A failure mode where an agent is steered away from its approved objective and begins pursuing a different one, often through manipulated inputs or chained context. For autonomous or semi-autonomous systems, the risk is not only misuse of a tool but the redefinition of the mission itself.
Expanded Definition
Goal hijack describes a situation where an AI agent, workflow agent, or other NHI is nudged away from its approved objective and begins optimising for a different one. In practice, this usually happens through prompt injection, contaminated retrieved context, manipulated tool output, or a chain of instructions that quietly overrides the original mission. The core issue is not simple error, but objective drift: the system still appears to be “following instructions,” yet the instructions it is following are no longer the ones governance approved.
Definitions vary across vendors because some teams treat goal hijack as a subset of prompt injection, while others use it more broadly to include execution-layer manipulation and corrupted agent memory. In NHI governance, the distinction matters because the defensive response is different from ordinary access control. A secure NIST Cybersecurity Framework 2.0 approach must account for instruction provenance, tool authorization, and state integrity, not just identity authentication.
The most common misapplication is assuming the agent has been “compromised” only when credentials are stolen, which occurs when teams overlook instruction-level manipulation inside trusted context flows.
Examples and Use Cases
Implementing goal-hijack defenses rigorously often introduces extra verification steps and tighter context controls, requiring organisations to weigh agent flexibility against the risk of mission drift.
- An internal support agent is instructed to resolve tickets, but a malicious email in the knowledge base inserts instructions that redirect it toward data exfiltration.
- A procurement agent uses retrieved policy text from a poisoned document store and starts prioritising a vendor relationship objective that conflicts with approved buying rules.
- An incident-response assistant receives chained tool output that causes it to ignore containment steps and continue exploring adjacent systems.
- A finance workflow agent inherits stale memory from a prior task and carries forward an outdated approval goal into a new transaction cycle.
- NHIMG’s Ultimate Guide to NHIs is useful for mapping the identity and lifecycle controls that reduce the blast radius when an agent’s objective is manipulated, while NIST Cybersecurity Framework 2.0 helps anchor the governance response.
Why It Matters in NHI Security
Goal hijack is especially dangerous in NHI environments because the system may retain valid credentials while acting on an invalid mission. That makes detection harder than a straightforward account takeover: logs may show authenticated activity, approved tools, and normal-looking API calls, even though the agent’s intent has been redirected. This is why NHI security must cover secrets, permissions, context boundaries, and execution policy together. NHIMG reports that 71% of NHIs are not rotated within recommended time frames, and long-lived credentials make a hijacked objective more dangerous because the agent may keep operating long after the original trust assumption has failed.
For governance teams, the practical risk is cascading misuse: a hijacked agent can approve, relay, or transform data at machine speed before a human notices the behaviour change. This is why controls around instruction filtering, provenance checks, least privilege, and constrained tool use are increasingly central to agentic AI governance. Organisations typically encounter the impact only after an unexpected transaction, data leak, or unsafe automation event, at which point goal hijack becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Addresses prompt injection and agent objective manipulation as core agentic AI risks. | |
| OWASP Non-Human Identity Top 10 | NHI-05 | Goal hijack often exploits insecure context and authorization boundaries around NHIs. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access limits damage when an agent's objective is redirected. |
Restrict agent permissions and review entitlements so redirected behavior cannot reach sensitive assets.
