# Unexpressible, Not Filtered — a structural approach to AI-agent safety

> Source: <https://discuss.huggingface.co/t/unexpressible-not-filtered-a-structural-approach-to-ai-agent-safety/177006#post_1>
> Published: 2026-06-20 14:03:51+00:00

Most defenses against prompt injection are probabilistic: a filter tries to catch the bad action after the agent authors it. A probabilistic check over a probabilistic policy always leaks.

The Network Intent Layer (NIL) takes a structural route instead: the agent never issues an action — it can only *propose* intent against operations a backend has explicitly declared. An undeclared action isn’t blocked; it’s *unexpressible*. The security perimeter collapses from every reasoning step O(n) to one intent-to-effect boundary O(1), independent of the model.

On InjecAgent (4,216 indirect prompt-injection cases, two models): unauthorized writes through NIL = **0.00%**, benign task-success **100%** — and because the guarantee is architectural, the number doesn’t move when the model changes.

Open standard + reference implementation, with a formal soundness model and honest limitations in the paper.

Paper (DOI): [Unexpressible, Not Filtered: A Structural Framework for Governing AI-Agent Actions — the Network Intent Layer | Zenodo](https://doi.org/10.5281/zenodo.20774131)

Code: [GitHub - nilscript-org/NILScript: The neutral standard for connecting systems to agents — Network Intent Layer (NIL) + the nilscript DSL. USB for software. · GitHub](https://github.com/nilscript-org/nilscript)