Sink-Time Validation

Independent validation at the execution sink on the exact action, destination, and parameters an AI system is about to trigger.

Sink-time validation is the security practice of checking the exact side effect an AI system is about to cause at the moment of execution, not earlier in the planning or prompt stage. In practical terms, this means validating the final command, file path, recipient, router, spender, payload, or calldata immediately before the sink fires.

This concept exists because agentic systems are mutable between planning and execution. A model may generate one apparent intent, then replan after receiving tool output, retrieving memory, or serializing work to a queue. If validation only happens on a summary of the action — for example “run tests” or “swap funds” — the dangerous details can still drift before the runtime executes.

Sink-time validation is therefore a stronger control than broad approval or prompt filtering alone. It works as an independent guardrail against prompt injection, tool misuse, and authority creep by constraining the exact high-impact artifact that reaches the sink. In a coding agent, this can mean allowlisting executable paths, blocking shell metacharacters, and validating file-write targets. In a DeFi agent, it can mean enforcing canonical router addresses, trusted recipient mappings, token allowlists, maximum spend limits, and transaction-policy checks against the final payload.
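The coding-agent controls named above (executable allowlisting, shell-metacharacter blocking, file-write target validation), sketched as an added example that is not code from the original page. The function names, the metacharacter set, and the policy arguments are assumptions made for illustration.

```python
import os
from pathlib import Path

# Assumed policy: reject these characters in arguments even though no shell is used.
SHELL_METACHARS = frozenset(";&|`$<>(){}\\\n")

class SinkPolicyError(Exception):
    """The final action does not satisfy sink policy."""

def validate_command(argv, allowed_executables):
    """Validate the exact argv about to run; return the argv to execute."""
    if not argv:
        raise SinkPolicyError("empty command")
    exe = os.path.realpath(argv[0])          # resolve symlinks and ../ first
    if exe not in allowed_executables:
        raise SinkPolicyError(f"executable not allowlisted: {exe}")
    for arg in argv[1:]:
        if SHELL_METACHARS.intersection(arg):
            raise SinkPolicyError(f"shell metacharacter in argument: {arg!r}")
    return [exe, *argv[1:]]                  # run this list, with shell=False

def validate_write_target(path, workspace):
    """Validate the exact path about to be written; return the resolved path."""
    root = Path(os.path.realpath(workspace))
    target = Path(os.path.realpath(root / path))   # an absolute `path` replaces root
    if root not in target.parents:
        raise SinkPolicyError(f"write target outside workspace: {target}")
    return target

def allowed(check, *args):
    """Helper for callers that want a boolean instead of an exception."""
    try:
        check(*args)
        return True
    except SinkPolicyError:
        return False
```

The runtime should execute or write only the value each validator returns, so the object that was checked is the object that reaches the sink.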

For auditors, the presence of sink-time validation is a major scoping and severity factor. If a system has prompt exposure but enforces strong sink-time policy, the reachable blast radius may be containable. If sink-time validation is absent, even modest model influence can become a direct path to code execution, data exfiltration, or financial loss.
