TL;DR: Prompt injection is a security problem, not a content problem, and using one LLM to judge another creates a recursive defense that fails quietly under adaptive attack, according to Lakera. Security boundaries need deterministic enforcement, because the model being protected and the model making the decision share the same adversarial weakness.
NHIMG editorial — based on content published by Lakera: Stop Letting Models Grade Their Own Homework: Why LLM-as-a-Judge Fails at Prompt Injection Defense
Questions worth separating out
Q: How should security teams defend against prompt injection in AI systems?
A: Use deterministic controls outside the model to decide what can reach the application, tools, or memory.
Q: Why do LLM-based prompt defenses fail in real-world attacks?
A: They fail because the judge is exposed to the same adversarial techniques as the protected model.
Q: What breaks when a model is allowed to grade its own prompts?
A: The trust boundary breaks.
Practitioner guidance
- Move enforcement outside the model Use deterministic policy checks before prompts can reach a model that may call tools, retrieve data, or trigger actions.
- Test against indirect and adaptive injection Red-team long prompts, retrieved documents, and multi-step agent paths.
- Separate policy interpretation from policy enforcement Design the control stack so the system that explains behaviour is not the same system that authorises behaviour.
What's in the full article
Lakera's full article covers the operational detail this post intentionally leaves for the source:
- A fuller walkthrough of the recursive failure pattern behind LLM-as-a-judge and why it looks stable in demos.
- Examples of prompt injection defence patterns that use classifiers instead of generative models at the enforcement layer.
- A detailed comparison of runtime guardrails, offline evaluation uses, and where LLM judgement is still appropriate.
- Operational tradeoffs around latency, cost, and consistency when screening prompts at production speed.
👉 Read Lakera's analysis of why LLM-as-a-judge fails at prompt injection defense →
Prompt injection defense: why LLM judges break under attack?
Explore further
LLM-as-a-judge is a control-plane mistake, not just a model-quality mistake. The core failure is architectural: the same probabilistic system is being asked to interpret policy and enforce policy. That collapses the trust boundary and makes the defense attackable through phrasing, context, and retrieval. The implication is that prompt security cannot be built by layering more language interpretation on top of language interpretation.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How should teams decide where to place prompt injection controls?
A: Place hard controls at the point where untrusted text could influence tools, data, or execution. That means non-LLM enforcement before the model, plus separate governance for tool permissions and retrieval. If a control can be steered by the prompt it is meant to inspect, it is not a boundary.
👉 Read our full editorial: LLM-as-a-judge fails as prompt injection defense for AI systems