The Future of Voice Security: Encrypted AI Conversation Agent Instructions?

Hi all,

TLDR: AI Conversation agent instructions are the linchpin to our successful HA integrations. A hacker could quickly modify AI instructions to change system functionality without ever writing code…or even know how to code. Should we be considering how these instructions are kept, accessed, modified and/or transmitted?

Good AI conversation instructions are like having GPS turn-by-turn navigation when driving somewhere new. A bad set of instructions, or worse, no instructions are a bit like telling five different people to drive from point A to point B, 50 miles away. Each person is left to potentially interpret the route, timing and location in a completely different way.

The ABSOLUTE KEY to a good AI integration is creating a solid set of AI instructions in your conversation agent. Period. When an agent has not been provided specific instruction, I have been amazed at the depths which AI will dig into the system to accomplish the task set in front of it. The agent will absolutely scour every bit of code and every entity to find a working solution.

Likewise, the agent’s workflow is a bit like water. It follows the path of least resistance. If it does not have a good framework for accomplishing a task, AI integrations are trained to make educated guesses on how to proceed if not given a specific flow chart and error handling instructions. Therein lies the importance of limiting access to entities and scripts the AI agent does not need access to, but that is a different conversation.

It is for this reason that I chose such a lengthy background to state my biggest concern. Again, good AI instructions are key. Those instructions, with little manipulation or awareness from the owner, are and easy target for immense nefarious damage with little effort.

For this reason, is it maybe time that we consider how security is handled for these instructions?

You’re talking about a prompt injection attack. Yes it can be an issue

No you don’t need to ‘worry’ about that specific issue immediately because essentially, the same things that compromise your prompts compromise any other subsystem ha has. They compromise the same way… That’s just good security practices to protest those.

There are other unique ai<>ai vectors of course, but there are techniques such as not letting your Frontline agent also do things like search the web (that’s where prompt inject happens most often btw… Reads something with malicious instruction and pop… )

Yes there are some new vectors to consider no most of the things you need to do are things you should already do.

…And consider if you reeeeeeeally want your Frontline agent that has ‘control this instance with Assist’ turned on to also able to search the web.

(hint: probably not… have it ask another agent specifically setup for search…)

If it helps think about your security scopes from the agents perspective… ‘If I am now a bad guy what can I do?’ and it starts to show you where you have issues. And you’ll realize everything a ai can do is either protected by other controls or mitigated by proper security allowance to the accounts your ai actually uses.

Which brings me back tonwhatbwe should do? Role based access. Everyone who runs as a user in HA can see everything ELSE in HA… That ultimately WILL need to change. But that’s deep core juju that takes a lot of work the community has to believe is important. (I personally do)