The context window of a large language model has no architectural separation between commands and data. This paper argues that prompt injection vulnerability and context degradation share the same cause, representational uniformity, and proposes a native architecture that addresses both. The security argument is grounded in independent evidence. A joint cross-lab study (Nasr et al., 2025; OpenAI, Anthropic, Google DeepMind) tested 12 published defences against adaptive attacks and bypassed all of them at above 90% success rates. The instruction hierarchy (Wallace et al., 2024, ICLR 2025) was among the defence classes that collapsed under adaptive pressure. If behavioural defences fail under motivated adversaries, the response must be structural. The author's own preliminary findings in the Confidence Curriculum series are presented as corroborating observations consistent with the independent evidence, not as foundational premises. The proposed architecture separates context into three tiers. L1 (command space) is the only tier with directive authority. L2 (active data) contains the model's working knowledge. L3 (reference storage) holds raw content, garbage-collected first under memory pressure. In the security-first mode, all content enters L3 by default. Promotion to L1 requires passing evaluation and summarisation gates. The model manages its own data tiers post-inference using understanding developed during the current turn. Five contributions are presented. First, the unified architecture deriving command/data separation, default-deny triage, tiered retention, and post-inference management from a single security requirement.Second, default-deny triage as a pre-inference security mechanism.Third, architectural requirements for separated processing pathways. Fourth, a verification inversion where unmanaged context structurally penalises fact-checking, making context management a prerequisite for default verification behaviour. Fifth, a reframe of the entanglement problem from weight-level disentanglement to contextual mode-setting and training-time separation, grounded in empirical precedents (DRIP, ASIDE) and the observation that entanglement was never designed but emerged from training (Ouyang et al., 2022; Zverev et al., 2024). If de-instructionalised data pathways are achieved, the two-gate promotion pipeline becomes structurally secure rather than probabilistically secure. This is an architectural proposal and design argument, not an implementation report. Native Memory Paper 2. 43 references, 14 sections.
Ivan "HiP" Phan (Tue,) studied this question.