LLMs have no concept of privilege. Instructions, retrieved docs, user input: same token stream. No way to distinguish a trusted command from a malicious instruction in an uploaded PDF.
That's prompt injection. Not a model bug. An architectural one.
Affects every #rag pipeline, tool-using agent, internal copilot, and workflow automation system.
The fix: enforcement outside the model, not a smarter system prompt.
https://www.pgedge.com/blog/preventing-prompt-injection-attacks-in-your-llm-application