Prompt Injection Is the New SQL Injection
And we are about ten years behind where we should be on defenses.
SQL injection was solved structurally by parameterized queries — a design pattern that removed the attack surface rather than papering it over. Prompt injection currently has no equivalent. Every mitigation in the field today is heuristic: input filtering, output sanitization, dual-LLM checks, sandboxed tool execution. None of them are sufficient on their own.
The most serious risk class is not jailbreaking the model. It is exfiltrating data through downstream tools the agent legitimately has access to. The recent string of indirect injection incidents — malicious instructions embedded in webpages, emails, calendar invites — has demonstrated that the threat model many teams use is one generation out of date.
Defense-in-depth is currently the only credible posture: assume any context the model sees may be adversarial and design tool access accordingly.
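One way to "design tool access accordingly", shown as an added example that is not from the original article: a gate that decides each tool call from session state rather than from anything the model says, and refuses egress once untrusted content and private data share a context. The tool names, capability labels and the human-approval flag are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical tool registry; names and capability labels are assumptions.
TOOLS = {
    "search_docs": {"reads_private"},
    "read_inbox":  {"reads_private", "ingests_untrusted"},
    "fetch_url":   {"ingests_untrusted", "egress"},
    "send_email":  {"egress"},
    "summarize":   set(),
}

@dataclass
class Session:
    tainted: bool = False        # untrusted content has entered the context
    holds_private: bool = False  # private data has entered the context
    log: list = field(default_factory=list)

def authorize(session, tool, approved_by_human=False):
    """Decide a tool call from session state only, never from model output."""
    caps = TOOLS.get(tool)
    if caps is None:
        decision = "deny:unknown-tool"          # default-deny unregistered tools
    elif ("egress" in caps and session.tainted
          and session.holds_private and not approved_by_human):
        # Attacker-influenced context plus private data plus an outbound
        # channel is the exfiltration path; break it at the channel.
        decision = "deny:egress-after-untrusted-input"
    else:
        decision = "allow"
        # State only ratchets upward; nothing the model emits can clear it.
        session.tainted |= "ingests_untrusted" in caps
        session.holds_private |= "reads_private" in caps
    session.log.append((tool, decision))
    return decision

def run_demo():
    """Constructed call sequence: an agent reads mail, then tries to send."""
    s = Session()
    return [
        authorize(s, "search_docs"),
        authorize(s, "read_inbox"),    # inbox may carry injected instructions
        authorize(s, "send_email"),    # blocked: tainted + private + egress
        authorize(s, "summarize"),     # no egress, still usable
        authorize(s, "send_email", approved_by_human=True),
        authorize(s, "delete_repo"),   # not in the registry
    ]

if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The gate is one layer, in keeping with the article's point that no single mitigation is sufficient: it does not detect injection, it only limits what a compromised context can reach.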