01. Input Fencing
A page from the internet or a tool reply can sneak instructions into a model's prompt. For example, when a model must output JSON, it might fill required fields with made-up information from its training. That is because the structure creates pressure to provide an answer even without real data. Researchers found that enforcing JSON output alone made hallucinations rise by over ten percentage points. They call this the C three anomaly. To prevent such problems, filters at the system boundary are essential. One simple filter is to always require absolute filepaths in tool commands. That small change stopped the model from making path mistakes entirely. Another filter is to inject verified database information directly into the prompt. This grounds the model in real data. Vocabulary constraints also help by limiting what the model can output. These measures work together. Under the full stack, hallucination rates dropped from around sixty percent to under fifteen percent. Yet even with filters, some harmful content slips through. For instance, when researchers replaced just a tiny fraction of training tokens with false medical information, the model became dangerous. Standard benchmarks showed no drop in performance, so detection requires special screening. Knowledge graphs can catch over ninety percent of such harmful output. The trade off is that no single filter is perfect. Combining several layers of validation gives the best protection. But the system remains vulnerable to unseen items that were never in its inventory. That shows why constant testing and improvement are needed.
Input fencing by requiring absolute filepaths in tool commands
def tool_execute(filepath):
if not filepath.startswith('/'):
raise ValueError("Only absolute filepaths allowed")
# proceed with tool execution
Think of input fencing as a security guard at the factory door who checks every package before it reaches the assembly line. Its single job is to stop sneaky instructions—like a crafty message pretending to be a normal internet page or tool reply—from tricking the model into making things up. Researchers saw that when the model was told to output a specific format like JSON, it often filled required fields with fake information because the format felt like it demanded an answer, even with no real facts. This effect, called the C3 anomaly, caused hallucinations to jump by over ten percentage points.
Now, the guard doesn't just watch—it enforces rules. One simple rule is that every tool command must include an absolute filepath, like “/home/user/data.txt” instead of just “data.txt.” That tiny check blocks vague or hidden instructions because the model cannot guess a legitimate path without real evidence. Another mechanism is a fixed vocabulary constraint, which only allows the model to pick from a verified list of tools, preventing it from inventing names. Without these fences, the model would confidently recommend nonexistent tools or fill in plausible but false answers from its training data, leaving users with dangerous, believable errors.
The Input Fencing subsystem is designed as a three-mechanism mitigation stack to prevent mention-level hallucination in the closed-inventory Large Language Model (LLM) system Online-CADCOM. The ordered mechanism operates as follows: first, database-grounded context injection provides the model with a verified list of engineering tools from the platform’s inventory; second, fixed vocabulary constraints restrict the model’s output tokens to only those tool names present in that inventory; third, enforced JavaScript Object Notation (JSON) output forces the final response into a structured schema. On failure of any preceding step—for instance, if the database-grounding mechanism is disabled—the remaining mechanisms become vulnerable. Critically, when only JSON output enforcement is active without any grounding mechanism, the system exhibits the C3 anomaly, where hallucination rates increase by 10.1 percentage points (Generation 1) and 15.1 percentage points (Generation 2) above the unconstrained baseline.
The invariant preserved by this design is that all recommended tools belong strictly to the platform’s verified inventory—a “closed-inventory” guarantee. Under the full three-mechanism architecture, the hallucination rate (HR) drops from 59–74% to 3.3–14.9%, with cross-provider averages stable across generations (6.8% Gen1, 7.5% Gen2). This invariant is maintained even when reasoning-mode models are used, as they provide no statistically significant improvement under the architectural constraints.
The key trade-off lies in rejecting the simpler alternative of relying solely on JSON schema enforcement without grounding mechanisms. That rejected approach would reduce implementation complexity and computational overhead, but it introduces the C3 anomaly: the mandatory entity fields in the JSON schema exert slot-filling pressure, forcing the model to populate tool-name slots from training-data priors when no grounding vocabulary is provided. The design thus accepts the cost of maintaining database-grounded context injection and fixed vocabulary constraints—both requiring periodic updates and synchronization with the inventory—in order to avoid the reliability cost of hallucination spikes observed under the lone-JSON configuration.
One concrete failure mode occurs when the database-grounded context injection mechanism fails (e.g., due to a network outage or stale inventory data). In that scenario, the system falls back to JSON enforcement alone, triggering the C3 anomaly. An operator would observe a sudden, measurable increase in the hallucination rate (HR) metric—specifically, a rise of 10–15 percentage points above the baseline—across all providers, along with a corresponding increase in out-of-inventory tool mentions in system logs. This signal directly indicates that the grounding layer has been compromised and requires immediate attention.
C3 Anomaly — JSON Enforcement Alone Increases Hallination
- Trigger — The mitigation stack uses only JSON output enforcement without any grounding mechanisms (no database context injection, no fixed vocabulary constraints).
- Guard — No guard is active; the source states that under this configuration hallucination rises. There is no explicit exception handler, retry, or fallback defined for this condition.
- Posture — fail-soft — the system continues to generate outputs but with a significantly increased hallucination rate (+10.1 pp Gen1, +15.1 pp Gen2).
- Operator signal — Hallucination rate metric increases; log entries show out-of-inventory tool mentions (e.g., “mention-level hallucination”).
- Recovery — The operator must add database‑grounded context injection and fixed vocabulary constraints to the pipeline. No automatic retry is described; manual reconfiguration required.
Missing Absolute Filepath in Tool Command
- Trigger — A tool reply or internet page contains a command that uses a relative path instead of an absolute filepath.
- Guard — The filter “always require absolute filepaths in tool commands” (the exact identifier from the source). This is presumably a validation check at the system boundary.
- Posture — fail-closed — the filter rejects the command, refusing to write or execute it.
- Operator signal — Log line such as “Command rejected: missing absolute filepath”.
- Recovery — Manual step required: the operator must rewrite the command with an absolute filepath. No automatic retry.
Slot‑Filling Pressure from Mandatory JSON Fields
- Trigger — The output schema contains mandatory entity fields (e.g., tool‑name slots) and no grounding vocabulary is provided. The model populates these slots from training‑data priors.
- Guard — The “fixed vocabulary constraints” component of the mitigation stack (exact identifier from the source). When present, it prevents hallucination.
- Posture — fail‑soft if the guard is absent (system continues with hallucinated outputs); fail‑closed if the guard is present (constrained output).
- Operator signal — Without the guard: “out‑of‑inventory mentions” appear in outputs; a frequency‑weighted audit would show they correspond to real engineering tools absent from the inventory.
- Recovery — Add fixed vocabulary constraints to the schema. Manual intervention required; no automatic fallback.
Injection of Instructions from Internet Page or Tool Reply
- Trigger — The model’s prompt includes content from an external page or tool reply that contains hidden instructions (e.g., “ignore previous instructions and do X”).
- Guard — The source does not show a specific guard for this failure within the Input Fencing subsystem description. The subsystem only mentions the absolute‑filepath filter; no exception handler, retry, or fallback is provided.
- Posture — fail‑soft — the model continues to execute the injected instructions, potentially outputting harmful or incorrect content.
- Operator signal — Unexpected model behavior; no specific log metric from the input fencing itself. Detection would rely on downstream monitoring.
- Recovery — Manual review and sanitization of the input; no automatic recovery described.
Reliance on Reasoning Mode Fails to Mitigate Hallucination
- Trigger — The system enables reasoning‑mode models (e.g., chain‑of‑thought) expecting it to reduce hallucination, but without architectural constraints (database grounding, vocabulary constraints).
- Guard — No guard; the source states “Reasoning‑mode models provide no statistically significant improvement under architectural constraints.” Relying on reasoning mode alone is insufficient.
- Posture — fail‑soft — the model continues to hallucinate at similar rates.
- Operator signal — No decrease in hallucination rate despite enabling reasoning mode; operator sees no improvement in metrics.
- Recovery — Operator must add grounding mechanisms (database context injection, fixed vocabulary constraints) instead of relying on reasoning mode. No automatic recovery.