IVIS
Patterns/Defense Architecture

Defense Architecture

Prompt injection is not reliably detectable by pattern-matching, because malicious content is contextually — not structurally — identifiable. Classifiers are defense in depth; the durable fixes are architectural. This category ranks the 2025–2026 state of the art by leverage, from re-architecture down to scanners.

The organizing lens is the lethal trifecta: exfiltration only becomes catastrophic when an agent simultaneously has (1) access to private data, (2) exposure to untrusted content, and (3) an external communication channel. Remove any one leg and a successful injection can't do damage. Every pattern below either breaks a leg of the trifecta or reduces the probability that an injection reaches a sensitive action.

No single control is sufficient (OWASP LLM01, 2025). Defense in depth is the whole game: separate untrusted content, constrain outputs, minimize privilege, and keep a human on the high-risk writes.

Patterns in this category