# Prompt Injection Defence in Depth (2026): Six Layers from Input Sanitisation to Output Firewall

May 13, 2026 · 22 min read

Tags: prompt injection, AI security, defence in depth, LLM security, output firewall, tool-use authorisation, capability matrix, spotlighting, injection detector, secondary-review LLM, egress filter, action-effect simulator, RAG security, agent security, jailbreak defence, guardrails, AI architecture, 2026

## Frequently Asked Questions

- Why has the field moved from a single strong filter to a six-layer defence-in-depth stack in 2026?
- What does Layer 1 (input sanitisation and normalisation) actually deliver, and what are its known limitations?
- How are the Layer 2 classifiers trained, and why does generic off-the-shelf training fail?
- What does Layer 3 (prompt-template hardening) cover, and what is the spotlighting pattern?
- Why must tool-use authorisation (Layer 4) be outside the prompt, and what does the capability matrix look like?
- How should the Layer 5 secondary-review LLM be structured, and how are disagreements between primary and secondary handled?
- What does the Layer 6 output firewall enforce, and how does the action-effect simulator work?
- In what order should an organisation build the six layers, and what is the engineering rationale?
- How does the six-layer stack compose with category-aware guardrails, agent circuit breakers, observability, and incident response?
- What does the maturity ladder look like, and where do most production LLM applications sit in early 2026?

**Satyam** — AI and cloud architect. Helps teams build systems that scale to millions of users.