A failure mode where instructions that were meant to guide an AI system can be abused to override or redirect behaviour during execution. In agentic workflows, the risk becomes operational when the injected content can influence tool choice, command use, or access to sensitive data.
Expanded Definition
Prompt injection by design describes a condition where the system’s own instruction path is exposed to hostile or untrusted content that can be interpreted as higher priority than intended. In agentic systems, the issue is not limited to chat responses. It can redirect tool calls, alter workflow state, or influence what data is retrieved and disclosed. Definitions vary across vendors, but the common thread is instruction hierarchy failure: content that should be treated as input is processed as control.
This is closely discussed in the OWASP Agentic AI Top 10, where instruction manipulation is treated as a core risk for systems that can act, not just answer. In NHI environments, the impact is sharper because the model may already be connected to tokens, service accounts, or delegated workflows. That means a successful injection can become an access decision, not merely a content issue. The most common misapplication is assuming a prompt is “just text,” which occurs when untrusted data is allowed into the same context as privileged instructions.
Examples and Use Cases
Implementing prompt handling rigorously often introduces context-separation overhead, requiring organisations to weigh usability and flexibility against stronger trust boundaries and tighter orchestration rules.
- An internal support agent ingests a ticket containing hidden instructions that cause it to reveal environment details or change the queue it queries.
- A code assistant summarises repository content and is steered by malicious comments to suggest unsafe changes or expose secrets embedded in files.
- An AI workflow reads a webpage, document, or email and follows embedded instructions that redirect tool selection, causing unintended API actions.
- A procurement agent is prompted by adversarial text to prioritise an unapproved vendor source, bypassing review logic and policy checks.
- A retrieval-augmented assistant is fed poisoned content that manipulates its answer path, especially when untrusted content is not isolated from system instructions.
These scenarios are treated as operationally important in NHIMG guidance on OWASP Agentic Applications Top 10, and they align with the broader risk framing in the OWASP Agentic AI Top 10. They are most likely when developers let external content share the same prompt window as privileged instructions, tool schemas, or execution policies.
Why It Matters in NHI Security
Prompt injection by design matters because it turns ordinary content processing into a control-plane exposure for NHI-enabled systems. When an agent can access secrets, invoke APIs, or impersonate a service workflow, a successful injection can move from “bad output” to unauthorized action. That is especially dangerous where privilege is already excessive: NHIMG reports that 97% of NHIs carry excessive privileges, which expands the blast radius of any prompt-driven misuse.
In practice, the security failure is rarely just the model itself. It is the combination of hidden instructions, weak boundary enforcement, and overbroad NHI permissions. Controls such as instruction segregation, tool allowlisting, output validation, and strict privilege scoping become mandatory rather than optional. This is why the issue belongs in governance reviews alongside secrets management and access review programs, not only in application testing. Organisations typically encounter the consequence only after an agent has already disclosed data, executed an unsafe action, or queried the wrong system, at which point prompt injection by design becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A3 | Covers prompt injection and instruction hierarchy abuse in agentic systems. |
| OWASP Non-Human Identity Top 10 | NHI-07 | Addresses NHI misuse when agents act on manipulated prompts and workflows. |
| NIST AI RMF | Risk management requires identifying prompt-based manipulation as an AI system hazard. |
Separate trusted instructions from untrusted content and constrain tool execution paths.
Related resources from NHI Mgmt Group
- What is the difference between prompt injection risk and identity abuse in agents?
- What is the difference between prompt injection and credential theft for agents
- What is the difference between prompt injection and tool poisoning?
- How should security teams reduce indirect prompt injection risk in AI systems?