Your agent looked fine in the demo. Then it started reading real PDFs, tickets, fetched pages, and tool outputs. Nothing looked obviously malicious.
No one typed “ignore all previous instructions.” Still, the workflow drifted. The model began to treat external text as policy, the context got noisier, and tool execution became harder to trust. That is the uncomfortable part of building agents on li