SAF-M-21: Output Context Isolation

June 1, 2026 ยท View on GitHub

Overview

Mitigation ID: SAF-M-21
Category: Architectural Control
Effectiveness: High
Implementation Complexity: Low
First Published: 2025-01-09

Description

Output Context Isolation uses special delimiters or structured formatting (such as XML-style tags) to clearly separate tool outputs from system instructions in the LLM context. This architectural pattern ensures that data returned by tools cannot be interpreted as instructions by implementing clear boundaries between different types of content. For example, wrapping tool outputs in <tool-output>...</tool-output> tags helps the LLM maintain context awareness.

Mitigates

  • SAF-T1102: Prompt Injection (Multiple Vectors)
  • SAF-T1103: Indirect Prompt Injection
  • SAF-T1112: Sampling Request Abuse โ€” nested sampling/createMessage output must be held logically separate from planner state until reviewed, logged, and policy-checked, so a malicious server's sampling response cannot directly seed subsequent reasoning

Technical Implementation

[TO BE COMPLETED]

References

[TO BE COMPLETED]

  • SAF-M-1: Architectural Defense - Control/Data Flow Separation
  • SAF-M-5: Content Sanitization

Version History

VersionDateChangesAuthor
0.12025-01-09Initial documentationFrederick Kautz