If the action is decided by code based on metadata - then what is really the LLM's task? And if you say that it is only the type of action that is decided by code - then this is maybe a mitigation - but the LLM can still do a lot of harm. And also it is very limiting - using the LLM to decide the action is very useful. This is different from SQL injection - where the action is determined by the code and the injection is really making a code parsing error.
It might still be the way to go - but calling it 'the real solution' is overselling it.