What is a prompt injection attack?

By Expel team

Last updated: July 7, 2026

A prompt injection attack is a technique where an attacker supplies malicious instructions to an AI system—either directly through an interface or hidden in content the AI processes—causing the AI to execute the attacker’s commands instead of its intended instructions. As AI systems gain access to sensitive data and the ability to take actions on behalf of users, prompt injection has become a critical attack vector that security teams need to understand—and defend against.

Google’s Threat Intelligence team scanned billions of web pages and found a 32% increase in malicious prompt injection attempts between November 2025 and February 2026. (Source: Google Security Blog, April 2026)

Key takeaways

  • Prompt injection is a recognized vulnerability class—not theoretical. OWASP lists it as the number one LLM application risk.
  • Direct injection happens through the AI interface; indirect injection is hidden in content the AI retrieves—emails, documents, web pages.
  • The more an AI agent can do, the higher the prompt injection risk. Capability and attack surface grow together.
  • LLM jailbreaking targets model safety guardrails. Prompt injection targets deployed applications and the actions they take.
  • Defenses require architectural decisions—privilege separation, approval gates, output filtering—not just model updates.

 

Direct vs. indirect prompt injection

A direct prompt injection is the simpler form: an attacker inputs malicious instructions directly into an AI interface, overriding the system’s intended behavior. Think of it as a user telling an AI chatbot “ignore all previous instructions” and having the model comply.

Indirect prompt injection is more dangerous and increasingly relevant as AI agents proliferate. The attacker doesn’t interact with the AI directly. Instead, they embed malicious instructions in external content—an email, a document, a web page—that an AI agent retrieves and processes in the course of doing its job. The AI encounters those instructions, treats them as legitimate, and executes them. The user may never know it happened.

Indirect prompt injection matters most when AI agents have real capabilities: access to email, the ability to search the web, file system access, or the ability to make API calls. The more an AI agent can do, the more damage a successful indirect injection can cause.

 

Why prompt injection matters for security teams

Traditional injection attacks—SQL injection, command injection—exploit the boundary between data and instructions in software systems. Prompt injection exploits the same boundary in AI systems: data the AI is supposed to process becomes instructions the AI executes.

Direct injection is a real risk even in basic AI interfaces. An attacker who can manipulate what an AI says or does—bypassing its system instructions, extracting confidential context, or producing outputs users trust as legitimate—has already compromised something meaningful, regardless of what else the AI can act on.

The risk compounds as capability increases. An agentic AI agent that can read email, query internal systems, browse the web, or take actions on behalf of users has dramatically more exposure—because a successful injection can reach everything the agent can reach. Agentic AI deployments—where AI systems execute multi-step workflows with meaningful system access—represent the highest-risk surface of all.

Security teams need to treat AI systems with action capabilities the same way they treat any privileged system: model the attack surface, identify trust boundaries, implement controls, and monitor for anomalous behavior.

 

How prompt injection differs from traditional injection attacks

SQL injection and command injection exploit parsers: they work because applications don’t properly distinguish between data and code when processing structured input. The fix involves input sanitization, parameterized queries, and strict parsing rules.

Prompt injection is structurally different. Language models are designed to process natural language instructions—that’s the feature, not a bug. There’s no clean parsing boundary to enforce. An attacker exploiting SQL injection is subverting a technical parsing failure; an attacker exploiting prompt injection is using the model’s core capability against it.

This makes prompt injection harder to eliminate through traditional patching. Defenses require architectural controls—privilege separation, output filtering, human oversight—not just input sanitization.

 

Real-world examples of prompt injection

iagram showing two prompt injection attack paths: direct injection through an AI interface and indirect injection through external content an AI agent retrieves and processes.

 

The clearest real-world examples involve AI assistants integrated with email and productivity tools. An attacker sends a target an email with instructions hidden in the body—written for the AI assistant to read, not the human recipient. When the victim’s AI assistant summarizes or acts on the email, it encounters the injected instructions and executes them: forwarding sensitive emails, responding with attacker-controlled content, or exfiltrating data.

Similar attacks have been demonstrated against web-browsing AI agents: malicious instructions embedded in a web page redirect the agent’s behavior when it retrieves that page as part of a research or summarization task.

As organizations deploy agentic AI for internal workflows—security investigations, code review, document processing—each new deployment with system access becomes a potential indirect prompt injection surface.

 

Prompt injection vs. LLM jailbreaking

These terms get conflated but describe different attack types with different threat models.

LLM jailbreaking targets an AI model’s safety guardrails—it’s an attempt to get a model to produce content or behavior it’s designed to refuse. The target is what the model will say or generate, typically to extract harmful content or bypass policy restrictions.

Prompt injection targets deployed AI applications and the actions they can take. The goal is to redirect the AI’s behavior in ways that serve the attacker’s objectives, by manipulating what the AI does in a real application with real system access.

From a security standpoint, prompt injection is the higher operational concern. LLM jailbreaking is primarily a model governance issue. Prompt injection is a vulnerability in deployed systems—one that can lead to data exfiltration, unauthorized actions, and lateral movement within AI-integrated workflows.

 

How to defend against prompt injection

No single control eliminates prompt injection risk, but layered defenses significantly reduce it.

Privilege separation: Don’t give AI agents more access than their specific function requires. An AI that summarizes documents doesn’t need email send permissions. An AI that answers customer questions doesn’t need database write access. Least-privilege architecture limits what prompt injection can achieve even when it succeeds.

Input validation and content filtering: Validate and sanitize inputs before they reach the AI system. Flag or strip content matching patterns associated with instruction injection. This is imperfect—natural language makes hard rules difficult—but it reduces the attack surface.

Output filtering: Review AI outputs before they execute as actions. An AI that proposes actions a human must approve before execution breaks the direct path from injected prompt to harmful action.

Human approval gates: For high-impact AI actions—sending external communications, modifying files, accessing sensitive systems—require human authorization. Human approval gates are the most reliable defense against agentic prompt injection in high-stakes contexts.

Monitoring and anomaly detection: Monitor AI system inputs and outputs for patterns that suggest injection attempts. Behavioral anomalies—an AI agent making unusual API calls, accessing data outside its normal scope, or producing outputs inconsistent with its task—are detectable signals.

Red-team testing: Treat AI deployments like any other privileged system: actively test for prompt injection vulnerabilities before deployment and on an ongoing basis. 

 

Expel’s take

Prompt injection isn’t a theoretical concern at Expel—it’s a design constraint we work through as we build and deploy agentic AI capabilities in our own SOC operations. Any AI agent with system access and the ability to process external content is a potential indirect prompt injection target. Our approach starts with the same principle we apply everywhere else: don’t grant AI authority it hasn’t earned, and keep humans in the loop for actions that matter. That’s exactly what our Trust vs. Impact Matrix captures—calibrating how much autonomous authority AI gets based on demonstrated reliability and the blast radius of getting it wrong. 

 

Frequently asked questions

What is the difference between direct and indirect prompt injection? 

Direct prompt injection occurs when an attacker directly inputs malicious instructions into an AI system (e.g., via a chat interface). Indirect prompt injection is more dangerous—the attacker embeds malicious instructions in external content (emails, documents, web pages) that an AI agent retrieves and processes, causing it to take unintended actions.

Is prompt injection a security vulnerability? 

Yes. Prompt injection is a recognized security vulnerability in AI systems, listed in the OWASP LLM Top 10 and covered in the NIST AI Risk Management Framework. It’s particularly critical for agentic AI systems with access to sensitive data or the ability to take actions on behalf of users.

How does prompt injection differ from LLM jailbreaking? 

LLM jailbreaking attempts to bypass an AI model’s safety guardrails through clever prompting (getting the model to ignore its instructions). Prompt injection is an attack on AI systems deployed in real applications, using malicious content in the environment to redirect the AI’s behavior—often without the user’s knowledge.

How can organizations defend against prompt injection attacks? 

Defenses include input validation and sanitization, output filtering before AI actions execute, privilege separation (limiting what AI agents can access and do), human approval gates for high-impact actions, monitoring AI system outputs for anomalous behavior, and regular red-team testing of AI deployments.

What cybersecurity frameworks address prompt injection? 

The OWASP LLM Top 10 identifies prompt injection as the number one risk for LLM applications. NIST AI Risk Management Framework (AI RMF) addresses AI-specific risks including adversarial manipulation. MITRE ATLAS catalogs adversary tactics and techniques against AI systems.