Agent Security And Prompt Injection
---
title: Agent Security And Prompt Injection
owner: Prompthon IO
updated: 2026-06-07
depth: advanced
region_tags:
- global
coding_required: optional
external_readings:
- title: "OpenAI: Designing AI agents to resist prompt injection"
url: https://openai.com/index/designing-agents-to-resist-prompt-injection/
- title: "OpenAI: Understanding prompt injections"
url: https://openai.com/safety/prompt-injections/
- title: "OpenAI Help: Lockdown Mode is now available to all logged-in users"
url: https://help.openai.com/en/articles/6825453-chatgpt-release-notes
- title: "OpenAI API: MCP and Connectors"
url: https://developers.openai.com/api/docs/guides/tools-connectors-mcp
- title: "OpenAI API: Building MCP servers"
url: https://developers.openai.com/api/docs/mcp
- title: "OpenAI API: Computer use"
url: https://developers.openai.com/api/docs/guides/tools-computer-use
- title: "Model Context Protocol: Security Best Practices"
url: https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices
status: draft
---
import SupportCTA from "/snippets/support-cta.mdx";
<SupportCTA />
## Summary
Prompt injection turns agent security into a system-design problem. Once an
agent can browse, read files, call connectors, or trigger write actions, the
real question is no longer just "can the model detect bad text?" It becomes
"which untrusted inputs can reach which dangerous actions, under which review
and containment controls?"
## Why It Matters
Prompt injection is not only a prompt-quality issue. It is an architecture
issue that shows up wherever untrusted content and real capability meet.
- Web pages, emails, PDFs, chat logs, connector payloads, and tool outputs can
all carry hostile instructions.
- The riskiest failures usually involve `sources` plus `sinks`: untrusted input
reaches a capability that can exfiltrate data, change state, or take action
for the user.
- Better model behavior helps, but production systems still need boundaries,
approvals, and logs in case some attacks succeed.
That is why the current security signal around Lockdown Mode is useful for the
handbook: it frames prompt injection as a control-surface problem, not only a
model-intelligence problem.
## Mental Model
Use a four-part review:
1. `sources`: where untrusted content enters the run
2. `sinks`: which tools, connectors, or side effects could become dangerous
3. `boundaries`: what isolation, auth, or scope limits stand between them
4. `confirmations`: which actions require human approval before the system
proceeds
The key design move is to assume some malicious content will be seen. The goal
is to make sure seeing it does not automatically grant power.
## Architecture Diagramwhen to use it
Community prompt sourced from the open-source GitHub repo Prompthon-IO/agent-systems-handbook (NOASSERTION). A "Agent Security And Prompt Injection" style prompt — adapt the placeholders and specifics to your task. Imported as-is and not independently retested here, so check the output before relying on it.
tags
productivitycommunitydeveloper
source
Prompthon-IO/agent-systems-handbook · NOASSERTION
more in Productivity
Productivity✓ tested
Summarize a doc into decisions & actions
chief of staff who extracts what to DO, not just what was said
Productivity✓ tested
Draft a reply to a hard email
calm, direct communicator who de-escalates without caving
Productivity✓ tested
Turn a brain-dump into a weekly plan
planning coach who protects your focus, not just your calendar