Catch prompt injection the moment it's written
Inbound email, scraped pages, and tool output routinely carry "ignore previous instructions." Governed Memory scores and taints untrusted content on write — long before it can ever reach a prompt.
The risk
Inbound email, scraped web pages, and tool output are untrusted by definition — yet most memory pipelines store them with the same standing as a verified CRM record. Any of them can carry an "ignore previous instructions" payload disguised as ordinary text.
Once that text is in your vector store looking like every other memory, it's one retrieval away from being pulled into a prompt and acted on. The defense has to happen on the way in, not by hoping a downstream model notices.
How Governed Memory handles it
- 01Untrusted by default
Content from email, the web, and tool output is treated as untrusted the moment it arrives, regardless of how the calling code labels it.
- 02Scored on write
A heuristic scanner and a trained injection classifier score the content; a high score is tainted and quarantined before the write completes.
- 03Held out of retrieval
Quarantined memory is excluded from ordinary retrieval, so it can't be pulled into a prompt unless something explicitly and deliberately asks for it.
- 04Nothing trusts a label
A
trusted_systemsource field buys no exemption. Content is judged on what it contains, not on what it claims to be.