Prompt injection is not the problem. Context authority is.
The industry is still asking whether text looks malicious. Agent security has to ask a harder question: which sources of context are allowed to influence which actions?
- Prompt injection is the visible symptom; context authority is the deeper failure.
- AI agents mix trusted instructions, untrusted content, retrieved data, memory, and tool output in the same loop.
- The dangerous question is not only whether text looks malicious, but whether a source should be allowed to influence an action.
- A context firewall enforces source-to-sink policy across memory, RAG, MCP, tools, egress, and approvals.
- The useful proof artifact is an exploit replay showing the path before and after enforcement.
Prompt injection is real. It is also the wrong centre of gravity. Once an AI system can read tickets, browse sites, retrieve documents, call tools, update memory, and change business systems, the failure is no longer just that a model saw a bad sentence. The failure is that an untrusted source was allowed to carry authority into an action path.
That distinction matters because prompt filters and jailbreak detectors are built around content. They ask whether a string resembles an attack. A Context Firewall is built around authority. It asks whether this source should be allowed to influence this sink.
This is the category shift Ultra13 is built around: agent security is source-to-sink control for context, not vibes-based scoring of suspicious language.