Prompt injection isn't the whole story: secure what the model hands back
Here is the rule I wish I'd started with: the output of an LLM is untrusted input. Not "mostly clean because a model wrote it." Untrusted, the same as a string a user typed or a response that came bac
raplsworks.hashnode.dev · 5 min read
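One way to apply the rule above in code, as an added example that is not from the original post: model output that is meant to be a tool call is parsed and checked against an allowlist, and model text is escaped before it reaches an HTML sink. The action names, the `{"action", "args"}` shape, the size limit and the sample strings are all assumptions made for illustration.

```python
import html
import json

# Hypothetical allowlist: action name -> exact argument names and their types.
ALLOWED_ACTIONS = {
    "lookup_order": {"order_id": str},
    "send_reply": {"text": str},
}
MAX_OUTPUT_CHARS = 4096  # assumed limit for this sketch


class RejectedOutput(ValueError):
    """Raised when model output fails validation."""


def parse_tool_call(raw: str) -> dict:
    """Validate model output the way a request body from a stranger is validated."""
    if len(raw) > MAX_OUTPUT_CHARS:
        raise RejectedOutput("output too large")
    try:
        data = json.loads(raw)
    except (ValueError, RecursionError) as exc:
        raise RejectedOutput("not valid JSON") from exc
    if not isinstance(data, dict) or set(data) != {"action", "args"}:
        raise RejectedOutput("unexpected top-level shape")
    action = data["action"]
    schema = ALLOWED_ACTIONS.get(action) if isinstance(action, str) else None
    if schema is None:
        raise RejectedOutput("action not on allowlist")
    args = data["args"]
    if not isinstance(args, dict) or set(args) != set(schema):
        raise RejectedOutput("unexpected arguments")
    for name, expected in schema.items():
        if not isinstance(args[name], expected):
            raise RejectedOutput(f"bad type for {name}")
    return {"action": action, "args": args}


def render_reply(model_text: str) -> str:
    """Escape model text before it is placed into HTML."""
    return "<p>" + html.escape(model_text, quote=True) + "</p>"


# Constructed sample outputs, not captured from a real model.
GOOD = '{"action": "lookup_order", "args": {"order_id": "A-1001"}}'
OFF_LIST = '{"action": "delete_account", "args": {"user": "42"}}'
MARKUP = "Done <script>x</script>"
```
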