"LLMs collapse the boundary between data and control. Here's how to reconstruct separation before generative systems become un-auditable attack surfaces."

"Once an AI system treats external artifacts as instructions, every artifact becomes part of the control plane."

— A reader, responding to our previous analysis of steganographic attacks on engineering AI.

That comment crystallized a problem larger than poisoned blueprints or malicious DDL comments. It named the architectural rot beneath the surface: Large Language Models have no data plane. Everything in the context window is simultaneously evidence, instruction, and executable code. When context becomes command, the control plane leaks into every artifact the model touches—and traditional security engineering has no vocabulary for the breach.

This article is for infrastructure engineers, security architects, and ML operators who are being asked to deploy LLM agents against production systems. It is not about prompt injection as a bug. It is about separation of concerns as a collapsed abstraction—and how to rebuild it.