← Publications

ICML 2026 · Spotlight

Security-Fidelity Tradeoffs: The Hidden Cost of Prompt Injection Defense

SecFid reveals that prompt-injection defenses can gain security by suppressing untrusted text, trading away fidelity on tasks that must preserve it.

LLM SecurityPrompt InjectionEvaluation

This paper identifies a security-fidelity tradeoff in defenses against indirect prompt injection. Existing attack-success metrics treat faithfully processing an injection as data and simply ignoring it as equally secure, even though only one preserves the user’s intended task.

We introduce SecFid, a benchmark that distinguishes executing an injection, processing it as data, and suppressing it. Across 1,168 examples and 48 model-defense configurations, no evaluated configuration achieved both high security and high fidelity. The highest-fidelity model reached 96.5% fidelity at 47.8% security, while the most secure defenses reached 99.3% security at 71.0-73.9% fidelity.

The results show that a defense cannot be selected from security scores alone. The right operating point depends on the deployment-specific cost of a successful hijack relative to the cost of dropping legitimate content.