[2602.22724] AgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification

arXiv - AI 4 min read Article

Summary

AgentSentry introduces a novel framework to mitigate indirect prompt injection (IPI) in LLM agents, enhancing their security while maintaining task performance.

Why It Matters

As LLM agents increasingly interact with external tools, they become vulnerable to indirect prompt injection attacks that can manipulate their actions. AgentSentry addresses this critical security gap by providing a robust defense mechanism that preserves user intent and task efficiency, making it highly relevant for developers and researchers in AI safety and security.

Key Takeaways

  • AgentSentry is the first framework to model multi-turn IPI as a temporal causal takeover.
  • It employs controlled counterfactual re-executions to identify and mitigate takeover points.
  • The framework achieves an average Utility Under Attack (UA) of 74.55%, significantly improving performance over existing methods.

Computer Science > Cryptography and Security
arXiv:2602.22724 (cs)
[Submitted on 26 Feb 2026]

Title: AgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification

Authors: Tian Zhang, Yiwei Xu, Juan Wang, Keyan Guo, Xiaoyang Xu, Bowen Xiao, Quanlong Guan, Jinlin Fan, Jiawei Liu, Zhiquan Liu, Hongxin Hu

Abstract: Large language model (LLM) agents increasingly rely on external tools and retrieval systems to autonomously complete complex tasks. However, this design exposes agents to indirect prompt injection (IPI), where attacker-controlled context embedded in tool outputs or retrieved content silently steers agent actions away from user intent. Unlike prompt-based attacks, IPI unfolds over multi-turn trajectories, making malicious control difficult to disentangle from legitimate task execution. Existing inference-time defenses primarily rely on heuristic detection and conservative blocking of high-risk actions, which can prematurely terminate workflows or broadly suppress tool usage under ambiguous multi-turn scenarios. We propose AgentSentry, a novel inference-time detection and mitigation framework for tool-augmented LLM agents. To the best of our knowledge, AgentSentry is the first inference-time defense ...
