A new open-source authorization gateway blocks AI agents from acting on forged instructions, even when the model itself has already been fooled.
Researchers tested 15 language models against eight prompt-injection scenarios drawn from a corpus of real agent incidents. Refusal rates ranged from 100% down to 38%, and the most expensive model in the set refused only half the attacks despite costing roughly twenty times more than cheaper alternatives. The proposed fix, aiAuthZ, sidesteps the model's judgment entirely: before any tool call executes, an external gateway verifies the caller's identity using a per-message HMAC-SHA256 signature tied to a single-use nonce and a timestamp window. The agent never sees the policy and cannot modify it.
The key insight is architectural. Every major prompt-injection defense to date has tried to make models more skeptical — better system prompts, spotlighting, fine-tuning. aiAuthZ treats the model as an untrusted executor and enforces constraints outside it, the same way you would not trust application code to enforce its own database permissions. On the AgentDojo banking benchmark, the gateway blocked all seven attacker-directed tool calls while a spotlighting baseline allowed two injections to succeed.
The audit log — hash-chained with SHA-256 — and QR-code receipts suggest the researchers have enterprise and regulated-industry deployment in mind. Whether organizations building on hosted model APIs can slot an off-host gateway cleanly into their stacks is the open question the paper does not fully answer.