What defenses against prompt injection are actually production-tested?

We're building an agent that processes user-submitted documents. Anyone can craft a document designed to hijack the agent's behavior — exfiltrate context, skip validation steps, change the tool being called. Sandboxed execution helps but doesn't fully solve it. What input sanitization, output validation, and privilege separation patterns have teams deployed at scale and actually prevented real attacks?