A glitch token is an unusual token that a model or tokenizer handles poorly because it was not represented well in training. In security terms, it can disrupt attention, distort output, or help an attacker smuggle text past simple filters by exploiting odd token behaviour.
Expanded Definition
A glitch token is not just a strange string. In NHI security, it is a token-like input that a model, tokenizer, or downstream filter handles unpredictably because its representation is rare, fragmented, or poorly learned. That can change how the model attends to surrounding text, how a policy layer classifies the content, or whether a basic detector even notices the payload. The term is still evolving across vendors, so usage is best treated as a practical security label rather than a formal standard.
This matters most where agentic systems process prompts, commands, or tool arguments that include embedded credentials, control text, or policy-sensitive instructions. A glitch token can be a normal-looking character sequence that breaks assumptions in the parsing pipeline, making it different from general prompt injection or ordinary obfuscation. For a broader governance lens, map the risk to the NIST Cybersecurity Framework 2.0 functions for identifying, protecting, and detecting anomalous input handling. The most common misapplication is treating glitch tokens as a purely model quality issue, which occurs when security teams ignore how tokenizer edge cases can bypass input controls.
Examples and Use Cases
Implementing defenses against glitch tokens rigorously often introduces extra preprocessing and false-positive tuning, requiring organisations to weigh better detection against higher review overhead and more brittle normalisation rules.
- Prompt sanitisation in an AI support agent where a malformed token sequence causes a moderation layer to miss hidden instructions, similar to patterns seen in the Guide to the Secret Sprawl Challenge.
- API request validation for an AI assistant that accepts pasted text containing credentials or command fragments, where rare token boundaries can bypass naive regex filters.
- Tool-call hardening in an autonomous workflow that ingests user-supplied text before execution, requiring deterministic normalisation and allowlisted parsing.
- Detection engineering for LLM gateways that compare model-visible text against security-policy text, using tokenizer-aware inspection rather than character-only checks.
- Incident analysis of a leaked token or secret in a prompt chain, where the payload was not blocked because its encoding confused the classifier, as explored in the JetBrains GitHub plugin token exposure case.
For implementation context, teams often pair this with tokenizer and model-risk guidance from the NIST Cybersecurity Framework 2.0 and the surrounding secret-handling lessons from Guide to the Secret Sprawl Challenge.
Why It Matters in NHI Security
Glitch tokens matter because they turn a parsing weakness into a control failure. In NHI environments, the payload may be an oauth token, API key, certificate string, or command fragment that should have been blocked before reaching an agent or model tool path. When tokenisation behaves unexpectedly, defenders can lose visibility at the exact point where text becomes action. That is especially dangerous in systems that chain prompts, retrieval, and execution across multiple services.
NHIMG research shows the scale of the exposure problem: 44% of NHI tokens are exposed in the wild, being sent or stored in collaboration tools, ticketing systems, and code commits, according to The 2025 State of NHIs and Secrets in Cybersecurity by Entro Security. Related breach reporting such as the Salesloft OAuth token breach and the Internet Archive breach shows how token exposure becomes operational compromise once controls fail. Organisations typically encounter the consequence only after a hidden prompt path, leaked secret, or maliciously crafted input has already been accepted, at which point glitch-token handling becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Covers agent input handling and prompt injection edge cases around malformed tokens. | |
| NIST CSF 2.0 | PR.DS-1 | Addresses data protection, including secrets and token integrity during processing. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Secret exposure and improper handling are core NHI risks that glitch tokens can exploit. |
Treat malformed token bypasses as secret-exposure paths and harden detection and revocation.