Causal attribution: an emerging defense against indirect prompt injection

What is this?

Indirect prompt injection (IPI) hides instructions inside content an agent reads — a web page, an email, a RAG document, a tool result — so the agent executes attacker text as if it were a legitimate instruction. Greshake et al. described the class in 2023 (arXiv 2302.12173), and it still sits at the top of the OWASP Top 10 for LLM Applications. What is new is the defensive angle.

Between February and April 2026, several research groups converged — from different directions — on the same idea: instead of trying to recognize malicious strings, ask whether a given tool call is causally explained by the user’s request, or by the untrusted content the agent just ingested. This article covers that emerging “causal attribution” line of defense, anchored on two representative papers — CausalArmor (arXiv 2602.07918, 8 Feb 2026) and AttriGuard (arXiv 2603.10749, 11 Mar 2026) — and the evaluation that explains why it is needed, “Your Agent is More Brittle Than You Think” (arXiv 2604.03870, Apr 2026).

How it works

The shared intuition is a counterfactual: a legitimate action should still be explained by the user’s instruction even if you remove or neutralize the untrusted observation. An action that only appears after the agent has read attacker-controlled content is suspect.

                       Action proposed by the agent
                                  |
                +-----------------+------------------+
                |                                    |
   Re-evaluate with untrusted          Action still produced?
   observation attenuated / removed     ├── yes → attributed to USER intent → allow
                                         └── no  → attributed to UNTRUSTED span → block / sanitize

CausalArmor implements this as lightweight leave-one-out ablation at privileged decision points. It scores how much each untrusted segment contributes to the next action and triggers sanitization only when an untrusted segment dominates the user’s intent, instead of paying for always-on filtering. It adds retroactive chain-of-thought masking so the agent does not keep acting on a reasoning trace already poisoned by injected text. The authors evaluate it on AgentDojo and DoomArena.

AttriGuard frames the same insight as action-level causal attribution via parallel counterfactual tests: for each proposed tool call, it re-runs the agent under a “control-attenuated” view of external observations and checks whether the call is still produced. Calls that survive are attributed to user intent; calls that vanish are attributed to the untrusted observation and stopped.

No payloads are reproduced here — the mechanism, not any specific injection string, is the point.

Why it matters

The brittleness paper supplies the urgency. Evaluating six defenses against four IPI attack vectors across nine LLM backbones in dynamic, multi-step tool-calling environments, it finds that defenses which look strong in single-turn benchmarks degrade in realistic agent loops. String-matching and classifier-based filters are routinely bypassed by reasoning-heavy or previously unseen payloads.

Causal attribution is attractive because it targets the mechanism — did untrusted content cause this action? — rather than the surface — does this text look malicious? An attacker can rephrase a payload to dodge a classifier far more easily than they can make an injected instruction look like it came from the user’s own request.

Two trade-offs are worth stating plainly. Cost: AttriGuard reports roughly 2× token cost from counterfactual re-execution; CausalArmor’s pitch is precisely to avoid always-on cost by acting only when attribution flags a dominant untrusted span. Coverage: the headline 0% attack-success-rate figures are reported under static attacks on specific benchmarks. Adaptive attackers who deliberately shape payloads to survive ablation — so the malicious action looks “necessary” even under attenuation — remain an open research question.

Defenses

Causal attribution is one layer, not a silver bullet. A practical stack:

1. Label provenance. Tag every span the agent reads (tool output, retrieved document, web page) as untrusted by default, and keep that label through the reasoning trace.
2. Add a counterfactual check at privileged actions. Before high-impact tool calls (send, delete, pay, exfiltrate), re-evaluate whether the action survives with untrusted observations attenuated, as CausalArmor and AttriGuard do.
3. Mask poisoned reasoning. Prevent the agent from continuing to act on a chain-of-thought already contaminated by injected text.
4. Keep least-privilege and the lethal trifecta in view. Attribution reduces risk; cutting an agent’s access to private data, untrusted content, or an exfiltration channel removes it.
5. Pair with provenance-graph defenses. Approaches like Argus track data flow; causal attribution reasons about action necessity. They complement each other.
6. Test in multi-step loops, not single-turn benchmarks. The brittleness result is the lesson: validate any IPI defense inside the dynamic tool-calling environment it will actually run in.

Status

Work	Reference	Date	Contribution
CausalArmor	arXiv 2602.07918	2026-02-08	Leave-one-out ablation + CoT masking; selective (not always-on) sanitization
AttriGuard	arXiv 2603.10749	2026-03-11	Action-level causal attribution via counterfactual re-execution; ~0% ASR (static), ~3% utility loss, ~2× tokens
Your Agent is More Brittle Than You Think	arXiv 2604.03870	2026-04	6 defenses × 4 IPI vectors × 9 LLMs in multi-step settings; shows single-turn defenses degrade in agent loops
Indirect prompt injection (origin)	arXiv 2302.12173	2023-02	First systematic description of the IPI class

The takeaway is not “IPI is solved.” It is that the defensive frontier is shifting from detecting malicious text to attributing each action to its cause — and that any defense you adopt should be measured inside a realistic, multi-step agent, because that is where the brittle ones fall over.