← All posts

Problem-Aware

114 posts on problem-aware.

Indirect Prompt Injection: How RAG and Tool-Use Pipelines Get Compromised Through Retrieved Content

Indirect prompt injection is the attack pattern where adversarial content reaches the model through a retrieved document, a tool result, or any other source the model treats as part of its context. The attacker never interacts with the application directly. The injection succeeds when the model executes the embedded instructions on the next retrieval or the next agent loop iteration. RAG pipelines and tool-using agents are exposed by construction. This piece walks through the attack mechanics, the surface area in production deployments, why the model alone cannot defend, and the request-boundary controls that produce a defensible posture.

indirect-prompt-injectionragtool-usellm-securityai-securityinline-enforcement
Read post →

AI Security for RAG Systems: The Inspection Layer Between the Retrieval Output and the Model Call

Retrieval-augmented generation systems read documents from a vector store or a search backend into the model context window before the model reasons. The retrieval step is the point where the system pulls content of varying provenance, authorization, and trustworthiness into the prompt. The security boundary sits at the HTTP path between the retrieval output and the model call. This piece walks through the threat model RAG opens, the identity and authorization decisions the inspection layer commits, the audit record for retrieval-derived content, and the indirect prompt injection surface the retrieved documents expose.

ragai-securityindirect-prompt-injectionidentity-awareaudit-logsretrieval
Read post →

AI Security for Internal Copilots: The Identity, Data, and Audit Controls a Production Deployment Has To Run

Internal copilots reach across the organization with the user identity that opens the copilot session and the application identity that calls the model. The boundary between the two identities is where the security and audit obligations sit. This piece walks through the request-time data the copilot reads, the identity-aware policy decisions the deployment has to commit, the audit record format that survives EU AI Act and HIPAA review, and the architectural pattern that closes the post-authentication gap most internal copilots leave open.

internal-copilotai-securityidentity-awareaudit-logsinline-enforcementpost-authentication-gap
Read post →

AI Security for Customer Support Bots: The Inspection Layer Between the Bot and the Customer Data

Customer support bots reach customer records, payment data, account history, and PII at request time through tool calls and retrieval. The bot reads customer data into the LLM context window, the LLM reasons over it, and the bot acts on the result. The security boundary sits at the HTTP path between the bot and the upstream LLM and tool APIs. This piece walks through the data flows the bot exercises in production, the identity and authorization decisions the inspection layer commits, the audit record the customer auditor and the regulator consume, and the prompt-injection surface that retrieved customer content opens.

customer-support-botai-securityidentity-awareaudit-logsindirect-prompt-injectionpii
Read post →

AI Audit Logs: The Format Spec That Survives EU AI Act, DORA, and Fannie Mae Review

AI audit logs that survive regulatory review carry a specific set of fields the EU AI Act Article 12, DORA Article 19, Fannie Mae LL-2026-04, NIST AI RMF, and HIPAA all expect on the same record. The fields cover identity, decision provenance, model identity, policy state, and integrity metadata. The format has to support per-record retrieval and per-series replay. The write path has to sit outside the application so the application cannot modify the record. This piece walks through the field-level format specification, the integrity model, the storage characteristics, and the deployment pattern that produces records the regulator and the customer auditor will accept.

ai-audit-logsaudit-logseu-ai-actdoracomplianceinline-enforcement
Read post →

The Accountability Gap in Agentic AI Pipelines: Who Owns the Decision When the Agent Acts

Agentic AI pipelines compose multiple model calls, tool invocations, and external retrievals into a single autonomous workflow. The compositional structure produces an accountability gap: the record series the application keeps shows the workflow outcome, the record series the model provider keeps shows the inference call, and neither shows who authorized the agent to act with whose authority at the moment of action. This piece walks through where the gap appears in production pipelines, the structural reason application logs cannot close it, and the inspection-layer record series that produces a defensible answer.

agentic-aiai-agent-accountabilityaudit-logsinline-enforcementnist-ai-rmfai-security
Read post →