<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Prompt Injection on Control Plane by Karl McGuinness</title><link>https://notes.karlmcguinness.com/tags/prompt-injection/</link><description>Recent content in Prompt Injection on Control Plane by Karl McGuinness</description><generator>Hugo</generator><language>en-us</language><managingEditor>public@karlmcguinness.com (Karl McGuinness)</managingEditor><webMaster>public@karlmcguinness.com (Karl McGuinness)</webMaster><lastBuildDate>Mon, 06 Jul 2026 10:00:00 -0700</lastBuildDate><atom:link href="https://notes.karlmcguinness.com/tags/prompt-injection/index.xml" rel="self" type="application/rss+xml"/><item><title>Least Exposure Is Broader Than Least Privilege</title><link>https://notes.karlmcguinness.com/notes/least-exposure-is-broader-than-least-privilege/</link><pubDate>Mon, 06 Jul 2026 10:00:00 -0700</pubDate><author>public@karlmcguinness.com (Karl McGuinness)</author><guid>https://notes.karlmcguinness.com/notes/least-exposure-is-broader-than-least-privilege/</guid><description>Least privilege scopes what an agent may do, one tool call at a time. But a perfectly authorized agent can still be compromised by what it is allowed to see. Least exposure is the broader control: task-scoped minimal disclosure for prompt context, retrieved documents, tool schemas, secrets, business rules, approval context, memory, and downstream responses. Because the model is untrusted reasoning, every input is attack surface. A Mission should therefore bound both halves: the actions the agent may take and the working set it may reason over.</description></item></channel></rss>