AI Governance · 27 April 2026

Prompt injection is an infrastructure problem, not an AI problem

If your defense is a regex in your application code, you are playing a game you cannot win. AI security needs to live at the platform layer.

[Figure: Where prompt injection defense should live. Application-level regex vs platform-level gateway. Panel "Most teams": App A (regex filter v1), App B (regex filter v2), App C (no filter), App D (copy of App A filter); 4 apps, 4 different defenses; one gap = entire org exposed. Panel "Platform approach": App A, App B, App C and App D all pass through one AI Gateway (rate limit, classify, token budget, sandbox, audit log); 1 gateway, all traffic, consistent defense. Caption: You do not defend against SQL injection in application code alone. AI security is no different.]

Every AI security conversation starts with prompt injection. And almost every team is defending against it in the wrong place.

The typical approach: add input filtering in the application layer. Check for known injection patterns. Sanitise the prompt before sending it to the model. Maybe add an output filter too.

This works for the injections you know about. It fails for the ones you do not.

Prompt injection is not a static threat. It evolves. New techniques appear weekly. If your defense is a regex in your application code, you are playing a game you cannot win.

The fix is to treat prompt injection as an infrastructure concern, the same way you treat SQL injection, XSS, and request smuggling. You do not defend against those in application code alone. You use WAFs, API gateways, and network-level controls. For AI traffic, the equivalent controls are:

  • Rate limiting at the API gateway, scoped per user and per endpoint
  • Request classification before the prompt reaches the model
  • Token budget enforcement at the infrastructure level, not the application level
  • Output sandboxing that prevents model responses from triggering downstream actions without validation
  • Full request-response logging for forensic analysis

The teams getting this right are building AI security into their platform layer. They have a single gateway that all AI traffic flows through. That gateway handles authentication, rate limiting, input classification, token budgets, and audit logging. The application teams do not need to think about it.
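A minimal sketch of the gateway described above, added here as an illustration and not code from Atruvo or any product. The class, decision strings and stubs are hypothetical, token cost is approximated by word count, and the substring classifier is only a stand-in so the example runs offline in place of a real classification service.

```python
import time
from collections import defaultdict, deque

class AIGateway:
    """Hypothetical single choke point for all model traffic (illustrative names)."""

    def __init__(self, model, classifier, allowed_actions,
                 rate_limit=3, window_s=60.0, token_budget=200):
        self.model = model                      # prompt -> {"text": str, "actions": [str]}
        self.classifier = classifier            # prompt -> "allow" or "block"
        self.allowed_actions = allowed_actions  # endpoint -> set of permitted actions
        self.rate_limit, self.window_s, self.token_budget = rate_limit, window_s, token_budget
        self.hits = defaultdict(deque)          # (user, endpoint) -> request timestamps
        self.spent = defaultdict(int)           # user -> tokens consumed so far
        self.audit_log = []                     # every request and response, denials included

    def handle(self, user, endpoint, prompt, now=None):
        now = time.monotonic() if now is None else now
        decision, response = self._decide(user, endpoint, prompt, now)
        self.audit_log.append(dict(ts=now, user=user, endpoint=endpoint, prompt=prompt,
                                   decision=decision, response=response))
        return decision, response

    def _decide(self, user, endpoint, prompt, now):
        window = self.hits[(user, endpoint)]    # rate limit scoped per user AND endpoint
        while window and now - window[0] >= self.window_s:
            window.popleft()
        if len(window) >= self.rate_limit:
            return "rate_limited", None
        window.append(now)
        cost = len(prompt.split())              # crude token estimate (assumption)
        if self.spent[user] + cost > self.token_budget:
            return "budget_exceeded", None
        if self.classifier(prompt) != "allow":  # classify before the model sees the prompt
            return "blocked", None
        self.spent[user] += cost
        raw = self.model(prompt)
        permitted = self.allowed_actions.get(endpoint, set())
        # Output sandbox: a model-requested action survives only if allowlisted for this endpoint.
        kept = [a for a in raw["actions"] if a in permitted]
        dropped = [a for a in raw["actions"] if a not in permitted]
        response = {"text": raw["text"], "actions": kept, "dropped": dropped}
        return ("ok_with_dropped_actions" if dropped else "ok"), response

def stub_classifier(prompt):  # constructed stand-in for a real classifier service
    return "block" if "ignore previous instructions" in prompt.lower() else "allow"

def stub_model(prompt):       # constructed stand-in for a model backend
    return {"text": "summary...", "actions": ["search_docs", "send_email"]}
```

Applications call `handle()` and act only on the returned `actions`; the `dropped` list and the audit log give responders the record of what the model asked for and what the gateway refused.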

The teams getting it wrong have every application team implementing their own prompt filtering. Different approaches, different quality, different gaps. One team's oversight becomes the whole organisation's vulnerability. If you have more than one AI-powered service, you need an AI gateway. Not because it is elegant. Because the alternative is unmanageable.


Senna Semakula


Founder, Atruvo
