# Prompt Injection Defenses for Tool-Using Agents

Status: public
Confidence: medium (0.725) (verified)
Last verified: 2026-06-02
Generation: ai_structured

## TL;DR

Prompt injection defenses for tool-using agents prevent untrusted text from overriding instructions, stealing secrets, or causing unauthorized tool calls.

## Core Explanation

Tool use raises the stakes of prompt injection. A malicious web page, email, ticket, code comment, or retrieved document can ask the agent to ignore instructions, exfiltrate data, or call a tool with harmful parameters.

Defenses need layers: separate instructions from data, mark untrusted content, restrict tool permissions, validate tool inputs, add human approval for risky actions, monitor outputs, and test attacks continuously. The model can help detect suspicious content, but the runtime should enforce the policy boundary.

## Source-Mapped Facts

- OWASP's LLM Prompt Injection Prevention Cheat Sheet describes prompt injection as a vulnerability where malicious input changes an LLM application's intended behavior. ([source](https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html))
- OWASP's 2025 LLM01 risk page identifies prompt injection as a top LLM application security risk. ([source](https://genai.owasp.org/llmrisk/llm01-prompt-injection/))
- Microsoft Azure AI Content Safety documentation describes Prompt Shields for detecting user prompt attacks and document attacks. ([source](https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/jailbreak-detection))

## Further Reading

- [OWASP prompt injection prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html)
- [OWASP LLM01 prompt injection](https://genai.owasp.org/llmrisk/llm01-prompt-injection/)
- [Azure Prompt Shields](https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/jailbreak-detection)
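The layered runtime boundary described in the Core Explanation, as an added example that is not part of the original page or of any of the cited projects: untrusted content is tagged as data before the model sees it, tool arguments are validated against an allowlist, and side-effecting tools wait for human approval. The tool names, the `example.com` domain and the `/workspace/` sandbox root are assumptions.

```python
# Hypothetical runtime policy boundary for a tool-using agent, added here as an
# example: the model may propose tool calls, this layer decides whether each one
# runs, waits for a human, or is refused. Names, domains and paths are assumptions.
import posixpath
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOWED_EMAIL_DOMAINS = {"example.com"}  # assumed company domain
ALLOWED_PATH_ROOT = "/workspace/"  # assumed sandbox root
SIDE_EFFECT_TOOLS = {"send_email", "delete_file"}  # never run without approval
READ_ONLY_TOOLS = {"read_file", "search_docs"}

def wrap_untrusted(source: str, text: str) -> str:
    """Mark retrieved content as data, not instructions, before the model sees it."""
    clean = text.replace("</untrusted>", "")  # content must not fake the closing tag
    return f'<untrusted source="{source}">\n{clean}\n</untrusted>'

@dataclass
class ToolCall:
    name: str
    args: dict

def validate_args(call: ToolCall) -> Optional[str]:
    """Return the policy violation in the call's arguments, or None if they pass."""
    if call.name == "send_email":
        to = str(call.args.get("to", ""))
        if "@" not in to or to.rsplit("@", 1)[1].lower() not in ALLOWED_EMAIL_DOMAINS:
            return f"recipient {to!r} outside allowed domains"
    if call.name in {"read_file", "delete_file"}:
        path = posixpath.normpath(str(call.args.get("path", "")))  # collapses ".." first
        if not path.startswith(ALLOWED_PATH_ROOT):
            return f"path {path!r} outside {ALLOWED_PATH_ROOT}"
    return None

def authorize(call: ToolCall) -> Tuple[str, str]:
    """Return ("allow" | "needs_approval" | "deny", reason); enforced by the runtime."""
    if call.name not in READ_ONLY_TOOLS | SIDE_EFFECT_TOOLS:
        return "deny", f"unknown tool {call.name!r}"
    problem = validate_args(call)
    if problem:
        return "deny", problem
    if call.name in SIDE_EFFECT_TOOLS:
        return "needs_approval", "tool has side effects"
    return "allow", "read-only tool with valid arguments"

if __name__ == "__main__":  # constructed calls of the kind an injected page might push
    for call in (ToolCall("read_file", {"path": "/workspace/../etc/passwd"}),
                 ToolCall("send_email", {"to": "alice@example.com"})):
        print(call.name, authorize(call))
```

Every decision is logged with its reason, so the same function doubles as the monitoring point for unexpected tool-call patterns.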