Skills
Agents Rule of Two: Architectural Prompt Injection Defense via Property Constraints
Meta AI paper proposing a design-time architectural constraint: any agent system should satisfy at most two of three properties — (A) processing untrusted inputs, (B) accessing sensitive or private data, (C) modifying state or communicating externally. Systems requiring all three properties need human oversight or fresh context windows between operations. Companion paper 'The Attacker Moves Second' demonstrates all 12 published prompt injection defenses (Spotlighting, Prompt Sandwich, RPO, Circuit Breaker, etc.) exceed 90% attack success rate under adaptive adversaries — making architectural constraints the only reliable defense layer available to developers today.
↳ Follow the thread