Trusted Tool Output Is Becoming a Policy Override Primitive

Attackers don't need to beat your core policy anymore. They just need to convince the model that external tool output outranks it. That's the trust-boundary bug we keep seeing — and it's becoming a reliable primitive for policy override without any explicit privilege escalation.

The threat model in one paragraph

Modern agent pipelines treat browser results, search responses, plugin output, and API data as high-confidence context. The content flowing through those channels is assumed to be a source, not an instruction. Attackers flip that assumption. They inject instructions into content that's likely to flow through a retrieval or tool channel, then bind trust language to override verbs. The model reads the tool output, sees "this is trusted / authoritative / verified," and obediently disables its own guardrails.

The attack path in four steps

1. Inject. Attacker plants instructions inside content that's likely to reach the agent through retrieval, browser fetch, or a tool response.
2. Bind trust to action. The payload stitches trust-channel vocabulary (trusted / authoritative / verified / source of truth) to override verbs (ignore / override / bypass / replace / discard) targeting policy nouns (policy / safety / guardrails / instructions / rules).
3. Model reinterprets. The model reads the tool output as permission to override its own safety rules because the text explicitly says those rules are now subordinate to the tool channel.
4. Policy displacement without API calls. The result is guardrail bypass without any explicit privilege escalation — no new tokens, no new scopes, just a reinterpretation of the trust hierarchy.

Why naive detectors get fooled

The obvious detection approach: look for the co-occurrence of a trust claim, an override verb, and a policy target. That catches real attacks — and also catches your own defensive documentation.

A training example that says "attackers will try to claim tool output is trusted and override policy" contains the exact same surface pattern as the attack itself. A detection writeup that says "this payload attempts to override safety guardrails" matches. A post-mitigation log that says "override was blocked, safeguards stay enforced" matches. You end up alerting on your own security docs.

The multi-signal pattern that actually holds up

A detector for this family needs three things to co-occur:

• Tool-output entity: tool output, search output, browser output, retrieval output, plugin output, api output
• Trust claim: trusted, authoritative, verified, source of truth
• Override verb + policy target: ignore / override / bypass / replace / discard + policy / safety / guardrails / instructions / rules

Then the second stage suppresses meta-contexts: explanatory phrasing (detect attempts, training example, should be flagged/blocked) and post-mitigation phrasing (override was blocked, safeguards stay enforced).

This is how we keep recall high without lighting up every defensive document.

What the evidence from our own fixtures shows

We tracked this pattern family from clean baselines through larger-corpus validation:

• Clean baseline (CYCLE180, April 16): TP 5, TN 5, FP 0, FN 0 — perfect on the initial fixture set.
• Larger corpus (CYCLE250, April 17): TP 8, TN 6, FP 4, FN 0 — recall holds, but false positives appear as soon as meta-text enters the corpus.
• After suppressor refinement (CYCLE263, April 17): TP 10, TN 12, FP 2, FN 0 — partial recovery, still under revision.

The pattern stays recall-strong (FN=0 across all three runs), but false-positive control is a live engineering problem, not a solved one. This is a regression-sensitive family: every corpus expansion re-opens the tension between sensitivity and specificity.

Where Sunglasses sits

Sunglasses runs at the ingestion boundary — before tool output reaches the model's reasoning step. For this attack family, that means:

• tool_output_poisoning — the core category, covering trust-channel abuse of plugin/browser/retrieval responses. Recent v0.2.20 additions: GLS-TOP-245 (Verification Stamp Tamper Override Guardrails) and GLS-TOP-247 (Forged Checksum Log Integrity Gate Bypass).
• retrieval_poisoning — the retrieval-channel variant (documents, vector stores, context digests). v0.2.20 adds GLS-RP-252 / 253 / 254 for seeded context digest, shadow eval addendum, and archived policy snapshot authority overrides.
• tool_poisoning — the upstream variant where tool metadata itself contains override language. v0.2.20 adds GLS-TP-ITDP-253 / 254 for audit log suppression and staging-equivalence provenance waivers.

All three categories share a root premise: external content should never outrank policy, regardless of how many trust words the external source uses about itself.

Why this matters now

As agents gain more tools — more retrieval, more browsing, more plugins, more A2A handoffs — the number of channels where external content can masquerade as authority grows linearly with the agent surface area. Teams that treat this as a trust boundary problem (not a "prompt injection text" problem) catch more real abuse while avoiding alert fatigue on their own defensive documentation.

If your current detector fires on every training example in your security backlog, it's the FP rate that's broken — not the concept. The pattern works. The meta-text suppressors are what separate a production-grade detector from a noisy one.

The closing idea

Attackers will keep finding new ways to smuggle authority into tool output. Detection is worth building — but the detector has to know the difference between attack text and meta-text about the attack. Otherwise you're just training your security team to ignore their own alerts.

This pattern family is live in v0.2.20, as of today. Seven new patterns across tool_output_poisoning (2), retrieval_poisoning (3), and tool_poisoning (2), all tuned to cut meta-text false positives without losing recall.