Why is defending LLMs described as a "cat-and-mouse game," and what defense strategy follows from that?
Adversarial prompts evolve faster than defenses, and no statistical model can give logical guarantees about adversarial inputs — so you fall back on defense-in-depth: architecture, detection, and response.
The hard truth: adversarial prompts evolve constantly, new bypasses emerge faster than defenses ship, and — fundamentally — no statistical model can provide logical guarantees about adversarial inputs. There is no "patch" that ends prompt injection.
So the realistic strategy is defense in depth across three pillars:
- Architecture — minimize the attack surface: minimize sensitive context, least-privilege capabilities, isolate untrusted data, enforce structure.
- Detection — layer multiple mechanisms: input screening, output monitoring / structural validation, behavioral analysis, red teaming.
- Response — user accountability, human-in-the-loop escalation, rate limiting, automated circuit breakers.
Real deployments (OpenAI, Anthropic) use multiple protection layers and improve over time — but no deployed system offers complete protection yet.
Tip: Accept you can't prevent injection; design so that a successful injection can't do much damage (least privilege, isolation) and gets caught and attributed (detection, accountability).