I believe you've covered some working solutions in your presentation. They limit LLMs to providing information/summaries and taking tightly curated actions.

There are currently no fully general solutions to data exfiltration, so things like local agents or computer use/interaction will require new solutions.

Others are also researching in this direction; https://security.googleblog.com/2025/06/mitigating-prompt-in... and https://arxiv.org/html/2506.08837v2 for example. CaMeL was a great paper, but complex.

My personal perspective is that the best we can do is build secure frameworks that LLMs can operate within, carefully controlling their inputs and interactions with untrusted third party components. There will not be inherent LLM safety precautions until we are well into superintelligence, and even those may not be applicable across agents with different levels of superintelligence. Deception/prompt injection as offense will always beat defense.