Indirect prompt injection is not just another vulnerability to patch. It is a structural reality of how large language models operate. This session explores how the context window, or "cram hole," contributes to the success of prompt injection exploits and why that reality fundamentally reshapes how we must think about trust, control, and data boundaries in AI systems.
Attendees will learn how system instructions, user inputs, retrieved content, and tool outputs blend into a single token stream. The model does not see trust levels or privilege boundaries. Because models cannot reliably distinguish between authoritative instructions and malicious content, and because nondeterminism makes simple refusal strategies brittle, relying on embedded guardrails alone is insufficient.
By reframing indirect prompt injection as an architectural risk management challenge, this session shifts the focus from patching to design. Participants will leave with practical guidance on designing resilient AI systems that assume compromise, limit blast radius, and build layered controls that reduce harm even when injection attempts succeed.
