Table of Contents
Fetching ...

Toward Trustworthy Agentic AI: A Multimodal Framework for Preventing Prompt Injection Attacks

Toqeer Ali Syed, Mishal Ateeq Almutairi, Mahmoud Abdel Moaty

TL;DR

The paper tackles the vulnerability of multimodal, agentic AI systems to prompt injection attacks by proposing a Cross-Agent Multimodal Provenance-Aware Defense Framework. The framework deploys a four-agent defense pipeline (text sanitizer, visual sanitizer, main task model, and output validator) with a shared provenance ledger to sanitize inputs, validate outputs, and track cross-agent influence. Experimental results show a 94% detection rate, a 70% reduction in cross-modal trust leakage, and 96% task accuracy on benign inputs, demonstrating secure, low-overhead protection for LangChain/GraphChain-style workflows. This work advances end-to-end, provenance-conscious security for multi-agent AI ecosystems, enabling more trustworthy and understandable agentic systems in practical deployments.

Abstract

Powerful autonomous systems, which reason, plan, and converse using and between numerous tools and agents, are made possible by Large Language Models (LLMs), Vision-Language Models (VLMs), and new agentic AI systems, like LangChain and GraphChain. Nevertheless, this agentic environment increases the probability of the occurrence of multimodal prompt injection (PI) attacks, in which concealed or malicious instructions carried in text, pictures, metadata, or agent-to-agent messages may spread throughout the graph and lead to unintended behavior, a breach of policy, or corruption of state. In order to mitigate these risks, this paper suggests a Cross-Agent Multimodal Provenanc- Aware Defense Framework whereby all the prompts, either user-generated or produced by upstream agents, are sanitized and all the outputs generated by an LLM are verified independently before being sent to downstream nodes. This framework contains a Text sanitizer agent, visual sanitizer agent, and output validator agent all coordinated by a provenance ledger, which keeps metadata of modality, source, and trust level throughout the entire agent network. This architecture makes sure that agent-to-agent communication abides by clear trust frames such such that injected instructions are not propagated down LangChain or GraphChain-style-workflows. The experimental assessments show that multimodal injection detection accuracy is significantly enhanced, and the cross-agent trust leakage is minimized, as well as, agentic execution pathways become stable. The framework, which expands the concept of provenance tracking and validation to the multi-agent orchestration, enhances the establishment of secure, understandable and reliable agentic AI systems.

Toward Trustworthy Agentic AI: A Multimodal Framework for Preventing Prompt Injection Attacks

TL;DR

The paper tackles the vulnerability of multimodal, agentic AI systems to prompt injection attacks by proposing a Cross-Agent Multimodal Provenance-Aware Defense Framework. The framework deploys a four-agent defense pipeline (text sanitizer, visual sanitizer, main task model, and output validator) with a shared provenance ledger to sanitize inputs, validate outputs, and track cross-agent influence. Experimental results show a 94% detection rate, a 70% reduction in cross-modal trust leakage, and 96% task accuracy on benign inputs, demonstrating secure, low-overhead protection for LangChain/GraphChain-style workflows. This work advances end-to-end, provenance-conscious security for multi-agent AI ecosystems, enabling more trustworthy and understandable agentic systems in practical deployments.

Abstract

Powerful autonomous systems, which reason, plan, and converse using and between numerous tools and agents, are made possible by Large Language Models (LLMs), Vision-Language Models (VLMs), and new agentic AI systems, like LangChain and GraphChain. Nevertheless, this agentic environment increases the probability of the occurrence of multimodal prompt injection (PI) attacks, in which concealed or malicious instructions carried in text, pictures, metadata, or agent-to-agent messages may spread throughout the graph and lead to unintended behavior, a breach of policy, or corruption of state. In order to mitigate these risks, this paper suggests a Cross-Agent Multimodal Provenanc- Aware Defense Framework whereby all the prompts, either user-generated or produced by upstream agents, are sanitized and all the outputs generated by an LLM are verified independently before being sent to downstream nodes. This framework contains a Text sanitizer agent, visual sanitizer agent, and output validator agent all coordinated by a provenance ledger, which keeps metadata of modality, source, and trust level throughout the entire agent network. This architecture makes sure that agent-to-agent communication abides by clear trust frames such such that injected instructions are not propagated down LangChain or GraphChain-style-workflows. The experimental assessments show that multimodal injection detection accuracy is significantly enhanced, and the cross-agent trust leakage is minimized, as well as, agentic execution pathways become stable. The framework, which expands the concept of provenance tracking and validation to the multi-agent orchestration, enhances the establishment of secure, understandable and reliable agentic AI systems.
Paper Structure (24 sections, 3 figures, 2 tables, 4 algorithms)

This paper contains 24 sections, 3 figures, 2 tables, 4 algorithms.

Figures (3)

  • Figure 1: Overall architecture of the proposed agentic multimodal prompt-injection defense pipeline. All inputs from users, tools, external documents, and other agents are sanitized before entering LangChain/GraphChain nodes, and LLM outputs are validated before being passed to downstream agents or MCP tool actions.
  • Figure 2: Sequence of interactions in the agentic multimodal prompt-injection defense pipeline. Every request is sanitized before entering the LangChain/GraphChain agent and again before reaching the LLM; every LLM response is validated before being routed back to the agent or used to trigger MCP/tool actions.
  • Figure 3: Comparative performance across baseline defenses and the proposed multimodal provenance-aware framework.