How stateful contextual policies block a prompt injection attack where individual steps look harmless
by Nishith Sinha and Matei Zaharia
• The attack: An indirect prompt injection breaks data theft into ordinary steps: read a document, read another, write a summary, and send it out. No single agent or model can catch this, because each step is within its permissions and looks fine in isolation. The attack is only visible across the whole session.
• The defense: A single contextual policy implemented with Omnigent tracks risk across the session and blocks the outbound step once the agent has read too much sensitive material. We show it stopping the attack live, with no other change to the agent.
• Tamper resistance: The agent cannot override the guard or switch it off. It has no tool to remove or weaken a policy; adding one requires human approval, and when policies combine, any denial wins.







