Was just at [Un]prompted conference where this was a live debate. The conversation is shifting but not fast enough. I've been screaming about this for a while: we can't win the prompt war, we need to move the enforcement out of the untrusted input channel and into the execution layer to truly achieve deterministic guarantees.

There are emerging proposals that get this right, and some of us are taking it further. An IETF draft[0] proposes cryptographically enforced argument constraints at the tool boundary, with delegation chains that can only narrow scope at every hop. The token makes out-of-scope actions structurally impossible.

Disclosure: I wrote the 00 draft

[0] https://datatracker.ietf.org/doc/draft-niyikiza-oauth-attenu...