Isolation as a First-Class Principle for LLM-Agent System Safety: Concepts, Taxonomy, Challenges and Future Directions
Abstract
The capability of LLM agents to function as the ``brain'' of a system fundamentally expands the scope of analysis beyond a standalone model.
Consequently, safety is no longer only about input--output content alignment.
It also concerns system behavior and real-world execution outcomes.
However, the current literature is fragmented across attack types, applications, and benchmarks.
This makes it hard to explain why failures such as prompt injection, tool misuse, and memory poisoning often share the same structural cause, and how they spread through an agent workflow.
In this survey, we treat isolation as a first-class principle for LLM-agent system safety.
By isolation, we refer to the separation of user inputs, tool access, execution channels, inter-agent communication, and environment-originated context.
We organize the literature with a boundary-centric taxonomy of five boundaries: user-agent, agent-tool, agent-execution, agent-agent, and system-environment.
This view helps identify where the loss of isolation first occurs, how compromise propagates across boundaries, and which defenses are most relevant at each interface.
We also summarize cross-boundary failure paths, discuss open challenges, and outline a research agenda for isolation-by-construction in future agent systems.
이 뉴스, 어떠셨어요?
탭 한 번으로 반응 · 로그인 불필요