How would you defend an LLM application against prompt injection?

The short answer

No single fix is complete, so defenses are layered: separate trusted instructions from untrusted data, constrain and least-privilege the tools and actions the model can take, validate and sanitize inputs and tool outputs, add output guardrails and injection classifiers, and keep a human in the loop for sensitive actions. Treat all external or retrieved content as untrusted.

How to think about it

No single fix is complete, so defenses are layered: separate trusted instructions from untrusted data, constrain and least-privilege the tools and actions the model can take, validate and sanitize inputs and tool outputs, add output guardrails and injection classifiers, and keep a human in the loop for sensitive actions. Treat all external or retrieved content as untrusted.

Learn it properly Prompt injection & guardrails

Keep practising

What is prompt injection and how do you defend against it? What prompt engineering techniques should every LLM practitioner know? What is prompt injection, and what is the difference between direct and indirect injection? What is MLSecOps, and what are the main threats across the ML lifecycle? When should you use prompt engineering versus fine-tuning to adapt an LLM?

All NLP & LLMs questions

Explore further

Agent Security ML security (MLSecOps) LLM evals & LLM-as-judge

Prompt Injection Guardrails Prompt Engineering Confused Deputy