Comment by bilekas
8 hours ago
I am not OP, but completely isolating the AI from any actions other than what's expected would be a start. IE a specific API only for the AI, in which there is not even any access for the prompt injection to even make sense. But just an idea from an onlooker.
I can recommend having a look at secure design patterns for LLM agents. Simon Willison has a great post on this: https://simonwillison.net/2025/Jun/13/prompt-injection-desig...
Now that you mention it, why don't we encrypt injectable data that comes from users and only decrypt it on the client?
You mean, use encryption (+base64 or something) as a "poor man's" string-escape? Interesting idea!
The issue is that certain questions may genuinely require the LLM to have the raw descriptions. For example, "List my grocery store transactions".