Aman Bansal

The confused deputy rides again

· ai-security, prompt-injection, security-history

In 1988, the security literature described a failure mode called the confused deputy: a program with legitimate authority, tricked by a less-privileged party into misusing that authority on their behalf. The deputy isn’t malicious. It’s confused about who it’s actually working for.

That is exactly prompt injection.

The attack doesn’t target your permissions

Your agent has real permissions. The attacker doesn’t. So they don’t attack your permissions — they confuse your deputy. They slip an instruction into a document, a web page, a support ticket, a GitHub issue, and the agent, acting with your authority, carries it out.

Flow diagram: an attacker with no access hides an instruction in a support ticket; the agent reads it and, carrying your full authority, calls an internal API.

The capability-security community even worked out the governing principle four decades ago: authority and the instructions for using it must not travel through the same untrusted channel.

Then we built a class of software whose entire job is to take instructions from arbitrary text and act on them with full authority. We rebuilt the confused deputy on purpose — and acted surprised when it got confused.

We stopped teaching the old lessons

The uncomfortable question underneath this: how much of “AI security” is genuinely new, versus old problems we simply stopped teaching?

My running tally says: mostly the latter. The delivery mechanism is novel — natural language instead of crafted syscalls — but the failure mode, the threat model, and even the design principles were worked out before most of today’s AI engineers were born. We treat the 1970s–90s security literature as history. It’s actually a backlog.

Forty years of free answers

And that’s the good news. When a problem is genuinely new, you pay for every lesson in breaches. When it’s a 1988 problem in a 2026 outfit, the lessons are already bought and paid for — sitting in papers, post-mortems, and design patterns anyone can read this afternoon.

Capability discipline, least authority, separating the channel that designates what to act on from the channel that grants the right to act — these map directly onto agent architecture, today. The teams that mine that literature will ship safer agents faster than the teams rediscovering it one incident at a time.

The lesson was in the library the whole time. All we have to do is check it out.

← Back to blog