But who will have thought about something not being a SaaS but rather on-premises...
If there's nothing to access, there's only limited value in using an LLM in the first place.
If your LLM is prevented from accessing anything other than the prompt, the only use is interactive use by the user; no automatic work done on any workflow items.
In this post's example, the agent would be limited by the author's scope inside the organization and, therefore, be incapable of exposing any unwanted file.
No.
> In this post's example, the agent would be limited by the author's scope inside the organization and, therefore, be incapable of exposing any unwanted file.
That still allows prompt injection to exfiltrate the authors files. That's the whole exploit - files that the author has, that he doesn't want exfiltrated.
You have a set of apis that user can access to do something, the llm uses those same apis. How is that limiting usefulness? By not invoking apis user is not allowed to?