AI agents, particularly those interacting with external data or tools, face a growing threat: indirect prompt injection. This attack vector allows malicious actors to compromise an agent's behavior by embedding harmful instructions within seemingly innocuous data. Now, a new system called AL-MUNAA aims to provide a collective defense, acting as a shared immune system for multiple AI agents.

Developed by Farhan Ward for OpenAI Build Week, AL-MUNAA introduces a local security layer that scrutinizes AI agents at critical junctures: before they process untrusted content, before they execute tools, and before they transmit output. The core innovation lies in its ability to share threat intelligence across agents without revealing the raw prompts, private conversations, or any sensitive information that might have been exposed during an attack.

The Four Gates of Defense

AL-MUNAA operates through a series of four distinct security gates, each designed to intercept and analyze potential threats. This layered approach ensures that security is considered at multiple points in an agent's operational lifecycle.

Input and Memory Scanning

The first line of defense involves scanning both incoming data (inputs) and the agent's stored memory. This gate actively looks for patterns indicative of prompt injection attempts, where an attacker tries to override the agent's original instructions. It also scans for exfiltration patterns, attempting to detect if the agent is being tricked into revealing sensitive information.

Tool/Action Gate

Before an AI agent can execute potentially dangerous actions, such as accessing the shell, manipulating files, or making network requests, it must pass through a dedicated tool or action gate. This gate acts as a critical control point, preventing unauthorized or malicious operations that could lead to system compromise or data breaches. It ensures that only approved and safe actions are performed.

Output Verification

Once an agent has processed information and is ready to generate output, a final verification gate scrutinizes the content. This is particularly important when the agent is about to send information back to a user or another system. The gate ensures that no sensitive data has been inadvertently included or that the output has not been maliciously altered.

Threat Antibody Protocol

The most novel aspect of AL-MUNAA is its Threat Antibody Protocol. This mechanism enables cross-agent immunity. When one agent detects an indirect prompt injection, it doesn't just protect itself. Instead, it generates a 'Threat Antibody'— a cryptographically signed fingerprint of the detected threat. This antibody is not the malicious text itself, nor does it contain any sensitive data. It is a compact, bounded HMAC fingerprint derived from normalized character shingles of the detected malicious pattern. This fingerprint is signed using Ed25519, a strong public-key algorithm, ensuring its authenticity and integrity. Other agents can then verify this antibody through an explicit trusted-peer mechanism, allowing them to preemptively guard against similar attacks without ever seeing the original malicious prompt or any associated sensitive data.

Diagram illustrating the four gates of AL-MUNAA protecting AI agents.

How Threat Antibodies Work

The concept of a 'Threat Antibody' is central to AL-MUNAA's collective defense. Imagine a scenario where Agent A receives an untrusted document. Within this document is a hidden instruction designed to make Agent A reveal a secret API key. Agent A's input scanner detects this pattern.

Instead of simply alerting its human operator or logging the event, Agent A leverages the Threat Antibody Protocol. It normalizes the detected malicious instruction (e.g., by removing irrelevant whitespace or normalizing case) and then creates character shingles—overlapping sequences of characters. An HMAC (Hash-based Message Authentication Code) is computed over these shingles, creating a unique, fixed-size fingerprint. This HMAC is then signed with Agent A's private Ed25519 key.

This signed fingerprint, the 'antibody,' is then broadcast to other agents within the AL-MUNAA network. Agent B, for instance, might receive this antibody. If Agent B later encounters a similar untrusted input, it can use the received antibody to check if the new input matches the known threat pattern. Crucially, Agent B does not need the original malicious prompt; it only needs the signed antibody. The Ed25519 signature ensures that the antibody truly originated from a trusted peer (Agent A, in this case) and has not been tampered with. This allows Agent B to block the input or flag it for closer inspection, effectively immunizing itself based on another agent's experience.

The strength of this approach lies in its privacy preservation. The antibody is a digest, not the data itself. This means that even if an agent is compromised and an attacker tries to extract its 'knowledge' of threats, they can only get these cryptographically secured fingerprints, which are useless without the corresponding private keys or the original attack vector. This is akin to a biological immune system recognizing a pathogen's signature without needing to re-expose the entire body to the disease.

Implications for AI Agent Security

The proliferation of AI agents, especially in enterprise environments where they might interact with sensitive internal data or external web services, makes robust security paramount. Indirect prompt injection is a particularly insidious threat because it doesn't rely on direct user interaction. An agent could be compromised simply by processing a webpage, a PDF document, or an email.

AL-MUNAA addresses this by moving beyond individual agent-level security to a collective, distributed defense. When one agent encounters a novel threat, that knowledge is rapidly and safely disseminated to others. This significantly reduces the 'attack surface' for prompt injection across a fleet of agents. It's like having an early warning system where the detection of a single infected individual immediately triggers protective measures for the entire community.

The system's reliance on cryptographic signatures and normalized fingerprints ensures that the threat intelligence shared is both verifiable and anonymized, respecting the privacy of the agent that first detected the threat and the data it was processing. This is a crucial distinction from simpler methods that might involve sharing raw logs or prompts, which could inadvertently leak sensitive information.

For developers building applications with multiple interacting AI agents, AL-MUNAA offers a framework to enhance security posture significantly. It provides a mechanism to build resilience against sophisticated attacks without compromising the operational integrity or data privacy of the agents involved. The challenge ahead will be in the seamless integration of such security layers into existing AI agent architectures and ensuring the scalability of the threat antibody verification process across a large number of agents.