Prompt-to-Sink

Prompt-to-sink describes the full security path from an untrusted influence source to a real execution point. The “prompt” side of the path does not only mean user chat input. It can include repository comments, tickets, web pages, MCP tool output, retrieved documents, memory state, queue contents, or any other mixed-trust context that can shape model behavior. The “sink” side is where the system stops being conversational and starts causing side effects: a shell command, file write, API request, approval event, code change, or on-chain transaction.

This term matters because many AI security reviews stop too early. They identify prompt injection or context manipulation but do not trace whether that influence can actually reach something dangerous. For auditors, the decisive question is never just “can an attacker influence the model?” It is “what authority can that influence reach?”

Prompt-to-sink thinking is especially useful for coding agents, long-lived agents, and Agentic DeFi systems. In a coding agent, the sink may be a shell command, git mutation, or CI change. In a long-lived agent, it may be a queued task or delayed action that executes under stronger authority later. In a financial agent, the sink may be a wallet signing request, router selection, bridge destination, or approval to spend funds.

Using this lens changes how controls are evaluated. Filters at input time matter, but they are not enough. Auditors also need to inspect argument provenance, destination validation, permission attenuation, approval semantics, and sink-time policy enforcement. A system can survive some prompt injection exposure if the sink controls are strong. It can also fail catastrophically with mild prompt influence if the sink is overpowered and weakly constrained.