system: OPERATIONAL
EN FR ES ZH
← back to all hacks
DEFENSE MEDIUM NEW

Parallax: putting agent safety in the architecture, not the prompt

A position paper published April 14, 2026 argues prompt-level guardrails fail the moment an agent's reasoning is compromised, and proposes structurally separating the part that thinks from the part that acts.

2026-06-16 // 7 min affects: llm-agents, autonomous-ai-agents, ai-copilots

What is this?

Parallax is a defensive design paradigm laid out in a position paper, “Parallax: Why AI Agents That Think Must Never Act”, posted to arXiv on April 14, 2026 (arXiv:2604.12986, by independent researcher Joel Fokou). Its argument is blunt: the dominant way teams try to make agents safe — writing safety instructions into the system prompt — operates at the same abstraction level as the attacks it is meant to stop, and therefore cannot hold once the model is manipulated. The paper proposes moving the safety boundary out of natural language and into the system’s architecture, and ships an open-source reference implementation (OpenParallax, written in Go) to show what that looks like in practice.

The piece is a single-author proposal with a prototype and a self-run evaluation, not an independently reproduced result. We cover it because it crisply names a gap that recurs across almost every agent incident: when the reasoning component is compromised, controls that live inside that component disappear with it.

How it works

Parallax starts from a distinction the paper insists is one of kind, not degree. A conversational LLM produces content; an agent produces actions — file writes, shell commands, API calls, database changes. Safety training answers “is the model producing the right thing?” Agent safety has to answer “is the system doing the right thing?” — even when the model has already been talked into doing the wrong one.

The paper’s three-part critique of prompt guardrails is worth restating because each point maps to attacks we have covered:

  • Same substrate as the threat. Instructions and untrusted data flow through one attention mechanism with no structural separation — the root condition that makes prompt injection possible in the first place.
  • They degrade over long context. Cumulative history shifts the model’s effective constraint boundary, and memory poisoning can implant instructions that persist across sessions.
  • They don’t survive multi-agent propagation. Once one model’s output becomes another’s input, a single injection rides through every downstream layer.

Against that, Parallax proposes four principles, all borrowed from long-settled systems-security practice rather than invented for AI:

  1. Cognitive–Executive Separation. The component that reasons about an action is made structurally unable to perform it, and the component that performs actions is unable to reason. This is privilege separation (Provos et al.) applied to agents: the boundary lives in process isolation, not in the model’s own restraint.
  2. Adversarial Validation with Graduated Determinism. An independent, multi-tiered validator sits between reasoning and execution and decides whether a proposed action is allowed. Crucially, the validator is immutable with respect to the thing it validates — the same trust-anchor logic as a TPM or HSM.
  3. Information Flow Control. Data-sensitivity labels propagate through the workflow (a Bell-LaPadula-style policy), so the system can catch context-dependent threats like “read this private file, then make an outbound request” — the lethal trifecta expressed as a flow rule.
  4. Reversible Execution. State is captured before any destructive action so the system can roll back when validation fails.

The single-sentence version, from the paper: the system that reasons about actions must be structurally unable to execute them, and the system that executes actions must be structurally unable to reason about them, with an independent, immutable validator interposed between the two. No exploit is reproduced here — the contribution is an architecture, not an attack.

Why it matters

The most useful idea in the paper is its evaluation method, Assume-Compromise Evaluation: instead of testing whether the model can be jailbroken, the authors assume it already has been, bypass the reasoning system entirely, and inject malicious tool calls straight at the execution boundary. This is the right question for production agents, because it stops grading the part of the system everyone already knows is unreliable and starts grading the part that is supposed to contain the damage.

Under that test — 280 adversarial cases across nine attack categories — the reported reference implementation blocks 98.9% of attacks with zero false positives in its default configuration, and 100% in a maximum-security configuration. Treat those as prototype self-reported numbers, not a settled benchmark. The structural claim underneath them is the durable part: a prompt-level guardrail offers zero protection when the reasoning system is compromised, because it exists only inside the compromised system. An architectural boundary holds regardless of what the model has been convinced to attempt.

This lands in a moment when the industry has openly conceded that prompt injection may not be fully solvable at the model level — the same conclusion reached, by very different routes, in work arguing that agents may always fall for prompt injection and in the systems-problem framing of agent security. Parallax is one more vote for the same shift: stop trying to make the model perfectly trustworthy, and design so that an untrustworthy model can’t cause irreversible harm. It rhymes directly with Agents’ Rule of Two and with task-based tool authorization.

Defenses

Parallax is a defense proposal, so the takeaways are architectural patterns you can apply without adopting its specific implementation:

  • Separate the planner from the executor. Do not let the component that ingests untrusted content be the same component that holds execution privileges. Put a process or trust boundary between “decide” and “do”.
  • Interpose an independent validator that the agent cannot edit. Whatever checks an action must not share state, prompt, or memory with the reasoning loop — otherwise a compromise of the reasoner is a compromise of the check. This is the same logic behind provably-bounded guardrails.
  • Make destructive actions reversible. Snapshot before writes, deletes, and config changes so a bad action is an incident you roll back, not a breach you discover later.
  • Track data flow, not just individual calls. Label sensitive data and block flows that combine private reads with outbound channels — the trifecta is a property of the path, not any single step.
  • Assume compromise when you test. Evaluate your boundary by injecting actions past the model, not only by trying to jailbreak it. If your safety story collapses when the model is assumed hostile, the safety story was the model.

A caveat the paper itself raises: architectural enforcement adds latency and engineering cost, and a validator that is too coarse will block legitimate work. The point is not that Parallax’s numbers are final, but that the boundary belongs in the architecture.

Status

ItemValue
SourcearXiv:2604.12986v1, “Parallax: Why AI Agents That Think Must Never Act”
AuthorJoel Fokou (independent researcher)
PublishedApril 14, 2026
TypePosition paper + open-source reference implementation (OpenParallax, Go)
Core claimAgent safety must be enforced architecturally; prompt-level guardrails fail under a compromised reasoner
Reported result98.9% of 280 adversarial cases blocked, 0 false positives (default); 100% (max-security) — prototype, self-reported
MaturitySingle-author proposal; not yet independently reproduced

Sources