Why it matters

Prompt isolation defends injection. Foundation for LLM app security.

Advertisement

The architecture

System prompt: trusted.

User input: untrusted, delimited.

Parser distinguishes.

Prompt isolation flowSystem prompttrustedDelimit + escapeuser inputLLM enforcesboundaryProvider role separation (system + user + tool) is minimum; add explicit delimiters
Prompt isolation.
Advertisement

How it works end to end

Provider roles: system, user, tool.

Delimiter: XML tags, structured JSON.

Signal untrusted content clearly.

Instruction hierarchy models.