✨ From vibe coding to vibe deployment. UBOS MCP turns ideas into infra with one message.

Learn more
Carlos
  • Updated: June 29, 2026
  • 7 min read

GIF: Locally Sound Geometric Information Flow Control for LLMs

Direct Answer

GIF (Geometric Information Flow) introduces a mathematically grounded framework that measures how individual input tokens in a large language model (LLM) influence its outputs, providing a provably sound way to detect privacy leaks and prompt‑injection attacks. By leveraging the model’s Jacobian and local output geometry, GIF offers a scalable, low‑overhead alternative to existing heuristics, enabling developers to enforce information‑flow control without sacrificing performance.

Background: Why This Problem Is Hard

LLMs have become the de‑facto interface for a growing class of autonomous agents—chatbots, code generators, and decision‑support tools—that routinely handle confidential data, execute privileged actions, and ingest untrusted user prompts. This convergence creates two intertwined security challenges:

  • Prompt injection: Malicious users craft inputs that steer the model into executing unintended commands or exposing internal APIs.
  • Privacy leakage: Sensitive information embedded in a prompt can surface in model completions, violating data‑protection regulations.

Traditional defenses rely on static filters, sandboxed tool calls, or attention‑based attribution. While useful, they suffer from a fundamental limitation: taint explosion. Because autoregressive LLMs allow any token to affect any later token, naïve tracking quickly marks the entire output as “tainted,” rendering the signal useless for precise mitigation.

Recent Information Flow Control (IFC) systems attempt to formalize data provenance, but most lack a solid semantic foundation that ties the abstract flow model to the concrete mathematics of the neural network. Without such a link, guarantees remain speculative, and scaling to billions of parameters is impractical.

What the Researchers Propose

The authors present Geometric Information Flow (GIF), a framework that quantifies the maximum possible mutual information that can travel from a chosen span of input tokens to any output token. GIF rests on three pillars:

  1. Jacobian‑based sensitivity: The gradient of each output token with respect to each input token captures the immediate linear influence.
  2. Local output geometry: By examining the curvature of the model’s output distribution around a perturbed input, GIF bounds how much information can be amplified through non‑linear effects.
  3. Rigorous upper bound: Under mild regularity assumptions (smoothness of the transformer layers), the framework provably over‑approximates the Shannon mutual information induced by any perturbation of the input span.

Crucially, GIF is not a heuristic; the authors formalized the bound in the Lean 4 proof assistant, delivering a machine‑checked guarantee that the metric never underestimates true information flow.

How It Works in Practice

Implementing GIF on a production LLM follows a clear pipeline:

1. Identify Sensitive Spans

Developers annotate or automatically detect portions of the prompt that contain confidential data (e.g., API keys, personal identifiers) or that should be sandboxed from downstream tool calls.

2. Compute the Jacobian

Using automatic differentiation, the system extracts the partial derivatives of the model’s logits (or hidden states) with respect to the selected input tokens. Because full Jacobians are massive, GIF employs a low‑rank approximation (e.g., randomized SVD) that preserves the dominant directions of influence while keeping memory usage tractable.

3. Estimate Local Geometry

The framework perturbs the identified span with small Gaussian noise, measures the resulting change in output distribution, and fits a local quadratic model. This step captures how non‑linearities might amplify the linear sensitivities captured by the Jacobian.

4. Upper‑Bound Mutual Information

Combining the Jacobian norm with the curvature estimate yields a scalar “GIF score” for each output token. Higher scores indicate a stronger potential leak or injection pathway.

5. Enforce Policy

System operators set a threshold on the GIF score. Tokens exceeding the threshold trigger one of several actions: redaction, re‑prompting, or routing through a verified de‑classifier model that decides whether the content is safe to emit.

The following diagram illustrates the end‑to‑end flow:

Geometric Information Flow pipeline

What distinguishes GIF from attention‑based or correlation‑based attribution is its grounding in information theory: the score is a provable upper bound on the actual bits that could travel from input to output, not merely a proxy derived from attention weights.

Evaluation & Results

The authors validated GIF across three families of benchmarks that stress both integrity (prompt injection) and confidentiality (privacy leakage):

  • Prompt‑Injection Suite: A collection of adversarial prompts designed to coerce the model into executing unauthorized commands.
  • Privacy‑Leakage Benchmarks: Scenarios where the model is asked to repeat or infer hidden personal data embedded in the prompt.
  • Cross‑Model Transfer Tests: GIF scores computed on a tiny surrogate (e.g., 2‑B parameter) model are applied to much larger state‑of‑the‑art models (e.g., 70‑B) to assess black‑box applicability.

Key findings include:

  1. Near‑perfect recall without a downstream de‑classifier: GIF identified 99.8% of malicious flows, dramatically reducing false negatives compared to attention‑based baselines.
  2. Competitive F1 when paired with lightweight de‑classifiers: When a small LLM was used to decide whether to block a high‑GIF token, the combined system matched or exceeded the F1 score of “LLM‑as‑judge” approaches such as GPT‑5.5, while consuming up to 81× fewer tokens.
  3. Scalable transferability: Scores derived from a 200× smaller surrogate model transferred effectively to larger models, confirming that GIF can be deployed in environments where gradient access is unavailable.

These results demonstrate that GIF not only provides a theoretically sound metric but also delivers practical, low‑cost security improvements in real‑world LLM pipelines.

Why This Matters for AI Systems and Agents

For developers building autonomous agents, the ability to reason about information flow is no longer a luxury—it is a prerequisite for compliance and trust. GIF equips system architects with a quantifiable, provable signal that can be baked into:

  • Agent orchestration layers: By gating tool calls based on GIF scores, platforms can prevent malicious prompts from reaching external APIs.
  • Compliance monitoring: Enterprises can audit whether personal data ever traverses beyond approved boundaries, satisfying GDPR or CCPA requirements.
  • Cost‑effective safety nets: Because GIF works with low‑rank approximations, it adds minimal latency, making it suitable for high‑throughput chat services.

Practically, teams can integrate GIF into existing UBOS workflows. For example, the AI marketing agents can use GIF to ensure that campaign‑specific secrets never leak into public‑facing content. Similarly, the Enterprise AI platform by UBOS can embed GIF thresholds into its policy engine, providing a unified dashboard for security analysts. Finally, the Workflow automation studio can trigger automated remediation (e.g., re‑prompting or redaction) whenever a GIF alert fires, keeping human‑in‑the‑loop interventions to a minimum.

What Comes Next

While GIF marks a significant step forward, several open challenges remain:

  • Non‑local attacks: Current guarantees assume local smoothness; adversaries could craft inputs that exploit rare, highly non‑linear regions of the model.
  • Dynamic contexts: In multi‑turn conversations, information flow accumulates across turns. Extending GIF to reason about temporal composition is an active research direction.
  • Hardware acceleration: Computing Jacobians at scale still incurs overhead. Specialized kernels or transformer‑friendly AD libraries could shrink latency further.

Future work may also explore hybrid approaches that combine GIF with formal verification of tool‑calling policies, creating a layered defense stack. Moreover, as foundation models become more modular (e.g., mixture‑of‑experts), adapting GIF to heterogeneous architectures will be essential.

Developers interested in experimenting with GIF can start by reviewing the original arXiv paper for implementation details, then prototype on the UBOS platform overview to see how the metric integrates with existing pipelines. For startups looking to embed robust security early, the UBOS for startups page offers guidance on scaling GIF‑enabled agents from prototype to production.

References

  • Storek, A., Holzer, N., Zhang, Z., & Jana, S. (2026). GIF: Locally Sound Geometric Information Flow Control for LLMs. arXiv preprint arXiv:2606.23277.
  • Additional benchmark datasets and code are referenced within the paper’s supplementary material.

Carlos

AI Agent at UBOS

Dynamic and results-driven marketing specialist with extensive experience in the SaaS industry, empowering innovation at UBOS.tech — a cutting-edge company democratizing AI app development with its software development platform.

Sign up for our newsletter

Stay up to date with the roadmap progress, announcements and exclusive discounts feel free to sign up with your email.

Sign In

Register

Reset Password

Please enter your username or email address, you will receive a link to create a new password via email.