
GIF: Locally Sound Geometric Information Flow Control for LLMs

arXiv – CS AI | Adam Storek, Nikolaus Holzer, Zhuo Zhang, Suman Jana
AI Summary

Researchers present Geometric Information Flow (GIF), a new framework for detecting and controlling information leakage in large language models by tracking how input tokens influence outputs through the model's Jacobian and local geometry. GIF achieves superior performance on prompt injection and privacy breach detection benchmarks at significantly lower computational cost than existing approaches, and its detection patterns transfer across different model sizes and families.

Analysis

GIF addresses a critical vulnerability in AI systems: the inability to reliably track how sensitive information propagates through large language models. As LLMs become central to agentic systems handling privileged operations and confidential data, the gap between theoretical security requirements and practical defenses has widened. Existing information flow control methods oversimplify: they treat any possible connection between input and output tokens as a taint, which creates computational overhead that scales poorly.

GIF reframes the problem by grounding information flow in information-theoretic principles rather than heuristics, using the model's Jacobian to compute upper bounds on mutual information between perturbed inputs and outputs. This is a shift from correlation-based attribution methods toward mathematically rigorous tracking. The framework's practical advantage is scalability: it works via automatic differentiation and low-rank approximation, enabling deployment on large models without prohibitive computational costs.

Benchmark results demonstrate near-perfect recall on integrity and confidentiality tasks while achieving 81x lower token consumption than LLM-as-judge approaches. The transferability of detection patterns across models of vastly different scales, including transfers from 200x smaller surrogates to state-of-the-art systems, suggests GIF could enable practical black-box deployment without gradient access.

This development matters for developers building autonomous AI systems, as it provides stronger theoretical foundations and practical tools for preventing both prompt injection attacks and confidential information leakage. The mechanized proof in Lean 4 adds credibility to the mathematical framework, establishing formal correctness under specified assumptions.
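To make the Jacobian idea in the analysis concrete, the following added example (not code from the paper or its authors) scores each input token of a toy attention model with the Gaussian-channel expression 0.5 log det(I + (σ/τ)² JᵀJ) on a finite-difference Jacobian and contrasts that with connectivity-based tainting. The toy model, the names `flow_bound_nats` and `geometric_taint`, the values of σ, τ and the threshold, and the choice of this closed form are assumptions of the example; the paper's exact bound may differ.

```python
import math

Q = (3.0, 0.0)  # constructed query vector of the toy attention head

def model(tokens):
    """Toy attention pool over 2-d token embeddings; every token reaches the output."""
    logits = [Q[0] * x[0] + Q[1] * x[1] for x in tokens]
    top = max(logits)
    w = [math.exp(l - top) for l in logits]
    z = sum(w)
    return [sum(wi / z * math.tanh(x[k]) for wi, x in zip(w, tokens)) for k in range(2)]

def jacobian_block(tokens, i, h=1e-5):
    """Central-difference Jacobian w.r.t. token i; cols[k][r] = dy_r / dx_ik."""
    cols = []
    for k in range(2):
        up = [list(t) for t in tokens]
        dn = [list(t) for t in tokens]
        up[i][k] += h
        dn[i][k] -= h
        cols.append([(a - b) / (2 * h) for a, b in zip(model(up), model(dn))])
    return cols

def flow_bound_nats(tokens, i, sigma=0.1, tau=0.01):
    """0.5 * log det(I + (sigma/tau)^2 J^T J): information a Gaussian perturbation
    of token i (std sigma) carries to the output under noise tau, linearized model."""
    J = jacobian_block(tokens, i)
    c = (sigma / tau) ** 2
    g00 = sum(a * a for a in J[0])
    g11 = sum(a * a for a in J[1])
    g01 = sum(a * b for a, b in zip(J[0], J[1]))
    return 0.5 * math.log((1 + c * g00) * (1 + c * g11) - (c * g01) ** 2)

def connectivity_taint(tokens):
    """Baseline: a token is tainted if the output depends on it at all."""
    return [i for i in range(len(tokens))
            if any(e != 0.0 for col in jacobian_block(tokens, i) for e in col)]

def geometric_taint(tokens, threshold=0.1):
    """Flag only tokens whose bound exceeds a threshold (assumed value, in nats)."""
    return [i for i in range(len(tokens)) if flow_bound_nats(tokens, i) > threshold]

# Constructed input: token 0 dominates the attention, tokens 1 and 2 barely register.
TOKENS = [(1.0, 0.5), (-1.0, 0.3), (-1.5, -0.4)]

if __name__ == "__main__":
    print("connectivity taint:", connectivity_taint(TOKENS))
    print("bounds (nats):", [round(flow_bound_nats(TOKENS, i), 4) for i in range(3)])
    print("geometric taint:", geometric_taint(TOKENS))
```

On this input the connectivity baseline taints all three tokens, while the Jacobian-based score singles out the one token that actually drives the output.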

Key Takeaways
  • GIF provides a mathematically rigorous framework for tracking information flow in LLMs using Jacobian-based analysis, avoiding the taint explosion problems of existing approaches.
  • The method achieves near-perfect recall on prompt injection and privacy leakage detection while using 81x fewer tokens than LLM-as-judge baselines.
  • Detection patterns transfer effectively across model sizes and families, enabling practical deployment even from much smaller surrogate models to larger production systems.
  • GIF satisfies formal geometric soundness with a mechanized Lean 4 proof, establishing theoretical correctness beyond empirical heuristics.
  • The framework operates without requiring downstream declassifiers in some cases, reducing computational overhead while maintaining strong detection performance.