
Key facts.
- AgentDojo (97 tasks, 629 security tests, NeurIPS 2024) found prompt-injection attacks succeed against the best agents in under 25% of cases, falling to about 8% with defenses.source
- Agents solve under 66% of AgentDojo tasks even with no attack, so utility and security both have headroom and trade against each other.source
- A support agent summarizing customer records handles exactly the sensitive data that regulations like GDPR and HIPAA govern, raising the stakes of any leak.source
Why is a data-reading support agent a compliance event?
AgentDojo shows injection landing near 8% with defenses; a more capable model inherits the breach, the rework is yours. (arXiv:2406.13352)
Support agents read data. That's a privacy risk. Not because the agent is poorly designed. Because reading data and exfiltrating data use the same access path. AgentDojo ran 629 security tests against real agent setups and found injection attacks land under 25% of the time with no defenses. Drop to 8% with defenses active. That's from arXiv 2406.13352 (NeurIPS 2024). Eight percent isn't small when the data is health records. GDPR doesn't have a clause for "the model was tricked." Neither does HIPAA.
The same test found agents complete under 66% of tasks without any attack at all. So you're not choosing between a secure agent and an unsafe one. You're choosing where to draw the line on what the agent can reach and what it can send back out.
Scope the read access to what the task actually needs. Treat everything in a customer record as potentially hostile input. Validate what leaves before it leaves. That combination narrows the blast radius from 25% down toward 8%, and it means when an injection does land, and some will, the attacker hit a small target, not an open one.

How do you contain it?
Contain it. Scope access. Validate output. Customer record content is untrusted. When a hijack lands, limit what it can reach. AgentDojo says some will always land. You want that to mean a small target with limited damage, not open access with nothing checking what goes out the other side.
| Posture | If an injection lands |
|---|---|
| Broad access, unvalidated output | Sensitive data can be exfiltrated |
| Scoped access, validated output | Reach and damage are bounded |
Scoping access and validating output to those patterns is part of what VibeModel does as the Pattern Intelligence Layer. We model the patterns of a support task's legitimate data access and its safe outputs. The agent reads only what it needs and cannot be steered into leaking what it touched.
Frequently asked questions
Can I just trust customer-provided text?
No. Treat it as untrusted; it can carry hidden instructions. AgentDojo shows injection through tool data succeeds at meaningful rates.
Do defenses make the agent safe?
They cut attack success substantially, to roughly 8% in AgentDojo, but not to zero. Pair them with scoped access and output validation.
Whose compliance problem is a leak?
The company's. Regulations govern the data regardless of how the agent was tricked into exposing it.

