How do you defend against prompt injection?

Defenses include separating system from user input clearly with delimiters, validating outputs against expected formats, using structured output, running content filters on inputs and responses, sandboxing tool execution, limiting model permissions, treating all retrieved content as untrusted, and monitoring for unusual behavior. There is no perfect defense; use defense in depth.