Saved in:
Bibliographic Details
Main Authors: Garby, Zac, Gordon, Andrew D., Sands, David
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2602.20064
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918351139241984
author Garby, Zac
Gordon, Andrew D.
Sands, David
author_facet Garby, Zac
Gordon, Andrew D.
Sands, David
contents A conversation with a large language model (LLM) is a sequence of prompts and responses, with each response generated from the preceding conversation. AI agents build such conversations automatically: given an initial human prompt, a planner loop interleaves LLM calls with tool invocations and code execution. This tight coupling creates a new and poorly understood attack surface. A malicious prompt injected into a conversation can compromise later reasoning, trigger dangerous tool calls, or distort final outputs. Despite the centrality of such systems, we currently lack a principled semantic foundation for reasoning about their behaviour and safety. We address this gap by introducing an untyped call-by-value lambda calculus enriched with dynamic information-flow control and a small number of primitives for constructing prompt-response conversations. Our language includes a primitive that invokes an LLM: it serializes a value, sends it to the model as a prompt, and parses the response as a new term. This calculus faithfully represents planner loops and their vulnerabilities, including the mechanisms by which prompt injection alters subsequent computation. The semantics explicitly captures conversations, and so supports reasoning about defenses such as quarantined sub-conversations, isolation of generated code, and information-flow restrictions on what may influence an LLM call. A termination-insensitive noninterference theorem establishes integrity and confidentiality guarantees, demonstrating that a formal calculus can provide rigorous foundations for safe agentic programming.
format Preprint
id arxiv_https___arxiv_org_abs_2602_20064
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle The LLMbda Calculus: AI Agents, Conversations, and Information Flow
Garby, Zac
Gordon, Andrew D.
Sands, David
Programming Languages
Artificial Intelligence
Cryptography and Security
D.3.1; I.2.5
A conversation with a large language model (LLM) is a sequence of prompts and responses, with each response generated from the preceding conversation. AI agents build such conversations automatically: given an initial human prompt, a planner loop interleaves LLM calls with tool invocations and code execution. This tight coupling creates a new and poorly understood attack surface. A malicious prompt injected into a conversation can compromise later reasoning, trigger dangerous tool calls, or distort final outputs. Despite the centrality of such systems, we currently lack a principled semantic foundation for reasoning about their behaviour and safety. We address this gap by introducing an untyped call-by-value lambda calculus enriched with dynamic information-flow control and a small number of primitives for constructing prompt-response conversations. Our language includes a primitive that invokes an LLM: it serializes a value, sends it to the model as a prompt, and parses the response as a new term. This calculus faithfully represents planner loops and their vulnerabilities, including the mechanisms by which prompt injection alters subsequent computation. The semantics explicitly captures conversations, and so supports reasoning about defenses such as quarantined sub-conversations, isolation of generated code, and information-flow restrictions on what may influence an LLM call. A termination-insensitive noninterference theorem establishes integrity and confidentiality guarantees, demonstrating that a formal calculus can provide rigorous foundations for safe agentic programming.
title The LLMbda Calculus: AI Agents, Conversations, and Information Flow
topic Programming Languages
Artificial Intelligence
Cryptography and Security
D.3.1; I.2.5
url https://arxiv.org/abs/2602.20064