Isolation as a First-Class Principle for LLM-Agent System Safety: Concepts, Taxonomy, Challenges and Future Directions
Quick Answer
This paper shows that This survey advocates for isolation as a core principle in LLM-agent system safety, addressing failures like prompt injection and tool misuse.
Quick Take
This survey advocates for isolation as a core principle in LLM-agent system safety, addressing failures like prompt injection and tool misuse. It proposes a boundary-centric taxonomy to identify where isolation is lost and how vulnerabilities propagate, guiding future research agendas.
Key Points
- Isolation separates user inputs, tool access, and execution channels to enhance safety.
- The taxonomy includes five boundaries: user-agent, agent-tool, agent-execution, agent-agent, and system-environment.
- Identifying failure paths helps in developing targeted defenses at each interface.
- The literature is fragmented, complicating the understanding of structural causes of failures.
- Future research should focus on isolation-by-construction in agent systems.
Paper Resources
📖 Reader Mode
~2 min readAuthors:Huihao Jing, Wenbin Hu, Shaojin Chen, Haochen Shi, Sirui Zhang, Hanyu Yang, Changxuan Fan, Zhongwei Xie, Hongyu Luo, Wun Yu Chan, Wei Fan, Haoran Li, Yangqiu Song
Abstract:The capability of LLM agents to function as the ``brain'' of a system fundamentally expands the scope of analysis beyond a standalone model. Consequently, safety is no longer only about input--output content alignment. It also concerns system behavior and real-world execution outcomes. However, the current literature is fragmented across attack types, applications, and benchmarks. This makes it hard to explain why failures such as prompt injection, tool misuse, and memory poisoning often share the same structural cause, and how they spread through an agent workflow. In this survey, we treat isolation as a first-class principle for LLM-agent system safety. By isolation, we refer to the separation of user inputs, tool access, execution channels, inter-agent communication, and environment-originated context. We organize the literature with a boundary-centric taxonomy of five boundaries: user-agent, agent-tool, agent-execution, agent-agent, and system-environment. This view helps identify where the loss of isolation first occurs, how compromise propagates across boundaries, and which defenses are most relevant at each interface. We also summarize cross-boundary failure paths, discuss open challenges, and outline a research agenda for isolation-by-construction in future agent systems.
| Subjects: | Artificial Intelligence (cs.AI) |
| Cite as: | arXiv:2607.12406 [cs.AI] |
| (or arXiv:2607.12406v1 [cs.AI] for this version) | |
| https://doi.org/10.48550/arXiv.2607.12406 arXiv-issued DOI via DataCite (pending registration) |
Submission history
From: Huihao Jing [view email]
[v1]
Tue, 14 Jul 2026 06:25:35 UTC (481 KB)
— Originally published at arxiv.org
Want this in your inbox every morning?
Daily brief at your local 8am — bilingual EN/中文, free.
More from arXiv cs.AI
See more →The Emerging Paradigm of Geospatial Foundation Models: From Pre-Training to Agentic Reasoning
The paper introduces Geospatial Foundation Models (GeoFMs), AI/ML models pre-trained on extensive geospatial datasets, enabling domain experts to fine-tune them for specific tasks. This paradigm shift democratizes access to advanced AI/ML while ensuring security, and proposes a framework for cost-effective adaptation strategies. The vision of Agentic Geospatial Reasoning is also presented, where Large Language Models orchestrate GeoFMs to automate complex analytical workflows.