Comment by mickayz

5 days ago

Thanks for the feedback! One small bit of clarification: the framework would describe access to any sensitive system as part of the [B] circle, not only private systems or private data.

The intention is that an agent that has removed [B] can write state and communicate freely, but not with any systems that matter (wrt critical security outcomes for its user). An example of an agent in this state would be one that can take actions in a tight sandbox or is isolated from production.