Prompt-injection defence

Input quarantine, output schemas, tool allow-lists.

Why it matters

Untrusted content reaches the model via retrieval, tools and user input. Defence-in-depth means treating every one of those channels as adversarial.

Where this sits in the stack

Prompt-injection defence is one of the load-bearing decisions in a KG/RAG/agent system: choices made here propagate to retrieval quality, agent reliability, cost per query, and the on-call burden of whoever ships it. Teams that name this trade-off explicitly ship faster than teams that leave it implicit.

Prompt-injection defence is the building-code of this layer. You can ignore building codes on a shed, but the moment you put two storeys on top of the same foundation they decide whether the structure stands or falls. In a KG/RAG/agent stack, the equivalent of 'two storeys' is the second feature you ship on top of this primitive — GraphRAG on top of chunking, supervisor agents on top of state machines, regression CI on top of metrics. The cost of cutting the wrong corner now is paid by every later layer, with interest.

Untrusted content reaches the model via retrieval, tools and user input. Defence-in-depth means treating every one of those channels as adversarial.