SingularityNET Unveils PICO a New Transformer Framework Designed to Isolate System Prompts, Defend LLMs From Adversarial Prompt Injection, and Enable Safer Decentralized AI Applications

As large language models (LLMs) become central to modern AI systems, their security vulnerabilities grow more concerning. One of the most pressing threats is prompt injection, where malicious inputs manipulate a model into generating unintended outputs. This isn’t just a theoretical risk, real-world incidents have already demonstrated how easy it is to bypass standard safety measures by blending malicious instructions with legitimate prompts.

Most LLMs today process trusted system prompts and untrusted user inputs through the same channel. While this design simplifies the architecture, it creates a critical flaw: there’s no structural separation between what the model should always obey and what it can be tricked into executing. The result? Models that are alarmingly easy to exploit. Recognizing this gap, SingularityNET has introduced a transformative new solution called PICO (Prompt Isolation and Cybersecurity Oversight).

PICO is not just a patch or safety wrapper. It’s a fundamentally new secure transformer architecture designed from the ground up to isolate trust boundaries within the model. With its innovative design and integrated cybersecurity components, PICO offers a blueprint for building LLMs that can reliably defend themselves in adversarial scenarios.

What Makes Prompt Injection So Dangerous?

Prompt injection attacks don’t rely on breaking into systems, they manipulate the model from the inside. By cleverly crafting input strings, attackers can override initial system instructions, rewire model behavior, or leak confidential information. This type of vulnerability undermines the credibility and usability of AI, especially in sensitive domains like healthcare, finance, or defense. A particularly sophisticated attack known as Policy Puppetry disguises harmful instructions as legitimate configuration files, making detection harder. These are not just rare, academic scenarios, such techniques are evolving rapidly, and traditional LLMs are ill-equipped to defend against them.

How PICO Redefines Secure Transformer Architecture?

PICO introduces a structural innovation: complete separation of system and user inputs at the architectural level. This means trusted instructions are processed in one frozen, immutable channel, while user inputs flow through a separate, learnable channel. A gated fusion mechanism then merges the outputs from both channels. But here’s the key, this fusion is not equal. It’s dynamically weighted by a Security Expert Agent that evaluates the context and applies insights from a Cybersecurity Knowledge Graph. This ensures that under any circumstances, the trusted system instructions retain dominance during inference. This architectural upgrade delivers powerful benefits in prompt injection prevention without compromising model flexibility or performance.

How the Gated Fusion System Works? 

Instead of merging inputs blindly, PICO uses a smart gating mechanism to control how much influence user input can have. The Security Expert Agent, integrated into a Mixture-of-Experts (MoE) setup, detects red flags using a combination of learned heuristics and graph-based reasoning from the Cybersecurity Knowledge Graph. This gives PICO an adaptive shield, one that doesn’t rely on static rules but evolves to identify new adversarial patterns. It essentially embeds cybersecurity intelligence directly into the inference process.

Adversarial AI Defense Built Into the Core

PICO’s architecture isn’t just theoretical. It’s backed by a robust mathematical formulation that proves the dominance of the system prompt under adversarial conditions. This formal approach ensures that the trusted system path cannot be overpowered, a rare claim in today’s AI models. More importantly, the PICO team demonstrates how this approach holds up against real attack vectors, including Policy Puppetry. These insights make a strong case for why adversarial AI defense needs to move from reactive patching to proactive architectural redesign, exactly what PICO delivers.

Can Existing Models Adopt PICO?

While PICO is ideally trained from scratch, the research also introduces a cost-effective fine-tuning method. This allows developers and enterprises to retrofit existing LLMs with PICO’s safety layers. For organizations already using AI at scale, this is a practical pathway to significantly enhance system security without starting over. In this hybrid implementation, the system prompt channel remains immutable while the rest of the model adapts to safely handle potentially harmful inputs. It offers a balance between innovation and accessibility.

A New Standard for Safe AI

PICO represents a significant leap forward in AI safety. It shows that prompt injection prevention is not just a problem of better filtering, but of better design. By separating and prioritizing system-level instructions at the architecture level, and adding intelligent security oversight, PICO brings structural trust to transformer-based models. As the AI landscape evolves, solutions like PICO could become the new gold standard, not only for developers but for anyone relying on AI to make decisions, answer questions, or automate tasks. By making LLMs inherently more resistant to adversarial manipulation, PICO helps build a future where AI can be both powerful and safe.