All use cases
Prompt injection defense

Catch prompt injection the moment it's written

Inbound email, scraped pages, and tool output routinely carry "ignore previous instructions." Governed Memory scores and taints untrusted content on write — long before it can ever reach a prompt.

Sourcesemail · web · tools
Write Governorscore · taint
Retrievalprivilege gate
Agent promptcontext window
Untrusted content is scored and tainted at the Write Governor. Quarantined memory is held out of ordinary retrieval, so an injected instruction never reaches the model in the first place.

The risk

Inbound email, scraped web pages, and tool output are untrusted by definition — yet most memory pipelines store them with the same standing as a verified CRM record. Any of them can carry an "ignore previous instructions" payload disguised as ordinary text.

Once that text is in your vector store looking like every other memory, it's one retrieval away from being pulled into a prompt and acted on. The defense has to happen on the way in, not by hoping a downstream model notices.

How Governed Memory handles it

  1. 01
    Untrusted by default

    Content from email, the web, and tool output is treated as untrusted the moment it arrives, regardless of how the calling code labels it.

  2. 02
    Scored on write

    A heuristic scanner and a trained injection classifier score the content; a high score is tainted and quarantined before the write completes.

  3. 03
    Held out of retrieval

    Quarantined memory is excluded from ordinary retrieval, so it can't be pulled into a prompt unless something explicitly and deliberately asks for it.

  4. 04
    Nothing trusts a label

    A trusted_system source field buys no exemption. Content is judged on what it contains, not on what it claims to be.

Read the full technical walkthrough → Self-host it