How do you prevent prompt injection in RAG systems?

Prevent prompt injection by treating retrieved content as untrusted data, not as instructions. Use system prompts that clearly separate instructions from retrieved context, for example with explicit delimiters and statements that the model must not follow instructions in the context. For untrusted corpora like public web pages, consider using a smaller model for a classification pass that flags suspicious content before passing to the main generator. No defense is perfect, so limit the blast radius by restricting what actions the generated output can trigger.