Malicious instructions hidden in retrieved documents, web-search results, tool outputs, or persisted memory are processed by an agent and hijack its decision-making, escalate privileges, trigger unauthorized actions, or exfiltrate data, which is especially dangerous in automated multi-agent workflows.
AI/ML / Multi Agent Refarch / Threats / DEV
Indirect prompt injection via retrieved or processed content
CCC.MARefArc.TH12
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.CP12 | Authoritative knowledge source bases | Internal and external repositories of structured data, unstructured documents, and graph-based representations that provide authoritative information for grounding. |
| CCC.MARefArc.CP13 | Vector-based semantic retrieval | Vector databases providing semantic search and grounding so agents can find relevant information from large text corpora. |
| CCC.MARefArc.CP08 | Built-in trusted tools | A collection of bundled, trusted tools providing fundamental capabilities: the MCP client bridge to the external MCP layer, a sandboxed shell, workspace I/O, and web search. |
| CCC.MARefArc.CP09 | Agent memory | Short-term in-session context management (trimming and summarization to control length, cost, and latency) and durable long-term memory across sessions, including session summaries and user/task personalization. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.CN02 | User, Application, and Model Firewalling | Establish enforced trust boundaries between the user, the application, and the models and tools by routing all traffic through the agent, LLM, and MCP gateways where guardrails inspect and constrain requests and responses. |
| CCC.MARefArc.CN10 | AI Firewall Implementation and Management | Implement and operate an AI firewall within the guardrail components that inspects prompts, content, and responses for injection, sensitive data, and policy violations. |
| CCC.MARefArc.CN12 | Tool Chain Validation and Sanitization | Validate tool selection, sanitize tool-call parameters, and constrain tool sequencing within the runtime and MCP guardrails to prevent manipulation of agent tool use. |
External Mappings
| Framework | ID | Remarks |
|---|---|---|
| air-vec | AIR-SEC-010-02 |