Prompt Injection Is an Agent Problem, Not a Model Problem

Dev.to AI
Generative AI

In early 2023, researchers at the CISPA Helmholtz Center for Information Security published a paper that should have been a turning point. They called the technique indirect prompt injection - embedding adversarial instructions in content an LLM agent reads from external sources, rather than in the user's own input. They demonstrated attacks against Bing Chat, GitHub Copilot, and a range of plugin-enabled systems.