All posts
June 18, 20263 min read

Nested agents: what they mean for your prompt-injection risk (on GCP)

A common misconception is that simply isolating large language models from each other eliminates prompt-injection risk. In reality, when one model invokes another, what we call a nested agent, the outer model can embed malicious prompts that the inner model blindly executes. Teams building AI‑driven pipelines on GCP often connect agents directly to cloud services, share service‑account keys, and rely on the platform’s default IAM boundaries. The outer agent receives a user’s request, crafts a f

Free White Paper

Prompt Injection Prevention + Risk-Based Access Control: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A common misconception is that simply isolating large language models from each other eliminates prompt-injection risk. In reality, when one model invokes another, what we call a nested agent, the outer model can embed malicious prompts that the inner model blindly executes.

Teams building AI‑driven pipelines on GCP often connect agents directly to cloud services, share service‑account keys, and rely on the platform’s default IAM boundaries. The outer agent receives a user’s request, crafts a follow‑up query, and forwards it to a second model without any additional verification. Because the inner model trusts the outer call as if it were a legitimate user, any crafted prompt can cause the inner model to leak data, exfiltrate secrets, or perform prohibited actions. The risk is amplified when the outer model is exposed to untrusted input, such as a public chatbot endpoint.

Why nested agents amplify prompt-injection risk

Nested agents create a two‑step trust chain. The first step authenticates the user to the outer model; the second step trusts the outer model to act on behalf of the user when it talks to the inner model. If the outer model is compromised, or if an attacker learns how to influence its prompt construction, the inner model receives a malicious instruction that appears to come from a trusted source.

This pattern leaves three gaps:

  • Uninspected payloads: The inner model never sees the original user context, so it cannot validate that the request aligns with policy.
  • Credential exposure: Shared service‑account keys give each agent unrestricted access to downstream resources, making it easy for a compromised outer agent to act everywhere.
  • No audit trail: Without a central observation point, teams cannot tell which prompts caused which downstream actions, hindering forensic analysis.

Addressing these gaps requires a control point that sits between the agents and the resources they reach. The control point must be able to see every request, enforce policy, and record outcomes before the request reaches the target.

What a gateway can enforce

When a gateway sits in the data path, it becomes the only place where enforcement can happen. The gateway can:

  • Record each session: hoop.dev logs the full request and response stream for every agent interaction, giving teams a replayable audit trail.
  • Mask sensitive fields: hoop.dev can redact secrets or personally identifiable information from responses before they are returned to the outer model.
  • Require just‑in‑time approval: For high‑risk operations, hoop.dev can pause the request and route it to a human approver, preventing accidental leakage.
  • Block dangerous commands: hoop.dev can inspect the payload and reject any instruction that matches a denylist, such as attempts to read environment variables or invoke privileged APIs.

All of these outcomes exist only because hoop.dev occupies the data path. Without the gateway, the outer agent would talk directly to the inner model or to GCP services, and none of the above controls would be enforceable.

Continue reading? Get the full guide.

Prompt Injection Prevention + Risk-Based Access Control: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How hoop.dev fits into the GCP architecture

In a typical GCP deployment, agents run in Cloud Run, GKE, or Compute Engine and authenticate with a service‑account key. To insert hoop.dev, you deploy the gateway as a sidecar or as a separate service that the agents must call to reach any downstream target, whether that target is another LLM endpoint, a Cloud SQL database, or a GCS bucket.

The flow becomes:

  1. Agent obtains an OIDC token from the corporate IdP (Okta, Azure AD, etc.).
  2. Agent presents the token to hoop.dev.
  3. hoop.dev validates the token, reads group membership, and decides whether the request is allowed.
  4. If allowed, hoop.dev forwards the request to the inner model or GCP service, applying masking, approval, or blocking as configured.
  5. hoop.dev records the full interaction for later replay.

Because hoop.dev holds the credential used to talk to the downstream service, the agent never sees the secret. This satisfies the principle of least privilege: the agent only needs a token that proves its identity, while hoop.dev enforces fine‑grained policies on every call.

Importantly, hoop.dev does not replace the identity provider. The IdP still decides who may start a session (the setup layer). hoop.dev is the data path that actually enforces the policy, and the enforcement outcomes, recorded sessions, masked data, JIT approvals, are only possible because hoop.dev sits in that path.

Practical steps to reduce prompt-injection risk with nested agents

Even without code examples, the high‑level approach is clear:

  • Deploy hoop.dev as the sole egress point for all agent‑to‑agent and agent‑to‑service traffic.
  • Configure policies that require approval for any request that includes code execution or secret retrieval.
  • Enable inline masking for fields that contain credentials, tokens, or personal data.
  • Ensure every session is recorded so that a post‑mortem can trace the exact prompt chain that led to an incident.

These measures close the three gaps identified earlier and transform a blind trust chain into a verifiable, auditable workflow.

Getting started

For a quick deployment on GCP, follow the getting‑started guide. The documentation explains how to configure OIDC authentication, define policies, and attach the gateway to your existing services. Detailed feature descriptions are available in the learn section.

Explore the source code and contribute on GitHub: hoop.dev repository.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot