Cross prompt injection is an attack where hostile instructions are hidden inside content an AI system is asked to process, such as an email, document, or chat message. The model treats attacker text as input and may follow it during summarisation, retrieval, or response generation, even though the user never intended that content to become an instruction.
Expanded Definition
Cross prompt injection is a prompt-instruction collision problem: untrusted content is ingested by an AI agent, summarizer, or retrieval pipeline and is later treated as if it were operational guidance. In NHI security, the risk is not limited to text generation. It can influence tool calls, data exfiltration, permission use, and downstream actions when the model has execution authority.
Definitions vary across vendors, but the core issue is consistent: attacker-controlled content crosses a trust boundary and survives long enough to affect reasoning or action. That makes it different from simple jailbreaks, because the malicious instruction is embedded in ordinary content such as a ticket, PDF, chat thread, or knowledge base record. The OWASP Agentic AI Top 10 treats this as a major agentic risk because the model may preserve, reinterpret, or execute the hidden instruction during later steps.
The most common misapplication is assuming content filters alone prevent abuse, which occurs when organisations scan for obvious malicious phrases but fail to separate untrusted data from instructions inside multi-step agent workflows.
Examples and Use Cases
Implementing prompt-injection controls rigorously often introduces friction in retrieval and summarisation flows, requiring organisations to weigh safer processing against reduced automation speed and more review overhead.
- A customer support agent summarizes incoming email, but a hidden instruction inside the message tells the model to ignore prior policy and reveal internal case notes.
- An enterprise knowledge assistant retrieves a document that contains malicious metadata or embedded text designed to redirect the model toward another data source.
- An AI coding assistant reads a repository issue and follows attacker-written instructions to modify build steps or expose environment secrets.
- An agent with tool access ingests a chat transcript and then uses its calendar, ticketing, or file-access tools in a way the user never approved.
- Security teams reviewing the attack class in the OWASP Agentic Applications Top 10 often map the issue to retrieval pipelines, where untrusted content is repeatedly reintroduced into context.
In practice, organisations also compare this with the broader OWASP framing in the OWASP Agentic AI Top 10 when deciding how to classify agent exposure paths and content sanitation requirements.
Why It Matters in NHI Security
Cross prompt injection matters because it can turn ordinary business content into a control channel for attacker intent. When an AI system has access to NHIs, APIs, files, or approval workflows, the hidden instruction can become a path to secrets exposure, unauthorized transactions, or privilege misuse. The security failure is not only model quality; it is also weak separation between untrusted inputs and authoritative action paths.
NHI Management Group data shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why prompt-injection paths deserve the same governance attention as credential theft. The issue becomes especially dangerous when agents inherit standing access or can chain actions across systems without step-up verification. That is why NHI controls, tool permissions, and content trust boundaries should be designed together rather than reviewed separately. The same risk model also aligns with the OWASP view of agentic exposure in the OWASP Agentic Applications Top 10.
Organisations typically encounter the consequence only after an assistant summarizes a poisoned document, calls the wrong tool, or leaks data, at which point cross prompt injection becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Prompt Injection | Directly covers malicious instructions embedded in agent inputs. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Secret exposure paths and unsafe handling of agent inputs intersect with NHI secret management. |
| NIST CSF 2.0 | PR.DS | Protects data integrity and limits misuse of content processed by automated systems. |
Restrict secret access in agent workflows and isolate untrusted content from credential-bearing actions.
Related resources from NHI Mgmt Group
- What is the difference between prompt injection risk and identity abuse in agents?
- What is the difference between prompt injection and credential theft for agents
- What is the difference between prompt injection and tool poisoning?
- How should security teams reduce indirect prompt injection risk in AI systems?
