Challenge: Existing defenses for indirect prompt injection are limited by static protection mechanisms . existing models prioritize injected rules due to strict alignment, whereas static protections sever the feedback loop required for adaptive reasoning.
Approach: They propose a framework that shifts the paradigm from restrictive isolation to a verify-before-commit protocol.
Outcome: The proposed framework outperforms state-of-the-art dynamic defenses by reducing the attack success rate by over 22% while more thandoubling utility under attack compared to static baselines.

Similar Papers

ToolSafe: Enhancing Tool Invocation Safety of LLM-based agents via Proactive Step-level Guardrail and Feedback (2026.findings-acl)

Copied to clipboard

Challenge: Unlike chatbots, autonomous agents act directly on external environments, making tool invocation safety critical for reliable deployment.
Approach: They develop a benchmark for step-level tool invocation safety detection in LLM agents and a guardrail model that proactively detects unsafe tool invoking actions before execution using multi-task reinforcement learning.
Outcome: The proposed model reduces harmful tool invocations of ReAct-style agents by 65% on average and improves benign task completion by 10% under prompt injection attacks.
AGENTVIGIL: Automatic Black-Box Red-teaming for Indirect Prompt Injection against LLM Agents (2025.findings-emnlp)

Copied to clipboard

Challenge: AGENTVIGIL is a black-box optimization framework to exploit indirect prompt injection vulnerabilities . indirect prompts compromise the core of LLM agents by manipulating contextual information rather than direct user prompts.
Approach: They propose a black-box optimization framework to exploit indirect prompt injection vulnerabilities . they use a Monte Carlo tree-based algorithm to iteratively refine inputs .
Outcome: The proposed framework achieves 71% and 70% success rates against two public benchmarks .
IPIGuard: A Novel Tool Dependency Graph-Based Defense Against Indirect Prompt Injection in LLM Agents (2025.emnlp-main)

Copied to clipboard

Challenge: Existing methods for detecting Indirect Prompt Injection (IPI) attacks rely on assumptions about the model's inherent security, which lacks structural constraints on agent behaviors.
Approach: They propose a novel task execution paradigm that models the agents’ task execution process as a traversal over a planned Tool Dependency Graph (TDG).
Outcome: The proposed model reduces unintended tool invocations triggered by injected instructions, enhancing robustness against IPI attacks.
The Task Shield: Enforcing Task Alignment to Defend Against Indirect Prompt Injection in LLM Agents (2025.acl-long)

Copied to clipboard

Challenge: Large Language Model (LLM) agents are becoming conversational assistants . indirect prompt injection attacks pose a critical threat to these systems .
Approach: They propose a novel and orthogonal perspective that reframes agent security . they propose 'task shield' that verifies whether each instruction and tool call contributes to user objectives .
Outcome: The proposed defense reduces attack success rates while maintaining high task utility on the AgentDojo benchmark.
From Allies to Adversaries: Manipulating LLM Tool-Calling through Adversarial Injection (2025.naacl-long)

Copied to clipboard

Challenge: Toolcalling has changed Large Language Model (LLM) applications by integrating external tools, but it also introduces new security vulnerabilities, particularly in the tool scheduling mechanisms of LLM, which have not been extensively studied.
Approach: They propose a framework that exploits vulnerabilities in Large Language Models through adversarial tool injection to execute privacy theft, launch denial-of-service attacks, and manipulate business competition.
Outcome: The proposed framework exploits vulnerabilities in LLM tool-calling systems through adversarial tool injection.
PromptKeeper: Safeguarding System Prompts for LLMs (2025.findings-emnlp)

Copied to clipboard

Challenge: PromptKeeper is a defense mechanism designed to safeguard system prompts . adversarial and regular queries can exploit LLM vulnerabilities to expose hidden prompts.
Approach: PromptKeeper is a defense mechanism designed to safeguard system prompts . it detects both explicit and subtle leakage and regenerates responses using a dummy prompt .
Outcome: PromptKeeper detects and mitigates side-channel vulnerabilities when prompts are exposed . it regenerates responses using a dummy prompt, ensuring outputs remain indistinguishable from typical interactions .
Agents Under Siege: Breaking Pragmatic Multi-Agent LLM Systems with Optimized Prompt Attacks (2025.acl-long)

Copied to clipboard

Challenge: Multi-agent LLMs are prone to adversarial attacks because of constraints such as limited token bandwidth and latency between message delivery.
Approach: They propose a permutation-invariant adversarial attack that optimizes prompt distribution across latency and bandwidth constraints to bypass distributed safety mechanisms within the system.
Outcome: The proposed method outperforms conventional attacks by up to 7 on multiple models.
LLM Safety From Within: Detecting Harmful Content with Internal Representations (2026.acl-long)

Copied to clipboard

Challenge: State-of-the-art guard models rely on terminal-layer representations and overlook safety-relevant features encoded across internal layers.
Approach: They propose a lightweight guard model that harnesses safety neurons from LLM internals without modifying the underlying model.
Outcome: The proposed model outperforms open-source guard models across multiple benchmarks while using 250 fewer trainable parameters.
Rethinking Assessments of Prompt Injection Attacks (2026.findings-acl)

Copied to clipboard

Challenge: Prompt injection attacks are recognized as one of the primary risks faced by LLM-integrated applications in recent years.
Approach: They evaluate prompt injection attacks on LLM-integrated applications across 37 target tasks, 185 injected tasks, 21 attack instructions, and 143,745 queries.
Outcome: The proposed framework provides a solid foundation for assessing vulnerabilities in LLM-integrated applications and evaluating the efficacy of defensive strategies.
OntoGuard: Enforcing Action Admissibility for LLM Agents in Complex Interactive Environments (2026.findings-acl)

Copied to clipboard

Challenge: Existing approaches to large language models (LLMs) are limited by their ability to enforce environmental and behavioral admissibility.
Approach: They propose an ontological framework to guard LLM agents by enforcing environmental and behavioral admissibility.
Outcome: Experiments on ScienceWorld and VirtualHome show that OntoGuard can enforce environmental and behavioral admissibility while preventing invalid actions.

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations