Most defenses against prompt injection are probabilistic: a filter tries to catch the bad action after the agent authors it. A probabilistic check over a probabilistic policy always leaks.
The Network Intent Layer (NIL) takes a structural route instead: the agent never issues an action — it can only propose intent against operations a backend has explicitly declared. An undeclared action isn’t blocked; it’s unexpressible. The security perimeter collapses from every reasoning step O(n) to one intent-to-effect boundary O(1), independent of the model.
On InjecAgent (4,216 indirect prompt-injection cases, two models): unauthorized writes through NIL = 0.00%, benign task-success 100% — and because the guarantee is architectural, the number doesn’t move when the model changes.
Open standard + reference implementation, with a formal soundness model and honest limitations in the paper.
Paper (DOI): [Unexpressible, Not Filtered: A Structural Framework for Governing AI-Agent Actions — the Network Intent Layer | Zenodo](https://doi.org/10.5281/zenodo.20774131)
Code: [GitHub - nilscript-org/NILScript: The neutral standard for connecting systems to agents — Network Intent Layer (NIL) + the nilscript DSL. USB for software. · GitHub](https://github.com/nilscript-org/nilscript)