Built-in safety filters fail when attackers use obfuscation, multi-turn escalation, or indirect prompt injection to change the model’s interpretation of allowed behaviour. The result is that the session still looks valid while the output or action becomes unsafe. Enterprises then lose visibility into the coercion path until data has already moved.
Why This Matters for Security Teams
Built-in safety filters are useful, but they are not a complete security boundary for autonomous or semi-autonomous assistants. They judge text in the moment; they do not reliably understand the full chain of intent, prior turns, hidden instructions, or the trustworthiness of the data source. That gap matters because attackers do not need to “beat” the filter in a single prompt. They can shape the session over time, smuggle instructions through retrieved content, or coerce the model into treating unsafe actions as allowed workflow steps. NIST’s NIST Cybersecurity Framework 2.0 is clear that governance must account for risk management across the full lifecycle, not just visible output checks. For AI-specific governance, current guidance is moving in the same direction through NIST Cybersecurity Framework 2.0 and the NIST AI risk work, which both imply that control points must exist before, during, and after model invocation. NHIMG research on DeepSeek breach shows why exposed data and hidden secrets can turn an assistant into an attacker’s amplifier once the model starts consuming untrusted material. In practice, many security teams encounter the failure only after an assistant has already leaked data, executed a tool action, or embedded unsafe instructions into a legitimate workflow.
How It Works in Practice
When safety filters are the only control, the model becomes a policy engine by implication, which is exactly where things go wrong. A safer pattern is to separate content filtering from authorisation and identity. The assistant should authenticate as a workload, receive just-in-time credential provisioning for a single task, and operate under short-lived secrets rather than standing access. That is the operational direction reflected in agentic guidance from NIST Cybersecurity Framework 2.0 and the emerging AI governance thinking behind NIST Cybersecurity Framework 2.0. The security decision should be made at request time using intent-based, context-aware authorisation, not only at prompt time.
- Use workload identity so the platform knows what the agent is, not just what token it holds.
- Issue ephemeral credentials per task, then revoke them automatically on completion or timeout.
- Enforce role-based access as a floor, but make runtime policy the real decision point for tools, data, and actions.
- Inspect retrieval inputs, tool outputs, and system messages as separate trust zones because indirect prompt injection often enters through those channels.
- Log the coercion path, including prompts, retrieved content, tool calls, and authorisation decisions, so responders can reconstruct how behaviour changed.
NHIMG’s DeepSeek breach coverage is a useful reminder that once sensitive material is exposed, an assistant can be manipulated into helping with reconnaissance or data movement even when the original user session still appears valid. These controls tend to break down when the assistant has broad tool access across multiple systems because the model can chain actions faster than a human operator can notice the escalation.
Common Variations and Edge Cases
Tighter control of assistants often increases latency, workflow friction, and engineering overhead, so organisations have to balance safety against usability and operational cost. There is no universal standard for this yet, but best practice is evolving toward layered control rather than relying on a single model-side filter. In lower-risk chat use cases, content moderation may be enough. In higher-risk environments, especially where assistants can write code, query production data, or trigger tickets and deployments, policy must live outside the model and be evaluated in real time. That is the direction suggested by NIST Cybersecurity Framework 2.0 and reflected in the governance expectations of DeepSeek breach analysis, where exposure and trust failures compound quickly.
Edge cases usually appear when teams mix autonomous behaviour with legacy IAM. Static RBAC assumes predictable access patterns, but agentic systems are goal-driven and may reach the same outcome through different tools, APIs, or service accounts. That makes zero standing privilege, just-in-time access, and runtime policy evaluation far more important than a single approval at session start. Guidance is also less mature for multi-agent pipelines, where one agent can inherit context from another and unintentionally inherit its trust assumptions. Current guidance suggests treating those handoffs as security boundaries, not just workflow steps. When assistants operate across untrusted content, external tools, and privileged back-end systems at once, built-in filters alone are too shallow to prevent misuse.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Targets prompt injection and unsafe agent actions. |
| CSA MAESTRO | M1 | Covers governance for autonomous AI agents and tool use. |
| NIST AI RMF | Addresses AI risk governance across the full lifecycle. |
Add pre, in-flight, and post-action controls instead of relying on output filters.
