Why LLMs are easy to attack
Every traditional security boundary is built on the distinction between data and code. Your SQL has parameters; your shell has argument escaping; your HTML has output encoding. LLMs erase this distinction. There's no special channel for "instructions" โ the model treats everything in the context window as text to interpret, and any text can sound like an instruction.
That's the whole vulnerability. An attacker who can get text in front of the model โ through a user message, a document being summarised, a search result, an email โ can attempt to redirect the model's behaviour. There is no syntactic boundary to prevent it. Prompt injection isn't a bug in any particular model; it's a property of the architecture.
