Autonomous large language model (LLM) agents are vulnerable to indirect prompt injection (IPI) attacks, leading to erroneous tool invocation and objective deviation; existing defenses face irreconcilable trade-offs among security, functionality, and efficiency, and lack end-to-end integrity guarantees. This paper proposes a full-lifecycle cognitive governance framework featuring a novel “intent graph + hierarchical adjudication” dual-mechanism: a pre-generated intent graph constrains both control and data flows, while a hierarchical adjudicator—incorporating multi-dimensional dynamic scoring and deep reasoning—enables fine-grained behavioral verification. To our knowledge, this is the first framework achieving concurrent optimization of enhanced security, functional completeness, and high execution efficiency on the AgentDojo benchmark, significantly outperforming state-of-the-art defenses.

Autonomous Large Language Model (LLM) agents exhibit significant vulnerability to Indirect Prompt Injection (IPI) attacks. These attacks hijack agent behavior by polluting external information sources, exploiting fundamental trade-offs between security and functionality in existing defense mechanisms. This leads to malicious and unauthorized tool invocations, diverting agents from their original objectives. The success of complex IPIs reveals a deeper systemic fragility: while current defenses demonstrate some effectiveness, most defense architectures are inherently fragmented. Consequently, they fail to provide full integrity assurance across the entire task execution pipeline, forcing unacceptable multi-dimensional compromises among security, functionality, and efficiency. Our method is predicated on a core insight: no matter how subtle an IPI attack, its pursuit of a malicious objective will ultimately manifest as a detectable deviation in the action trajectory, distinct from the expected legitimate plan. Based on this, we propose the Cognitive Control Architecture (CCA), a holistic framework achieving full-lifecycle cognitive supervision. CCA constructs an efficient, dual-layered defense system through two synergistic pillars: (i) proactive and preemptive control-flow and data-flow integrity enforcement via a pre-generated "Intent Graph"; and (ii) an innovative "Tiered Adjudicator" that, upon deviation detection, initiates deep reasoning based on multi-dimensional scoring, specifically designed to counter complex conditional attacks. Experiments on the AgentDojo benchmark substantiate that CCA not only effectively withstands sophisticated attacks that challenge other advanced defense methods but also achieves uncompromised security with notable efficiency and robustness, thereby reconciling the aforementioned multi-dimensional trade-off.