A bug gets patched. A genre defines what is possible inside it. After eighteen months of trying to patch prompt injection out of LLMs, the OWASP 2026 report finally said the quiet part out loud: it is not a bug, it is the architecture. Two text streams, one trust level. Math, not negligence.
What the patch metaphor is hiding
On March 24, 2026, two versions of LiteLLM, the model gateway that sits underneath CrewAI, DSPy, Microsoft GraphRAG and most agent stacks worth naming, shipped to PyPI with a multi-stage payload. Credential harvesting, Kubernetes lateral movement, persistent backdoor. The vector was an AI-driven attacker, openclaw, that had already compromised a Trivy security scanner upstream and used it to steal the maintainer's PyPI credentials. The bad versions stayed online for three hours. LiteLLM gets pulled 3.4 million times a day.
This is not prompt injection in the classroom sense. It is the same architectural truth one level out. When the model and the data flow through the same pipe, every layer that pipe touches becomes part of the trust boundary. That includes the security scanner. Especially the security scanner.
Why the industry can't fix the underlying flaw
Large language models receive instructions and untrusted data as the same stream of tokens. There is no out-of-band channel that says "this came from the operator, that came from the customer, that came from the web". Researchers have been chasing the problem for two years with input filters, system-prompt fortresses, output validators. They all reduce risk; none of them remove the cause. Simon Willison has been writing about this for three years, and the OWASP 2026 report stopped softening the language.
The defense surface is not the model. It cannot be.
A bug gets a CVE, a fix, a sprint. A genre gets a stack.
Where the defense actually lives
The defense lives in the harness. Sandbox, so a compromised tool call cannot escape the box. Tool whitelist, so the model cannot reach for arms it should not have. Output validation, so even a successful prompt injection has to push its conclusion through a structured gate before anyone trusts it. Action budget, retry strategy, fallback path. The stuff nobody puts on a sales slide because it does not demo.
Sixty-nine percent of enterprise leaders in a 2026 Okta survey said security is slowing their agent adoption. It is an honest answer, and it should be reframed. Security is not slowing adoption, adoption is racing past the security stack. The boards funding the agents are not funding the harness that contains them, because the harness does not have a logo and the model does.
Why this matters for your business
Two practical takeaways. First, in any procurement conversation about an agent system, ask what runs when the model gets prompt-injected. If the answer is "we filter the input", you are buying a bug treatment for a genre problem. Walk. Second, if you are running an agent in production today, your real attack surface is the supply chain of the harness, not the model. The LiteLLM episode was not an LLM bug, it was a Python package that an AI-driven attacker pushed through a poisoned scanner. The brain was fine. The body was the breach.
The model is sold to everyone. The genre is the same for everyone. The only thing that changes is who took the cage seriously.
— Pan