{
  "docId": "019dd923-5e88-73ef-bd5d-0d0f98caffe1",
  "docSlug": "5df6bd1b0447b5f6",
  "documentTitle": "2025 Air Street Capital The State of AI Report 2025",
  "authorId": "AirStreetCapital",
  "authorName": "Air Street Capital",
  "documentKindSlug": "consulting-deck",
  "documentKindLabel": "Consulting deck",
  "sourceTypeSlug": "vc_research",
  "sourceTypeLabel": "VC research",
  "presentationDate": null,
  "orientation": "landscape",
  "aspectRatio": 1.777,
  "pageNumber": 274,
  "pageCount": 313,
  "prevPage": 273,
  "nextPage": 275,
  "slideType": "diagnosis",
  "function": "present_solution",
  "density": "dense",
  "nDataPoints": 1,
  "notes": "The slide uses a diagram to explain the CaMeL architecture, showing how it mediates interactions between LLMs, tools, and data.",
  "elementsJson": [
    "headline_text",
    "bullet_list",
    "process_diagram",
    "other"
  ],
  "metadataConfidence": 1,
  "imagePath": null,
  "slideHref": "/slides/019dd923-5e88-73ef-bd5d-0d0f98caffe1/274",
  "deckHref": "/decks/019dd923-5e88-73ef-bd5d-0d0f98caffe1",
  "deckJsonHref": "/decks/019dd923-5e88-73ef-bd5d-0d0f98caffe1.json",
  "deckAnchorHref": "/decks/019dd923-5e88-73ef-bd5d-0d0f98caffe1#slide-274",
  "components": [
    {
      "bbox": null,
      "kind": "callout",
      "text": "In live red-teaming and benchmark tests, CaMeL blocked 100% of prompt injection attempts while maintaining near-baseline task success rates.",
      "attrs": null,
      "subkind": null,
      "toolName": "Visual emphasis",
      "toolSlug": "visual-emphasis",
      "confidence": null,
      "componentId": "019dd952-47c3-7407-8d09-994c5ec1fb41",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.35,
        "w": 0.45,
        "x": 0.52,
        "y": 0.38
      },
      "kind": "image",
      "text": "Diagram of CaMeL architecture showing user query, privileged/quarantined LLMs, data-flow graph, and security policies.",
      "attrs": null,
      "subkind": "infographic",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "eee35481-5a95-41fc-a8b7-b5d2282d3634",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.55,
        "w": 0.48,
        "x": 0.04,
        "y": 0.35
      },
      "kind": "list",
      "text": "CaMeL wraps the LLM in a tightly scoped execution environment, breaking tasks into minimal-privilege capability calls. Every interaction between the model, external tools, and sensitive data sources is mediated and auditable, preventing injected instructions from escalating privileges or exfiltrating data.\nIn live red-teaming and benchmark tests, CaMeL blocked 100% of prompt injection attempts while maintaining near-baseline task success rates.\nAs capable agents enter critical workflows, capability-based designs should become a safety baseline rather than an optional add-on. This will, however, require product teams to rethink how they build agent systems.",
      "attrs": null,
      "subkind": "bullet",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "11918377-bbf9-4c24-be94-c9cfb6901de5",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": null,
      "kind": "metric",
      "text": "prompt injection success rate: 100%",
      "attrs": null,
      "subkind": "primary",
      "toolName": "Quantification",
      "toolSlug": "quantification",
      "confidence": null,
      "componentId": "019dd952-47c3-7407-8d09-9cc69042b48e",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.12,
        "w": 0.96,
        "x": 0.02,
        "y": 0.21
      },
      "kind": "paragraph",
      "text": "Prompt injection remains one of the most persistent vulnerabilities in LLM-based systems, with current defenses relying on patchwork filtering or after-the-fact classifiers. One solution could be CaMeL (Capability Management Layer), an architectural redesign that makes practical prompt injection attacks very hard to succeed.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "24dcee04-e2cf-41a6-8c88-1fcd42d6d642",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.05,
        "w": 0.75,
        "x": 0.02,
        "y": 0.14
      },
      "kind": "title",
      "text": "From filters to fortresses: prompt injection defense gets architectural",
      "attrs": null,
      "subkind": "headline",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "c1abf2ac-5d90-47b7-ba7d-ad47ce1ea4ec",
      "frameworkName": null,
      "frameworkSlug": null
    }
  ],
  "metrics": [],
  "tools": [
    {
      "name": "Defensive Design",
      "slug": "defensive-design",
      "agent": "Architect",
      "layer": "slide",
      "matchId": "7f90d52c-ee9c-469a-bbfb-cd6b02e32f95",
      "evidence": "paragraph/paragraph: Prompt injection remains one of the most persistent vulnerabilities in LLM-based systems, with current defenses relying on patchwork filtering or after-the-fact classifiers.",
      "confidence": 0.7
    }
  ],
  "frameworks": [],
  "arcBeats": [
    {
      "to": 282,
      "from": 190,
      "beatId": "019dd95a-0682-776c-8e35-a256fe16ea9c",
      "arcName": "The Triple Take",
      "arcSlug": "triple-take",
      "beatName": "The Implications (So What)",
      "beatSlug": "triple-take-the-implications-so-what",
      "evidence": "Sections 3-4 frame political and safety consequences of the technical/industry trends.",
      "position": 2,
      "confidence": 70,
      "parentBeatName": "Reflection",
      "parentBeatSlug": "reflection"
    },
    {
      "to": 282,
      "from": 190,
      "beatId": "019dd95a-0682-776c-8e35-b713af60bf88",
      "arcName": "The Onion",
      "arcSlug": "onion",
      "beatName": "Core Insight",
      "beatSlug": "onion-core-insight",
      "evidence": "Politics and Safety reveal the structural risks at the core.",
      "position": 4,
      "confidence": 45,
      "parentBeatName": "Turn",
      "parentBeatSlug": "turn"
    }
  ],
  "loops": [
    {
      "to": 282,
      "from": 247,
      "name": "Pre Mortem",
      "slug": "19-pre-mortem",
      "bestFor": "Project kick-offs, risk management, building trust with skeptical stakeholders",
      "matchId": "019dd95a-07fe-70ce-8d3e-bb4d43115ab4",
      "evidence": "Vibe hacking, AI psychosis, alignment faking, scheming, prompt injection — what could go wrong + mitigations.",
      "position": 12,
      "objective": "Surface AI safety failure modes before they become catastrophic",
      "structure": "The Future Disaster (Hypothetical) -> What Went Wrong -> The Prevention Plan",
      "confidence": 75,
      "description": "Build trust by anticipating failure modes before they happen and solving them in advance"
    }
  ],
  "imagePathAlt": null,
  "thumbSrc": null,
  "thumbSrcAlt": null,
  "locked": true
}