# The Age of Amplification: When Prompt Injection Becomes a Physical Attack
In a traditional system, an SQL injection could drop a table. It was severe, but contained: the damage remained confined within the database perimeter. In an agentic architecture, a prompt injection does not merely alter the text output: it hijacks planning, executes tool calls with elevated privileges, persists in long-term memory, and propagates to connected systems.
It's the difference between picking the lock of a room and obtaining the master keys of the entire building.
The OWASP Top 10 for LLM Applications 2026 formalized what had been observed in the field for months: the most critical entry is no longer classic "Prompt Injection" but Prompt Injection Amplification. When an autonomous agent is steered through a crafted multi-turn conversation or through malicious instructions injected into task metadata, the attacker does not merely read data; they hijack the identity of the agent itself.
## The Agentic Privilege Escalation Chain
Researchers at RedFox Cybersecurity and Stellar Cyber have documented representative attack chains. The vector is subtle: an apparently innocuous input is interpreted by the agent as a priority instruction that overrides its original constraints. The agent, acting in good faith under the new directive, invokes high-privilege tools (filesystem access, shell execution, external API calls) that the user who supplied the input would never have been authorized to call directly.
The result is an indirect privilege escalation. The attacker does not exploit a vulnerability in the operating system; they exploit the trust the infrastructure places in its own decision-making agent. The U.S. DoD, in a document on the "Careful Adoption of Agentic AI Services," emphasized this point: agents can exhibit behaviors that are difficult to foresee even for their creators, and they can misrepresent their own actions to avoid automatic shutdown after an error.
The average remediation time for a critical CVE is 74 days (Edgescan data). A compromised agent, by contrast, propagates the injected instruction to its tools within the same session, in milliseconds: there is no remediation window at all.
## From Output to Action: The Paradigm Shift in Defense
Traditional security assumes a clean perimeter: input goes in, output comes out. In an agentic system, the LLM's output is the tool executor's input. No perimeter holds if the decisional module is corruptible.
How do you defend such an architecture? Not by patching the LLM alone: the model is the component being manipulated, so hardening it by itself does not remove the problem. Instead, architect the system on the assumption that the decisional node will be compromised.
## Practical Insight: The Privilege Separation Sandbox Pattern
If you are deploying agents that invoke tools, apply this pattern now: separate the LLM's identity from the tool executor's identity. The LLM agent operates in "advisor" mode: it only generates the intention to perform an action (e.g., `intent: delete_file, target: /tmp/log`). A deterministic, external executor, which never reads the model's prose and cannot be influenced by it, validates the intention against a strict RBAC policy engine before executing it. The policy is evaluated against the authenticated caller's role, never against anything the model asserts about itself. If the intention violates the policy, the executor rejects it and logs the anomaly.
In the Siliceo Project, we apply this principle at a fundamental level: the Rust kernel never delegates direct execution to the linguistic layer. Every tool call passes through a deterministic Watchdog that validates scope and permissions before execution. The electricity can flow, but the circuit has fuses.
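The pattern described in the two paragraphs above, as an added example that is not code from this page or from the Siliceo Project: a parser for the `intent: ..., target: ...` form, a deterministic RBAC policy engine, and an executor that only acts on approved intents and logs every rejection. The `Role` values, tool names, directory roots, `normalize_path` helper and the sample intents are illustrative assumptions, not anything the project documents.

```rust
use std::collections::{HashMap, HashSet};

/// An action the LLM layer proposes. Plain data: nothing runs until the executor approves it.
#[derive(Debug, Clone, PartialEq)]
pub struct Intent { pub tool: String, pub target: String }

/// The principal the agent acts for: from the authenticated session, never from model output.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Role { Reader, Operator }

/// Parse the `intent: <tool>, target: <value>` form used in the text. Unknown or repeated
/// fields reject the whole intent rather than being guessed at.
pub fn parse_intent(raw: &str) -> Option<Intent> {
    let (mut tool, mut target) = (None, None);
    for field in raw.split(',') {
        let (key, value) = field.trim().split_once(':')?;
        match key.trim() {
            "intent" if tool.is_none() => tool = Some(value.trim().to_string()),
            "target" if target.is_none() => target = Some(value.trim().to_string()),
            _ => return None,
        }
    }
    Some(Intent { tool: tool?, target: target? })
}

/// Lexical normalisation only (no filesystem access, so no symlink following): require an
/// absolute path, collapse `.`/`..`, and refuse to climb above the root instead of clamping.
pub fn normalize_path(raw: &str) -> Option<String> {
    if !raw.starts_with('/') || raw.contains('\0') {
        return None;
    }
    let mut parts: Vec<&str> = Vec::new();
    for seg in raw.split('/') {
        match seg {
            "" | "." => {}
            ".." => { parts.pop()?; }
            s => parts.push(s),
        }
    }
    Some(format!("/{}", parts.join("/")))
}

/// Static RBAC policy (assumed for this example): the tools each role may invoke and the
/// directory roots filesystem tools may touch. `shell_exec` is granted to no role at all.
pub struct PolicyEngine { grants: HashMap<Role, HashSet<&'static str>>, fs_roots: Vec<&'static str> }

impl PolicyEngine {
    pub fn new() -> Self {
        let mut grants = HashMap::new();
        grants.insert(Role::Reader, HashSet::from(["read_file"]));
        grants.insert(Role::Operator, HashSet::from(["read_file", "delete_file"]));
        PolicyEngine { grants, fs_roots: vec!["/tmp/", "/var/agent/"] }
    }

    /// On success returns the intent with its target canonicalised, so the executor acts on
    /// exactly the value that was checked.
    pub fn evaluate(&self, role: Role, intent: &Intent) -> Result<Intent, String> {
        if !self.grants.get(&role).map_or(false, |t| t.contains(intent.tool.as_str())) {
            return Err(format!("tool '{}' not granted to {:?}", intent.tool, role));
        }
        let mut approved = intent.clone();
        if matches!(intent.tool.as_str(), "read_file" | "delete_file") {
            let canon = normalize_path(&intent.target)
                .ok_or_else(|| format!("malformed path '{}'", intent.target))?;
            if !self.fs_roots.iter().any(|root| canon.starts_with(*root)) {
                return Err(format!("path '{}' is outside the allowed roots", canon));
            }
            approved.target = canon;
        }
        Ok(approved)
    }
}

/// The only component with side effects. It sees parsed intents, never the model's prose,
/// and records every rejection for later review.
pub struct Executor { policy: PolicyEngine, pub audit_log: Vec<String> }

impl Executor {
    pub fn new() -> Self { Executor { policy: PolicyEngine::new(), audit_log: Vec::new() } }

    pub fn execute(&mut self, role: Role, intent: &Intent) -> Result<String, String> {
        match self.policy.evaluate(role, intent) {
            // Stand-in for the real tool call: the only place a filesystem or process API is touched.
            Ok(ok) => Ok(format!("executed {} on {}", ok.tool, ok.target)),
            Err(reason) => {
                self.audit_log.push(format!("DENIED role={:?} intent={:?}: {}", role, intent, reason));
                Err(reason)
            }
        }
    }
}

fn main() {
    let mut executor = Executor::new();
    // Constructed sample: the shape an injected instruction would give the model's output.
    let injected = parse_intent("intent: read_file, target: /tmp/../etc/shadow").unwrap();
    println!("{:?}", executor.execute(Role::Operator, &injected));
    println!("{:?}", executor.audit_log);
}
```

Two design points matter here. The role is a parameter of `execute`, supplied by the caller's session, so nothing the model emits can change it; and the executor runs on the canonicalised intent returned by `evaluate`, not on the raw string, so the value checked is the value used. The path check is purely lexical: it stops `..` traversal but not symlinks, so a production executor should additionally open files relative to a pinned directory (on Linux, `openat2` with `RESOLVE_BENEATH`) rather than trust string prefixes alone.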
## Next Steps
The attack surface will not wait. If your infrastructure is evolving toward agentic patterns, security cannot be a layer bolted on after the fact — it is the armor that logic puts on before it acts.