The Defense Trilemma

Why prompt-injection defense wrappers fail.

A geometric impossibility theorem for continuous, utility-preserving wrapper defenses on connected prompt spaces — mechanized in Lean 4, validated on three LLMs.

Read the theorems

End-to-end proof map

Defense trilemma

🔺

Three properties, pick two

Continuity + utility preservation + completeness cannot coexist on a connected prompt space. Every continuous wrapper that fixes safe inputs must leave some boundary input unremediated.

📐

A three-tier escalation

Boundary Fixation (pointwise) → ε-Robust Constraint (Lipschitz neighborhood) → Persistent Unsafe Region (positive-measure, under transversality).

🧮

Discrete and continuous

The same impossibility holds under both continuous topology (Tietze bridge) and pure counting arguments on finite sets; the discrete dilemma requires no topology.

🔁

Multi-turn, stochastic, pipelined

Impossibility recurs at every turn, survives randomization in expectation, and amplifies multiplicatively (Kⁿ) through agent tool-calls.

🧠

Representation-independent

A single meta-theorem unifies the continuous, discrete and stochastic paths: utility preservation + any form of regularity ⇒ Fix(D) ⊋ S.

✅

Machine-verified

46 Lean 4 files, ≈360 theorems, zero `sorry`, three standard axioms (`propext`, `Classical.choice`, `Quot.sound`). `lake build` is green.

The one-paragraph argument

Let $X$ be a connected Hausdorff space of prompts and let $f : X \to \mathbb{R}$ be a continuous alignment-deviation score with threshold $\tau$. A wrapper defense is a continuous map $D : X \to X$ that leaves every safe prompt unchanged. Because $D$ is continuous and $X$ is Hausdorff, the fixed-point set $\operatorname{Fix}(D)$ is closed, and because safe inputs are fixed it contains the open safe region $S_{\tau} = \{f < \tau\}$; being closed, it therefore contains the whole closure $\overline{S_{\tau}}$. In a connected space a nonempty proper open subset cannot also be closed, so as long as some prompts are safe and some are not, $\overline{S_{\tau}}$ must contain points outside $S_{\tau}$, and by continuity of $f$ these are points where $f(z) = \tau$ exactly. Every such $z$ is fixed by $D$, so $D$ passes it through unchanged with no remediation. The three successively stronger theorems (T1, T2, T3) upgrade this single fixed point first to a Lipschitz-constrained neighborhood and finally, under transversality, to a positive-measure region that remains strictly above $\tau$ after defense.
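The closure step of this argument can be sketched in Lean 4 as follows. This is a minimal illustration that assumes Mathlib is available; the theorem name `closure_safe_subset_fix` and the blanket `import Mathlib` are hypothetical choices made for this sketch and are not taken from the project's Lean artifact.

```lean
import Mathlib

-- Hypothetical sketch, not the project's own statement or proof.
-- X : prompt space (Hausdorff, i.e. T2)
-- D : continuous wrapper defense
-- S : any set of prompts that D leaves unchanged (e.g. the safe region)
theorem closure_safe_subset_fix
    {X : Type*} [TopologicalSpace X] [T2Space X]
    (D : X → X) (hD : Continuous D)
    (S : Set X) (hfix : ∀ x ∈ S, D x = x) :
    closure S ⊆ {x | D x = x} :=
  -- Fix(D) = {x | D x = x} is closed, because two continuous maps into a
  -- T2 space agree on a closed set; closure S is the smallest closed set
  -- containing S, so it sits inside Fix(D).
  closure_minimal (fun x hx => hfix x hx) (isClosed_eq hD continuous_id)
```

Applied with `S` equal to the safe region, the lemma says that every point in its closure, including any boundary point with score exactly at the threshold, is fixed by `D`. Connectedness is the separate ingredient that guarantees such boundary points exist.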

End-to-end logical picture

Where to go next

| If you want to… | Start at |
| --- | --- |
| See the three tiers side-by-side | Theorem index |
| Follow the five-step geometric proof | Boundary five-step proof |
| Understand the trilemma picture | The Defense Trilemma |
| See how discrete data connects to the continuous theorems | Discrete → continuous |
| Understand why pipelines make it worse | Pipeline Degradation |
| Inspect the Lean 4 proof structure | Lean artifact |
| Know what the theorem does not say | Limitations |