AI Insights · Agents & Sub-Agents

Treat AI Inputs Like Untrusted Code, Not Harmless Text

If your agent reads email, webpages, tickets, or code, the risky part may be what it reasons about after the input arrives.

  1. Separate Reading From Acting

    Do not let one model both inspect untrusted content and execute business actions from the same context. Use a two-step workflow: one pass extracts structured facts, then a separate pass decides what to do using only those facts. The second pass should never see the raw email, webpage, code, or API response unless a human approves it.

  2. Use Schemas As A Firewall

    Convert outside content into a strict schema before it reaches an agent with tools. For example, turn a customer email into fields like sender, request_type, account_id, requested_action, and risk_flags. Drop everything that does not fit the schema, especially instructions aimed at the assistant.

  3. Add A Quarantine Step For Code Review

    Code review is not just text analysis. The model may mentally simulate behavior, including strings and generated output. When reviewing external code, ask first for a neutral parse of functions, inputs, outputs, side effects, and suspicious instruction-like strings, then run a second prompt to evaluate the bug or patch.

  4. Limit Tool Authority By Source

    Agents should earn permissions based on where their context came from. Content from your CRM can trigger low-risk drafts, but content from the open web should not trigger sends, purchases, deletes, database writes, or credential use. Make the source of the information part of the agent's policy, not an afterthought.

  5. Filters Are Not Enough

    Keyword blocks and regex checks only inspect what is visible before reasoning starts. The dangerous instruction may appear only after the model interprets, simulates, or summarizes the input. Build workflows that reduce raw context exposure instead of depending on one big prompt to resist everything.

Why it matters

Small businesses are starting to connect AI to inboxes, support queues, spreadsheets, websites, and internal tools. That is useful, but it also means random external content can influence systems with real authority. The practical fix is not paranoia. It is designing small boundaries: extract before acting, restrict tools by source, and keep raw untrusted text away from high-permission agents.