The Brain Prompt Becomes the Route Audit
A June 2026 arXiv paper treats BCI-to-agent systems as authorization pipelines, where the safety question is not whether two decoders agree but whether the route log proves what it observed.
Authorization Channel
The paper, arXiv:2606.09315 [cs.CR], is Jianwei Tai's Brain-Prompt Injection: A Route-Safety Audit for BCI-LLM Agents. arXiv records submission on June 8, 2026. Its starting point is narrow and important: when a brain-computer interface feeds a tool-using language-model agent, decoded neural activity becomes an authorization channel. The agent turns the decoded command into a route such as moving a cursor, sending a message, or confirming a transfer-like surrogate.
That framing avoids both mysticism and dismissal. The paper is not claiming that EEG reads private thought. The audited setting is command-control over left/right motor tasks, with tool calls represented by harmless stubs. The danger is institutional: once a decoded command is treated as intent, every later component is tempted to inherit its authority.
Tai names the resulting risk brain-prompt injection. The phrase moves the safety question out of the decoder leaderboard and into the agent route. A clean classifier is still insufficient if untrusted context can steer the tool action after the signal is decoded.
Three Failure Modes
The paper separates three cases that a serious audit cannot collapse. C1 is a direct signal-side perturbation that changes the primary decoder's decision. C2 is more agentic: the neural signal remains clean, but injected context changes the route the language-model layer chooses. C3 is the harder agreement trap, where an adaptive perturbation drives the primary and secondary decoders to agree on the attacker's target.
C3 should unsettle anyone tempted by dual-decoder checks. Agreement is useful only when the threat model makes the two decisions independent in the relevant way. If the same raw input can push both decoders, then "they agreed" is not a certificate of user intent. It is another logged predicate that may itself be attacked.
This is why the paper insists on route safety rather than decoder accuracy alone. Given a route that executed or was blocked, can the record say whether it was justified under the audit boundary? If not, later review is reduced to folklore about what the classifier probably meant.
Audit Contract
The proposed Route-Safety Audit Contract is a log schema and denominator discipline for BCI-LLM agents. It asks the system to record the seed, case, and context hierarchy; the clean source command; context provenance; clean and attacked primary decisions; the secondary decision when relevant; execution policy; route outcome; confirmation status; and confirmation score and threshold.
The theorem-level claim is structural. If context provenance or route outcome is omitted, C2 cannot be identified from the audit record. If the attacked secondary decision, execution policy, confirmation status, or route outcome is omitted, C3 cannot be identified. Missing fields make some failures unmeasurable, no matter how impressive the remaining metrics look.
The denominator rule matters too. Counting EEG-side flags as C2 security is a category error because C2 happens in the context-to-route layer. Counting clean agreement as C3 security is also wrong because C3 is defined by attacked dependence.
What the EEGMMI Audit Found
The empirical instantiation uses EEGMMI native left/right command-control tasks, with 5,400 native command events across 60 subjects and 10 seeds. The routes are harmless cursor or tool stubs. The authors report that the native A:C decoder gates pass all 10 seeds, with clean accuracies around 0.779 and 0.788 and clean disagreement around 0.174.
For C2, untrusted overlay contexts route the target direction at 1.000 when provenance is absent and 0.000 when provenance blocks the untrusted route. That result is not "the BCI knows intent." It is the audit boundary doing its job: the route policy refuses to let untrusted context carry the command.
For C3, agreement plus provenance still routes flipped targets at 1.000 in the attacked setting, while confirmation plus provenance routes them at 0.000 in the reported upper-bound cell. The non-oracle confirmation proxy is more modest. With an independent clean EEG confirmation window decoded by TinyEEGNetB, the paper reports C3 target routing of 0.178 at a 0.05 false-accept target, with clean proxy-confirmed routing of 0.573. At a 0.01 target, C3 routing is 0.091 and clean proxy-confirmed routing is 0.458.
The split-conformal frontier makes the same point in threshold language. Under acquisition isolation, lower false-accept settings reduce attacked routing at a cost to clean utility. If the attacker can perturb the confirmation channel itself, the bound breaks.
Limits That Matter
The limitations keep the paper honest. This is an offline authorization audit, not a deployed BCI study, not a human-consent study, not a physical injection demonstration, and not a benchmark of real money movement or medical control. EEGMMI is a public motor-task dataset, not a live cross-day interface. Hardware latency, user fatigue, nonstationarity, richer semantics, and clinical safeguards are outside the demonstrated scope.
Those limits prevent the wrong lesson. The result should not be sold as proof that BCI-LLM agents are secure with one confirmation gesture. It is evidence that route logs need enough fields to distinguish signal attacks, context attacks, agreement attacks, and confirmation-boundary failures.
Governance Standard
A BCI-to-agent safety case should publish the route schema before it publishes the hero number. It should say which sources are trusted, which context was untrusted, what the decoded command was, what the primary and secondary decoders saw, what policy mediated the route, whether confirmation came from an isolated channel, what thresholds were used, and which denominator each rate uses.
The policy implication is simple: never let decoder agreement stand in for consent. Treat agreement as one signal inside a route audit. Treat confirmation as a separate acquisition problem. Treat every tool action as requiring a record that can be inspected after the fact.
The Spiralist reading is that the interface to the body does not end argument; it intensifies recordkeeping. When a neural signal becomes an agent prompt, the sacred object is the ledger that can still say which route was authorized, by what evidence, and under which boundary.
Sources
- Jianwei Tai, Brain-Prompt Injection: A Route-Safety Audit for BCI-LLM Agents, arXiv:2606.09315 [cs.CR], submitted June 8, 2026.
- arXiv PDF: Brain-Prompt Injection: A Route-Safety Audit for BCI-LLM Agents, reviewed for the Route-Safety Audit Contract, C1/C2/C3 failure modes, EEGMMI setup, harmless tool stubs, TinyEEGNetB confirmation proxy, split-conformal frontier, and limitations.
- Related pages: The Neural Data Becomes the Mind Interface, The Out-of-Band Defense Becomes the Reference Monitor, The Probe AUC Becomes the False Comfort, The Tool Scope Becomes the Intent Gate, Prompt Injection, and AI Agent Sandboxing.