"LLM systems are probabilistic by nature, meaning the same input can yield different outputs."

That's the sentence the entire industry is still catching up to. You've laid out the attack surface clearly — but the implication is bigger than most readers will catch on first read:

If the system is probabilistic, then any guardrail that operates within the probabilistic layer is also probabilistic. You can't enforce deterministic security with a probabilistic gate. The guardrail and the system it's guarding share the same vulnerability surface.

We've been working on this exact problem. Today we published a technical breakdown of 12 agent attack vectors and the architecture that intercepts all of them — through a deterministic enforcement layer running in a separate process from the agent. Not a better prompt. A structural boundary.

Looking forward to Part 2 — especially Excessive Agency. That's where the "dynamic attack surface" you described becomes a governance problem, not just a security one.