The article highlights a significant blind spot in AI agent security, focusing on the gap between theoretical models and practical implementations. It emphasizes that while security research is advancing—citing works like Simon Willison’s prompt injection model and Microsoft’s FIDES—actual agent frameworks often overlook a critical vulnerability: the trust boundary where LLM (Large Language Model) outputs are treated as secure inputs. When an LLM generates a tool call, such as reading a file, it directly trusts the user’s input without adequate validation, which can lead to security breaches. An example shows how an attacker can manipulate an LLM to access restricted files by embedding malicious instructions in seemingly benign inputs. The article critiques the effectiveness of probabilistic defenses, like classifiers that attempt to detect prompt injections. While these tools may provide some level of monitoring, they rely on uncertain thresholds and can create false positives or negatives, complicating user experience and security. The traditional approach of validating input strings fails to account for the actual intent behind those inputs. This discrepancy between what the system checks (the "Map") and what it executes (the "Territory") mirrors long-standing vulnerabilities in Unix systems, specifically the Time-of-Check-Time-of-Use (TOCTOU) issue. Concrete examples of vulnerabilities highlight this pattern in production frameworks, particularly within the LangChain library. Various CVEs (Common Vulnerabilities and Exposures) illustrate how attackers have exploited these trust boundary gaps, such as allowing Server-Side Request Forgery (SSRF) through improper input validation. The article stresses that validation should occur in the same semantic context as execution; it shouldn't merely check the string but rather what the string represents within the system. The author suggests that moving beyond regex and implementing semantic validation can help close these security gaps effectively.