← Back to Library

Soft Instruction De-escalation Defense

Authors: Nils Philipp Walter, Chawin Sitawarin, Jamie Hayes, David Stutz, Ilia Shumailov

Published: 2025-10-24

arXiv ID: 2510.21057v1

Added to Library: 2025-11-14 23:08 UTC

Red Teaming

📄 Abstract

Large Language Models (LLMs) are increasingly deployed in agentic systems that interact with an external environment; this makes them susceptible to prompt injections when dealing with untrusted data. To overcome this limitation, we propose SIC (Soft Instruction Control)-a simple yet effective iterative prompt sanitization loop designed for tool-augmented LLM agents. Our method repeatedly inspects incoming data for instructions that could compromise agent behavior. If such content is found, the malicious content is rewritten, masked, or removed, and the result is re-evaluated. The process continues until the input is clean or a maximum iteration limit is reached; if imperative instruction-like content remains, the agent halts to ensure security. By allowing multiple passes, our approach acknowledges that individual rewrites may fail but enables the system to catch and correct missed injections in later steps. Although immediately useful, worst-case analysis shows that SIC is not infallible; strong adversary can still get a 15% ASR by embedding non-imperative workflows. This nonetheless raises the bar.

🔍 Key Points

  • Introduction of Soft Instruction Control (SIC), an iterative prompt sanitization loop to defend against prompt injection attacks in tool-augmented LLM agents.
  • SIC modularly processes untrusted input by rewriting, masking, or removing instructions, ensuring only safe commands reach the agent.
  • Empirical evaluations reveal that SIC achieves a 0% attack success rate (ASR) under a range of adversarial attacks, substantially reducing the risk of compromised agent behavior.
  • SIC maintains high utility on benign tasks while critically engaging with security-utility trade-offs; examples show careful balancing of benign instructions and attack prevention.

💡 Why This Paper Matters

The presented SIC method marks a significant advancement in the defense strategies against prompt injection attacks for Large Language Models integrated within autonomous systems. It provides a practical and effective solution that allows agents to operate securely while interacting with untrusted data, highlighting that security against adversarial inputs can be enhanced significantly without drastic compromises on performance.

🎯 Why It's Interesting for AI Security Researchers

This paper is crucial for AI security researchers as it addresses the emerging vulnerabilities faced by large language models in agentic systems, particularly the risks posed by prompt injection attacks. The systematic approach for mitigating these risks, along with empirical evaluations and comparative analyses against existing defenses, provides valuable insights for current and future research in AI security. It raises awareness about the necessity of robust defenses in deployed AI systems, especially as they become more autonomous and integrated into various applications.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF