Trusted Prompts (zero2data.substack.com)

Trusted Prompts is a proposed trust-boundary model for conversational agents that separates “trusted” instructions from “untrusted” payloads to reduce prompt-injection risk and make background agents enterprise-ready. In the UX/API flow a user explicitly creates a trusted prompt via an LLM endpoint, which returns a cryptographic hash the user signs; that prompt (and only prompts created this way) can make tool calls, access the filesystem, or trigger actions. Everything between trusted prompts—LLM responses and ordinary user input—is treated as payload and processed in a sandboxed context so it can never automatically execute tool calls. Providers would temporarily store hashes to detect tampering and enforce that trusted prompts are only created via user action (not via LLM or untrusted inputs). Technically this implies providers must couple sandboxing with a project/agent system that defines project variables, typed data schemas (think Typescript-like contracts) and expected payload formats so untrusted outputs are constrained to data, not instructions. That lets trusted contexts safely act on validated outputs (e.g., emailing top inventory deficits) while avoiding injection. The trade-offs are added development, inference and latency costs and architectural changes for LLM providers, but the security gains are positioned as essential for automating enterprise workflows and safe background agents.