AI Governance in Regulated Industries: Where to Start
Most organizations know AI governance matters but few know where to begin. Here are the first three questions every CISO should answer before scaling AI.
The security conversation around large language models has shifted decisively.
We are no longer primarily debating whether a chatbot might produce biased or toxic output. The more urgent question is whether an autonomous agent will read a malicious instruction hidden in an email or tool response, execute actions it was never authorized to perform, or manipulate another agent into exfiltrating sensitive data — all without any human clicking a malicious link.
This is the agentic era, and prompt injection has evolved to match it.
Many early prompt injection defenses were built on a simplifying assumption: the user’s direct query is trusted, while retrieved documents, tool outputs, and external data are not.
In single-turn or simple RAG applications, this boundary was often workable. Agentic systems destroy that clean separation.
Modern agents maintain persistent memory, engage in multi-turn reasoning, and call tools with real-world side effects. They increasingly participate in dynamic multi-agent networks.
When one agent can send messages to another — or when the output of a tool becomes part of the next prompt — the attack surface expands dramatically. An injected instruction no longer needs to override a single response. It can hijack an entire workflow or chain of agents.
Recent research published in late June 2026 makes these new realities concrete and points toward architectural solutions rather than purely prompt-based ones.
Several papers from the last week highlight how quickly both attacks and defenses are advancing beyond traditional chat interfaces.
Sensory-vector prompt injection on embodied agents (RIPA, arXiv:2606.28649, June 26, 2026) demonstrated successful attacks delivered through non-text channels in LLM-controlled robotic systems built on ROS 2. As organizations begin deploying agents that interact with physical systems or complex sensor streams, entirely new injection vectors become relevant.
Dual-firewall architectures for dynamic LLM agentic networks propose one of the more promising structural defenses. Rather than relying solely on the model to resist manipulation, the architecture projects only the minimal necessary context across agent boundaries and places trusted firewall components on both sides of inter-agent communication. This creates hard guarantees that are difficult for an attacker to bypass through linguistic tricks alone.
Adaptive evaluation of out-of-band defenses (arXiv:2606.26479, June 25, 2026) moves beyond input filtering and output scanning. These approaches introduce reference monitors and privilege control mechanisms capable of evaluating whether a proposed tool call or action is consistent with the current task context and security policy — even when the surrounding prompt has been adversarially manipulated.
A broader taxonomy of threats in retrieval-augmented generation reinforces the same pattern: retrieval poisoning, context manipulation, and indirect prompt injection through documents or tool outputs are now recognized as first-class risks. Model-level alignment alone cannot fully contain them.
Many production systems still lean heavily on carefully crafted system prompts, few-shot examples, output parsing, and allow/deny lists. These techniques remain useful as part of a defense-in-depth strategy, but they have clear limitations in agentic environments.
An attacker who can influence tool output, inter-agent messages, or retrieved context can often work around or directly undermine prompt-based guardrails.
The research increasingly shows that durable security requires architectural and system-level controls that enforce boundaries the model cannot easily override.
Your agent framework should not treat every piece of text it encounters as equally trustworthy. It needs mechanisms to enforce least privilege on tool use, isolate context between different tasks or agents, and verify high-impact actions through channels an attacker cannot fully control.
Drawing directly from the defensive research published in the last week, here are practical patterns security architects should evaluate for production agentic systems.
1. Context Projection and Minimal Necessary Context
Before any information enters an agent’s active context — whether from another agent, a tool response, or a RAG retrieval — project it down to only what is strictly required for the current task. This dramatically reduces the attack surface available to injected instructions.
2. Dual-Firewall Inter-Agent Communication
For multi-agent systems, introduce trusted intermediary components that sit between agents. These firewalls can enforce capability-based scoping and prevent a compromised agent from issuing arbitrary or high-privilege instructions to peer agents. The dual-firewall model places controls on both the sending and receiving side of the communication channel.
3. Out-of-Band Action Verification and Reference Monitors
For any tool call or action with meaningful side effects, require verification through a separate trusted channel or reference monitor that the language model itself cannot directly influence. This breaks the assumption that controlling the prompt is sufficient to control behavior.
4. Capability-Based and Least-Privilege Tool Access
Move away from broad tool permissions granted to agents. Instead, grant fine-grained capabilities that are explicitly scoped to the task at hand and can be dynamically limited or revoked. Combine this with taint tracking or information-flow controls where feasible.
5. Continuous, Tool-Use-Focused Red Teaming
Static prompt injection testing is insufficient. Invest in ongoing adversarial evaluation that specifically targets multi-turn interactions, memory poisoning, tool misuse, and inter-agent manipulation. Frameworks such as enhanced versions of PyRIT and comprehensive scanners like Augustus are becoming essential parts of the security toolkit.
Teams building internal productivity agents face different constraints than those shipping customer-facing agent platforms or integrating agents into operational technology environments.
However, the core principle remains consistent: structural boundaries beat linguistic defenses alone.
In regulated industries, these architectural patterns also provide clearer auditability and policy enforcement points. This becomes increasingly important as policy scrutiny on frontier AI capabilities continues to tighten.
The organizations most at risk are those deploying increasingly powerful agentic systems while still treating security primarily as a prompt engineering and output filtering problem.
The research emerging in June 2026 shows there is a viable path that combines thoughtful system architecture with rigorous, continuous adversarial testing.
These patterns are not yet ubiquitous. This means there is still a meaningful window to implement them before the next wave of agent deployments.
If you are designing, reviewing, or securing agentic AI systems this year, the question has evolved. It is no longer simply “How do we stop prompt injection?” It is “How do we design systems where successful prompt injection has limited and containable impact because the surrounding architecture enforces real, enforceable boundaries?”
That architectural work is the most important security investment many teams can make right now.
This post is grounded in research and developments from the last 48 hours, including arXiv preprints on sensory-vector attacks (RIPA), dual-firewall agent architectures, adaptive out-of-band defenses, and RAG threat taxonomies.
Trent Leis
AI security consultant specializing in governance frameworks for regulated industries.
About the author →Most organizations know AI governance matters but few know where to begin. Here are the first three questions every CISO should answer before scaling AI.
Book a free 30-minute discovery call — no slides, just conversation.