← Back to context

Comment by chrisandchris

13 hours ago

Partially, you could still deploy the AI in an isolated envirnoment. If there's nothing to access, there's no prompt injection.

But who will have thought about something not being a SaaS but rather on-premises...

> Partially, you could still deploy the AI in an isolated envirnoment. If there's nothing to access, there's no prompt injection.

If there's nothing to access, there's only limited value in using an LLM in the first place.

If your LLM is prevented from accessing anything other than the prompt, the only use is interactive use by the user; no automatic work done on any workflow items.

  • Honest question: couldn't this be solved by setting the authorization level of the agent the same as the user that prompted the question?

    In this post's example, the agent would be limited by the author's scope inside the organization and, therefore, be incapable of exposing any unwanted file.

    • > Honest question: couldn't this be solved by setting the authorization level of the agent the same as the user that prompted the question?

      No.

      > In this post's example, the agent would be limited by the author's scope inside the organization and, therefore, be incapable of exposing any unwanted file.

      That still allows prompt injection to exfiltrate the authors files. That's the whole exploit - files that the author has, that he doesn't want exfiltrated.

If you feed data to a LLM then there will always be a prompt injection. What you described is limiting the damage that the prompt injection can do, but also its usefulness.

  • Why is it limiting the usefulness?

    You have a set of apis that user can access to do something, the llm uses those same apis. How is that limiting usefulness? By not invoking apis user is not allowed to?

    • The only way to mitigate the damage an LLM can do because of prompt injection is to limit what that LLM can do in the first place. That’s what they mean by limiting its usefulness. If an LLM has access to an api and I want it to abuse that API in some way, I can attack its prompt and eventually get it to use the api the way I want

      2 replies →