
Comment by ozim

3 hours ago

Quite simple: you make a harness, and loads of people are building harnesses as we speak.

Right now a lot of people are also building in a way where they give sample data to the LLM so that the AI agent builds deterministic code for crunching the data, so the actual data doesn't go to the LLM and is processed by regular code; only the code for processing is written by the agent.

You can always process only descriptions that are in the list, and for ones that are not recognized "ask a human", so just an allowlist. I do believe a normal person would have most transactions that are mostly the same and then a couple that stand out, so you can also make the allowlist from the last 2 years as a starting point, not to bother people too much (I think no one has prompt injection in their last 2 years of banking history, besides ultra nerds maybe).

I think by now it is common knowledge that "just dump all data at the LLM and ask some questions" or "let the LLM process anything someone sends me in an e-mail" is silly.

In "the standoff" Pliny was trying to hack tszzl's harness and it wasn't working, and Pliny is notorious for jailbreaking LLMs.

I've noticed that for tasks that require consistency across a very large body of text, like translating strings of a very large doc, the approach of letting the agent split it up and programmatically do it bit by bit is much worse in quality than just dumping it all in a single LLM context.

  • I guess someone is doing a harness for that use case then. I was mostly thinking about payment transfer descriptions, which mostly would be more like a sentence. More about data lines like CSV, as that would be what is used in banking.

    Lots of known attacks can be found with static analysis of text, even in long text blocks; finding "unexpected characters", finding "white text on white background" will still prevent a lot of attacks, I believe. If you find any IOC in a text, just don't process the text: write it to a log file, document it and let some person make a decision.
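The allowlist-plus-static-check gate the comments above describe, as an added example that is not from any commenter: an allowlist is bootstrapped from past transaction descriptions (a constructed sample history stands in for the two years of statements), each new description is first scanned for unexpected characters (control, format and other non-printing code points, which is where zero-width and bidi-override tricks live), anything flagged is quarantined and logged for a human, and clean-but-unseen descriptions are routed to "ask a human" rather than to the LLM. The category set and the log format are assumptions of this example.

```python
import unicodedata

# Unicode general categories that should never appear in a plain payment
# description: control (Cc), format (Cf: zero-width, bidi overrides),
# private use (Co) and unassigned (Cn) code points. Assumed set for this example.
UNEXPECTED_CATEGORIES = {"Cc", "Cf", "Co", "Cn"}

def unexpected_chars(text: str) -> list[str]:
    """Static check: list the code points in text that fall in a suspicious category."""
    return [f"U+{ord(c):04X}" for c in text
            if unicodedata.category(c) in UNEXPECTED_CATEGORIES]

def normalize(description: str) -> str:
    """Canonical form used for allowlist membership (case and whitespace folded)."""
    return " ".join(description.upper().split())

def build_allowlist(history: list[str]) -> set[str]:
    """Bootstrap the allowlist from past descriptions, skipping any that fail the check."""
    return {normalize(d) for d in history if not unexpected_chars(d)}

def triage(description: str, allowlist: set[str], review_log: list[dict]) -> str:
    """Return 'auto' (safe to hand to the deterministic pipeline), 'quarantine'
    (indicator found: do not process, log it for a human) or 'ask_human'
    (clean but unseen description: a person decides and may extend the allowlist)."""
    flagged = unexpected_chars(description)
    if flagged:
        # repr() keeps the invisible characters visible in the log entry.
        review_log.append({"verdict": "quarantine", "description": repr(description),
                           "indicators": flagged})
        return "quarantine"
    if normalize(description) in allowlist:
        return "auto"
    review_log.append({"verdict": "ask_human", "description": description})
    return "ask_human"

# Constructed sample history standing in for two years of statements.
HISTORY = ["Salary ACME Corp", "Rent May", "Grocery Mart 1234", "rent june"]
ALLOWLIST = build_allowlist(HISTORY)

if __name__ == "__main__":
    log: list[dict] = []
    # Constructed inputs: a known description, one with an embedded zero-width
    # space (U+200B), and a clean description never seen before.
    for d in ["SALARY acme corp", "Grocery\u200b Mart 1234", "New landlord deposit"]:
        print(d.encode("unicode_escape").decode(), "->", triage(d, ALLOWLIST, log))
    for entry in log:
        print(entry)
```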