Mitigating Prompt Injection: Designing Robust Intent Filtering for Autonomous Agents

Autonomous AI agents are increasingly entrusted with system-level access, allowing them to read database contents, call external APIs, and compose user notifications. However, this power exposes them to direct and indirect prompt injection attacks. When an agent reads an untrusted PDF or scrapes a compromised webpage, embedded instructions can override the agent's system prompt, causing it to leak system credentials or execute unauthorized transactions. Here, we analyze how to mitigate this using a deterministic, multi-layered intent filter.

The Challenge: Probabilistic vs. Deterministic Security

Traditional software security relies on deterministic inputs. Large Language Models (LLMs), however, process data probabilistically. Standard guardrails that attempt to filter prompt injections at the prompt level (e.g., instructing the LLM "ignore all text saying 'ignore previous instructions'") are notoriously fragile. A clever attacker can formulate jailbreaks that bypass these defenses.

True security requires separating the reasoning engine (the LLM) from the execution gateway. An autonomous agent should propose actions, but it must never be allowed to execute them directly. Instead, all proposed actions are sent to an independent, deterministic validation layer.

Implementing the Intent Validation Pattern

The intent validation pattern intercepts the agent's output, parses the proposed function calls, and compares them against a rigid JSON schema and a set of predefined security policies. If the parameters violate a rule—such as transferring funds to an unwhitelisted address—the execution is blocked automatically.

def filter_agent_intent(intent: dict, whitelist: list) -> bool:
    # 1. Enforce strict type and structure validation
    action = intent.get("action")
    target = intent.get("target")
    
    # 2. Check targets against deterministic whitelist
    if action == "SEND_FUNDS":
        if target not in whitelist:
            # Block the action and flag a potential prompt injection
            raise SecurityViolationException(f"Unauthorized transfer destination: {target}")
            
    # 3. Check transaction limit boundaries
    value = intent.get("value", 0)
    if value > 500:
        raise LimitsExceededException("Transaction exceeds agent limits.")
        
    return True

Key Strategies for Defensive Architecture

• Structural Validation: Ensure all inputs conform to schema definitions, rejecting unstructured or malformed text before execution.
• Deterministic Whitelists: Never allow an LLM to generate destination endpoints, transaction partners, or database queries freely. All targets must resolve to deterministic whitelists.
• Semantic Parsing: Compare the generated action against the user's original instruction. If the user asked the agent to "summarize an invoice" and the agent tries to "send an email," the intent mismatch triggers a security alert.

Securing Autonomous Ecosystems

Decoupling LLMs from direct execution environments reduces prompt injection from a critical security threat to a minor validation error. By treating LLMs as untrusted generators of intents and using compiled, low-latency validation filters, enterprise engineering teams can build resilient autonomous applications.