Search papers, labs, and topics across Lattice.
This paper identifies the shortcomings of existing prompt injection defenses when applied to real enterprise documents, demonstrating that the leading defense method, paraphrasing, fails to significantly reduce attack success rates while compromising utility. The authors introduce PARSE (Provenance-Aware Retrieval Sanitization), a novel sanitization pipeline that effectively classifies sentences by injection likelihood and preserves factual integrity through a structured extraction and rewriting process. PARSE achieves a 15.6% attack success rate, a 38% reduction compared to the baseline, while maintaining 86.9% utility, underscoring the importance of evaluating defenses on real-world documents rather than synthetic benchmarks.
Real-world documents expose the inadequacy of traditional prompt injection defenses, with PARSE achieving a significant reduction in attack success while preserving utility.
Prompt injection defenses evaluated on synthetic benchmarks do not generalize to real enterprise documents, which are longer, denser, and interleave legitimate authority language with factual content. We demonstrate this gap with a real-document benchmark of 122 tasks across five professional domains (financial, legal, medical, scientific, DevOps) using actual SEC filings, Federal Register rules, PubMed abstracts, arXiv papers, and GitHub postmortems. Paraphrasing, the strongest defense on synthetic benchmarks, shows no statistically significant attack success rate reduction on real documents (p=0.500) while degrading utility from 91.8% to 82.8%. We introduce PARSE (Provenance-Aware Retrieval Sanitization), a domain-aware, fact-preserving sanitization pipeline that classifies each sentence by injection likelihood, extracts structured facts before rewriting, and verifies fact preservation via a consistency-checking loop. A directiveness gate routes 59% of real enterprise documents to a lightweight path, concentrating computational cost on high-risk documents. PARSE achieves 15.6% attack success rate -- a 38% reduction versus the 25.4% baseline -- at 86.9% utility, the only condition that is both statistically significant (p=0.014, adequately powered) and maintains near-baseline utility. Practitioners should evaluate defenses on domain-matched real documents, not synthetic proxies.