Operationalizing CaMeL: Strengthening LLM Defenses for Enterprise Deployment

TL;DR

This paper enhances the CaMeL framework for LLM security by addressing its limitations, introducing new mechanisms like prompt screening, output auditing, a tiered-risk model, and a verified intermediate language to improve enterprise deployment safety.

Contribution

The paper proposes engineering improvements to CaMeL, expanding its threat coverage and operational usability for enterprise LLM deployment.

Findings

Enhanced threat mitigation with prompt screening and output auditing

Balanced usability and security through a tiered-risk access model

Formal guarantees achieved via a verified intermediate language

Abstract

CaMeL (Capabilities for Machine Learning) introduces a capability-based sandbox to mitigate prompt injection attacks in large language model (LLM) agents. While effective, CaMeL assumes a trusted user prompt, omits side-channel concerns, and incurs performance tradeoffs due to its dual-LLM design. This response identifies these issues and proposes engineering improvements to expand CaMeL's threat coverage and operational usability. We introduce: (1) prompt screening for initial inputs, (2) output auditing to detect instruction leakage, (3) a tiered-risk access model to balance usability and control, and (4) a verified intermediate language for formal guarantees. Together, these upgrades align CaMeL with best practices in enterprise security and support scalable deployment.