| title | Dual LLM Pattern | |||
|---|---|---|---|---|
| status | emerging | |||
| authors |
|
|||
| based_on |
|
|||
| category | Orchestration & Control | |||
| source | https://arxiv.org/abs/2506.08837 | |||
| tags |
|
When the same model both reads untrusted content and controls high-privilege tools, a single prompt-injection path can convert benign context into privileged actions. This coupling collapses trust boundaries and makes it hard to reason about where dangerous behavior originated.
Split roles:
- Privileged LLM: Plans and calls tools but never sees raw untrusted data.
- Quarantined LLM: Reads untrusted data but has zero tool access.
- Pass data as symbolic variables or validated primitives; privileged side only manipulates references.
Use an explicit contract between the two models: the quarantined model may only emit typed values (or opaque handles), while the privileged model may only operate over approved schemas and tools. This preserves capability while preventing raw untrusted text from entering high-authority reasoning paths.
var1 = QuarantineLLM("extract email", text) # returns $VAR1
PrivLLM.plan("send $VAR1 to boss") # no raw text exposure
execute(plan, subst={ "$VAR1": var1 })
Email/calendar assistants, booking agents, API-powered chatbots, or any system handling untrusted user input with privileged actions (e.g., database writes, external API calls, file system operations).
- Pros: Clear trust boundary; compatible with static analysis.
- Cons: Complexity; debugging across two minds.
- Willison, Dual LLM Pattern (Apr 2023); adopted in Beurer-Kellner et al., §3.1 (4).
- Primary source: https://arxiv.org/abs/2506.08837