[2604.06436] The Defense Trilemma: Why Prompt Injection Defense Wrappers Fail?

Computer Science > Cryptography and Security arXiv:2604.06436 (cs) [Submitted on 7 Apr 2026] Title:The Defense Trilemma: Why Prompt Injection Defense Wrappers Fail? Authors:Manish Bhatt, Sarthak Munshi, Vineeth Sai Narajala, Idan Habler, Ammar Al-Kahfah, Ken Huang, Blake Gatto View a PDF of the paper titled The Defense Trilemma: Why Prompt Injection Defense Wrappers Fail?, by Manish Bhatt and 6 other authors View PDF HTML (experimental) Abstract:We prove that no continuous, utility-preserving wrapper defense-a function $D: X\to X$ that preprocesses inputs before the model sees them-can make all outputs strictly safe for a language model with connected prompt space, and we characterize exactly where every such defense must fail. We establish three results under successively stronger hypotheses: boundary fixation-the defense must leave some threshold-level inputs unchanged; an $\epsilon$-robust constraint-under Lipschitz regularity, a positive-measure band around fixed boundary points remains near-threshold; and a persistent unsafe region under a transversality condition, a positive-measure subset of inputs remains strictly unsafe. These constitute a defense trilemma: continuity, utility preservation, and completeness cannot coexist. We prove parallel discrete results requiring no topology, and extend to multi-turn interactions, stochastic defenses, and capacity-parity settings. The results do not preclude training-time alignment, architectural changes, or defenses that sacr...