arXiv:2606.27567v1 Announce Type: cross Abstract: Prompt injection is the top security risk for LLM-integrated applications, yet every defense proposed so far has been broken. We prove this is not a coincidence: in shared-embedding architectures that lack enforced control-data separation, perfect prompt-injection prevention is mathematically impossible. We formalize prompted systems as Prompted Action Models whose outputs include control-authoritative actions: refusal decisions, tool authorization, policy routing, and memory writes. We define Semantic-Faithful Control (SFC), the property that
This research provides a foundational mathematical proof relevant to a pervasive security vulnerability in emerging AI systems, prompted by ongoing industry efforts to mitigate prompt injection.
A strategic reader should care because this fundamental limitation impacts the security and reliability of all LLM-integrated applications, suggesting that current defense strategies are inherently flawed.
The understanding of AI security changes from a solvable engineering problem to one with inherent architectural constraints, forcing a re-evaluation of system design principles for LLM applications.
- · AI architecture researchers
- · Hardware developers for secure enclaves
- · Specialized control plane software vendors
- · Developers relying solely on prompt engineering defenses
- · Companies with significant prompt-injection vulnerable applications
- · AI models lacking control-data separation
System designers will need to implement more robust architectural separation between instructions and data in AI models to achieve better security.
This could drive innovation in new AI model architectures that inherently support control-data separation, potentially leading to specialized hardware.
Increased adoption of secure by design principles might slow down rapid deployment of some AI applications but ultimately lead to more trustworthy and resilient AI systems across critical infrastructure.
This signal links to a primary source. Continuum Brief monitors and indexes it as part of the live intelligence stream — we do not republish source content.
Read at arXiv cs.LG