Unexpressible, Not Filtered — a structural approach to AI-agent safety

The Network Intent Layer (NIL) prevents prompt injection in AI agents by making undeclared actions structurally unexpressible, rather than relying on probabilistic filters. In tests against 4,216 injection cases, NIL achieved 0% unauthorized writes and 100% benign task success, with guarantees that hold across model changes. The open standard and reference implementation are available on GitHub and Zenodo.

Most defenses against prompt injection are probabilistic: a filter tries to catch the bad action after the agent authors it. A probabilistic check over a probabilistic policy always leaks. The Network Intent Layer NIL takes a structural route instead: the agent never issues an action — it can only propose intent against operations a backend has explicitly declared. An undeclared action isn’t blocked; it’s unexpressible . The security perimeter collapses from every reasoning step O n to one intent-to-effect boundary O 1 , independent of the model. On InjecAgent 4,216 indirect prompt-injection cases, two models : unauthorized writes through NIL = 0.00% , benign task-success 100% — and because the guarantee is architectural, the number doesn’t move when the model changes. Open standard + reference implementation, with a formal soundness model and honest limitations in the paper. Paper DOI : Unexpressible, Not Filtered: A Structural Framework for Governing AI-Agent Actions — the Network Intent Layer | Zenodo https://doi.org/10.5281/zenodo.20774131 Code: GitHub - nilscript-org/NILScript: The neutral standard for connecting systems to agents — Network Intent Layer NIL + the nilscript DSL. USB for software. · GitHub https://github.com/nilscript-org/nilscript