LLM Decides, Code Executes 45 Agentic 2026 Security Untrusted Input Schema Extraction LLM Reasoning Tool Router Service Account Audit Log 1 extract 2 typed struct 3 JSON intent 4 scoped call 5 write 6 tool result 7 observe P_
LLM Decides, Code Executes Agentic 2026 Security 45 Pydantic/Zod extraction runs first — the LLM sees typed structs, never raw input 2 It emits JSON; a deterministic switch routes to scoped tools 3 Service accounts enforce least-privilege. Like SQL injection: structure beats caution. FIELD NOTES All models fail to recognize malicious instructions StruQ: separate instruction/data channels provably blocks injection Tools = structured output; code routes, not LLM (12-Factor) P_ atd.postindustria.com/45

How It Works

`Pydantic`/`Zod` extraction runs first — the LLM sees typed structs, never raw input [2] It emits JSON; a deterministic switch routes to scoped tools [3] Service accounts enforce least-privilege. Like SQL injection: structure beats caution.

Field Notes

  • All models fail to recognize malicious instructions
  • StruQ: separate instruction/data channels provably blocks injection
  • Tools = structured output; code routes, not LLM (12-Factor)

Questions about LLM Decides, Code Executes?

Get expert guidance from our team. We'll help you implement it.