A browser-side attack pattern where an extension or script reads, changes, or reuses a GenAI prompt inside the user’s session. The model itself may be healthy, but the interaction channel is compromised, allowing silent data extraction or instruction injection.
Expanded Definition
“Man in the prompt” describes an interaction-layer compromise in which a browser extension, injected script, or malicious local component manipulates the prompt before it reaches the GenAI service, or after it is returned to the user. The model may remain trustworthy, but the session is not.
In NHI security, this matters because prompts often contain secrets, operational instructions, and context that can be reused to impersonate an operator, trigger unsafe tool calls, or exfiltrate sensitive data. The pattern overlaps with browser injection and session hijacking, but it is narrower: the attack focus is the prompt channel itself, not the underlying model. Usage in the industry is still evolving, and definitions vary across vendors, so teams should treat the term as a practical shorthand rather than a formal control category. For broader identity governance context, see the NIST Cybersecurity Framework 2.0 and NHIMG’s Ultimate Guide to NHIs.
The most common misapplication is treating prompt compromise as a model-safety problem, which occurs when defenders ignore browser-side execution paths and session context.
Examples and Use Cases
Implementing prompt protection rigorously often introduces friction, requiring organisations to weigh user convenience and browser extensibility against stronger session integrity and data-loss controls.
- A browser extension quietly appends hidden instructions to a help-desk prompt, causing the AI agent to expose ticket metadata or internal steps.
- A local script copies a prompt containing API keys from a developer’s workflow and reuses it in another session, creating silent secret exposure.
- An injected webpage component rewrites a prompt before submission, steering an agentic tool call toward a different recipient or action.
- A customer-support copilot receives a prompt containing account data, and a malicious extension exfiltrates the text before the model response is even generated.
- A workstation compromise alters prompts used for code review, causing the assistant to recommend unsafe changes or reveal proprietary logic.
These scenarios align with the broader NHI risk patterns described in NHIMG’s Ultimate Guide to NHIs, where secret leakage and over-privileged workflows remain common. For implementation context, the NIST Cybersecurity Framework 2.0 is useful for mapping browser and session protections into broader governance.
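The first two scenarios above (hidden instructions appended in the browser, and secrets riding inside a prompt) can be gated client-side before anything leaves the session. The following JavaScript is an added example, not code from the original page or from NHIMG: it assumes the host page records what the user actually typed through its own input handler (`trustedDraft`) and hands that, plus the string about to be sent, to the gate; the secret patterns and sample prompts are constructed for illustration.

```javascript
// Added example (not from the original page): a browser-side prompt gate.
// Assumption: the page's own input handler captured trustedDraft as the user
// typed it; submittedPrompt is whatever is about to go to the GenAI service.
// Any divergence means something in the session rewrote the prompt.

// Constructed, non-exhaustive patterns for secret-looking material.
const SECRET_PATTERNS = [
  { name: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "bearer-token", re: /\bBearer\s+[A-Za-z0-9._-]{20,}\b/g },
  { name: "private-key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g },
];

// Compare the trusted draft with what is about to leave the browser and
// classify the tampering so the alert is actionable.
function checkPromptIntegrity(trustedDraft, submittedPrompt) {
  if (trustedDraft === submittedPrompt) {
    return { ok: true, reason: "unchanged", injected: null };
  }
  if (submittedPrompt.startsWith(trustedDraft)) {
    return { ok: false, reason: "appended", injected: submittedPrompt.slice(trustedDraft.length) };
  }
  if (submittedPrompt.endsWith(trustedDraft)) {
    const cut = submittedPrompt.length - trustedDraft.length;
    return { ok: false, reason: "prepended", injected: submittedPrompt.slice(0, cut) };
  }
  return { ok: false, reason: "rewritten", injected: null };
}

// Report every secret-looking token in the outgoing prompt with its offset.
function scanForSecrets(prompt) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of prompt.matchAll(re)) findings.push({ pattern: name, at: m.index });
  }
  return findings;
}

// Gate: the caller only sends when allow is true; otherwise it logs the
// integrity verdict and the secret findings for incident response.
function gatePrompt(trustedDraft, submittedPrompt) {
  const integrity = checkPromptIntegrity(trustedDraft, submittedPrompt);
  const secrets = scanForSecrets(submittedPrompt);
  return { allow: integrity.ok && secrets.length === 0, integrity, secrets };
}
```

The gate only catches changes made after the page captured the draft; an extension that rewrites the input field itself before the handler runs needs a separate control such as extension allow-listing on managed devices.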
Why It Matters in NHI Security
Man in the prompt is dangerous because it turns a trusted GenAI interaction into an untrusted control plane. Once prompts can be read or rewritten, defenders lose confidence in the provenance of instructions, the confidentiality of embedded secrets, and the integrity of any downstream tool execution. That is especially serious when prompts are used to generate API calls, create tickets, query internal systems, or approve changes on behalf of a user or agent.
NHIMG data shows the scale of the exposure: 96% of organisations store secrets outside secrets managers in vulnerable locations, and 79% have experienced secrets leaks, with 77% of those incidents causing tangible damage, according to the Ultimate Guide to NHIs. That makes prompt interception more than a privacy issue; it is a governance and incident-response problem tied to credential exposure, privilege misuse, and tool-chain abuse. Organisations typically encounter this consequence only after a prompt leak or unauthorized action is traced back to the browser session, at which point addressing man in the prompt becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Covers prompt injection and tool abuse in agentic workflows. |
| NIST CSF 2.0 | PR.AA-01 | Identity and access assurance supports trusted interaction channels. |
| NIST AI RMF | GOVERN | Requires governance over AI system risks, including input integrity threats. |
Verify session integrity and restrict prompt-bearing workflows to authorized users and devices.
Related resources from NHI Mgmt Group
- What is the 'no prompt means no action' principle in Agentic AI security?
- What is the difference between prompt injection risk and identity abuse in agents?
- What is the difference between prompt-based control and runtime authorization for agents?
- What is the difference between prompt guardrails and identity controls for agents?