Instructions And Data Are The Same Thing
It is worth being plain about the uncomfortable part: prompt injection has no complete solution today, and anyone who tells you otherwise is selling something. The problem is structural. Traditional injection flaws such as SQL injection were ultimately solved by separating code from data - the parameterised query, where the database is told unambiguously which part is instruction and which is value. A language model has no equivalent. There is at present no way to mark a region of the context window as "untrusted data, never to be obeyed" and have the model reliably honour it. Some day, we may be able to mark each token as "code" or "data", analogous to the W^X protections that modern operating systems enforce. But this is not possible with current models, and implementing it would likely require training new masked-attention models from scratch.
Every defence is therefore partial - string filters against known-bad prompts, sentiment analysis on all untrusted text, delimiters in the context, an instruction hierarchy the model usually respects, and multi-agent setups like the Dual LLM pattern. We test these defences honestly, but our realistic conclusion is that while prompt injection can be made more or less difficult, it cannot be made impossible. Realistic security must thus rely on containment, not prevention, and it is contained by limiting what an injected model can reach and do - the domains of our Data Disclosure and Agent Security assessments.