A failure mode where malicious or misleading content enters an agent’s decision path and affects what it does next. In MCP environments, the injected context can alter tool selection, broaden data exposure, or trigger unsafe follow-on actions across multiple systems.
Expanded Definition
Context injection is a prompt and execution integrity failure, not just a content problem. In agentic systems, the agent may treat untrusted text from emails, tickets, documents, web pages, logs, or retrieved knowledge as if it were authoritative context, then carry that instruction into tool use and downstream decisions. The risk becomes sharper in MCP environments because the model can move from reading content to invoking tools, which means injected instructions can reshape tool selection, expand data access, or redirect the workflow itself. This is why context injection is increasingly discussed alongside NIST Cybersecurity Framework 2.0 concepts such as access control and response readiness, even though no single standard governs this term yet. NHI Management Group treats the issue as a governance and containment problem: the question is not whether the content is persuasive, but whether it is allowed to influence agent behavior at all. The most common misapplication is assuming the model will reliably distinguish instructions from data, which occurs when retrieved or user-supplied content is passed into an agent without isolation, provenance checks, or tool-policy enforcement.
Examples and Use Cases
Implementing defenses against context injection rigorously often introduces friction, requiring organisations to balance agent autonomy against tighter filtering, provenance controls, and tool gating.
- A support agent ingests a customer email that contains hidden instructions to reveal account data, then follows the malicious instruction because the message was merged into the working context.
- A RAG-enabled internal assistant retrieves a poisoned knowledge-base article and uses it to justify an unsafe tool action, showing how retrieval can become an attack path if provenance is weak.
- An MCP-connected agent reads a ticket with embedded directives that alter tool selection, leading it to query systems it would not normally access.
- A workflow agent processes log output or API responses as if they were guidance, causing follow-on actions to be based on attacker-controlled text rather than verified policy.
- A procurement agent summarises a document that includes prompt-like instructions, then broadens its data pull across systems because the injected content influenced its next step.
For a broader NHI governance lens, the Ultimate Guide to NHIs is useful because context injection often lands in environments already struggling with weak visibility, broad privileges, and poor secret hygiene. Standards guidance is still evolving, but NIST Cybersecurity Framework 2.0 remains a practical reference for handling trust boundaries and operational response.
Why It Matters in NHI Security
Context injection matters because it turns ordinary content channels into control channels. In NHI systems, the impact is rarely limited to a single bad answer. An injected instruction can cause the agent to select the wrong tool, expose secrets, write to the wrong system, or chain actions across services that were never intended to be coupled. That is especially dangerous where service accounts and API keys already have excessive privilege, a pattern NHI Management Group has documented at scale: 97% of NHIs carry excessive privileges. When context injection meets over-permissioned identities, the result is not just misinformation, but operational compromise. The issue also intersects with governance because context sources, retrieval pipelines, and tool permissions often sit in different control domains, making ownership unclear until after an incident. In practice, this term becomes urgent when an agent has already acted on poisoned content and responders must determine which input altered the execution path, which tool calls were legitimate, and which identities need to be revoked. Organisations typically encounter the consequence only after an agent has already queried the wrong system or exposed data, at which point context injection becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic AI guidance addresses prompt and context injection as core agent threats. | |
| OWASP Non-Human Identity Top 10 | NHI-04 | Context injection becomes high impact when NHIs can act with excessive privileges. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access limits the blast radius of agent actions influenced by injected context. |
Isolate untrusted content from agent instructions and gate every tool action behind policy checks.
