Prompt injection attacks represent a serious vulnerability for large language models (LLMs). These attacks consist of tricking the AI, prompting it to perform actions that would normally be blocked. ## How Attacks Work A malicious user can formulate a request in such a way as to bypass the protections built into the LLM. For example, they might request system passwords, private data, or prohibited instructions. The precise wording of the request is able to override the security measures, leading the AI to obey. ## The Difficulty of Protecting LLMs AI vendors can block specific prompt injection techniques once they are discovered, but general safeguards are impossible with today's LLMs. There are an endless number of such attacks waiting to be discovered, and they cannot be prevented universally. This is because LLMs flatten multiple levels of context into simple textual similarity, seeing only "tokens" and not hierarchies or intentions. ## The Importance of Human Context Unlike humans, LLMs do not learn defenses through repeated interactions and remain disconnected from the real world. Humans assess context on multiple levels: perceptual, relational, and normative, weighing these levels against each other. Furthermore, they possess an interruption reflex that leads them to re-evaluate the situation when something seems "off". ## The Limits of AI Agents The problem of prompt injection attacks gets worse when AI agents are given tools and asked to act independently. The lack of understanding of context, combined with overconfidence, can lead to incorrect and unpredictable decisions. ## Possible Solutions Some researchers believe that improvements can be achieved by integrating AI into a physical environment and providing it with "world models." This could help the AI develop a more robust and fluid notion of social identity and real-world experience that helps it overcome its naivety. Ultimately, we may be faced with a security trilemma when it comes to AI agents: fast, smart, and secure are the desired attributes, but you can only get two.