layer logs. Every agent run produces a complete record: input, intent, policy result, plan, tool calls, output, redaction events, human approvals. This is what your auditor will ask for, and it is what saves you when something goes wrong. Treat the log as immutable; ship it to a separate system.

Red team, then red team again

You have not tested your defenses until someone has tried to break them. Run a red-team exercise quarterly. Pay external testers to attempt prompt injection against your live system. Track which layer caught what. Patch the holes. Repeat.

PRINCIPLE

No single layer is enough. Defense in depth means that any one layer can fail and the system still holds.

M
AUTHOR
Mindlytic AI Team
Security Architect

Authored by the Mindlytic AI engineering practice — a senior-only team shipping production AI systems for clients across hospitality, fintech, insurance, healthcare, legal, and MSP.

Email →More about the team →
Related reading

More from the blog.

PLANNER
Architecture
Anatomy of a production AI agent in 2026
2026-04-12 · 14 MIN
RETRIEVAL · TOP-K
Retrieval
RAG that actually works in production
2026-04-02 · 16 MIN
600MS · TURN LATENCY
Voice AI
Why your voice agent feels off (and how to fix turn-taking)
2026-03-26 · 11 MIN

Want to ship something like this?

Mindlytic builds production AI for hospitality, fintech, insurance, and more. Book a 30-minute discovery call.