Subscribe to the Non-Human & AI Identity Journal

Prompt Erosion

Prompt erosion is the gradual weakening of earlier instructions as more context is added to an AI session. In coding tools, it means security and compliance rules can be displaced by newer text, making prompt order an unreliable control mechanism for enterprise governance.

Expanded Definition

Prompt erosion describes the way earlier instructions lose influence as a large language model session accumulates more context, especially in coding assistants and agentic workflows. The model is not “forgetting” in a human sense; rather, later text, injected content, and repeated task details can crowd out initial policy, safety, or compliance instructions. In practice, this makes prompt order an unreliable governance control unless it is reinforced by system-level safeguards, policy layers, and structured tool boundaries.

Definitions vary across vendors, but in NHI and Agentic AI operations the important distinction is between a prompt that is merely long and a prompt that has become operationally drifted. That drift can cause an AI agent to follow the newest instruction even when it conflicts with security rules, code standards, or restricted actions. For a standards-based control lens, NIST SP 800-53 Rev 5 Security and Privacy Controls is more relevant than prompt order alone because it emphasizes enforceable governance outcomes, not conversational precedence. The most common misapplication is treating the first prompt block as a durable control when later user text or retrieved context can override it.

Examples and Use Cases

Implementing prompt governance rigorously often introduces friction, requiring teams to balance model flexibility against stronger control over instruction hierarchy and context growth.

  • A coding agent receives secure coding rules at the top of the session, then later accepts a user request that asks it to bypass validation and expose secrets.
  • An operations agent is told to follow approval workflow steps, but a long incident thread adds fresh instructions that redirect it toward an unapproved remediation path.
  • A developer tool uses retrieval-augmented context, and new documentation fragments weaken earlier compliance constraints unless policy is reasserted at execution time.
  • A service account assistant is primed with rotation policy, but subsequent chat history introduces exceptions that blur when rotation and revocation should occur.

These patterns are often discussed alongside broader NHI control failures in the Ultimate Guide to NHIs, which shows how governance gaps compound when identity behavior is not centrally enforced. They also connect to the practical boundaries in NIST SP 800-53 Rev 5 Security and Privacy Controls, where access and action limits should not depend on prompt ordering alone.

Why It Matters in NHI Security

Prompt erosion matters because AI agents often act with execution authority over secrets, deployments, and access workflows. If earlier safety instructions weaken over time, an agent may leak credentials, approve unsafe changes, or ignore rotation and offboarding requirements when the conversation grows complex. In NHI security, that is especially dangerous because the asset at risk is not just a response quality issue, but a live identity path that can reach production systems.

NHI Mgmt Group data shows that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage, a reminder that instruction drift can become an operational incident very quickly. The most resilient controls are layered: constrain tool permissions, re-validate high-risk actions, and treat prompt text as advisory rather than authoritative. The guidance in the Ultimate Guide to NHIs aligns with this view by prioritising lifecycle governance, visibility, and least privilege over conversational memory. Organisations typically encounter prompt erosion only after an agent has already taken an unsafe action, at which point the term becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 Agentic AI risks include instruction conflict, context drift, and unsafe tool use.
OWASP Non-Human Identity Top 10 NHI-02 Prompt drift can expose secrets and weaken controls around non-human identities.
NIST CSF 2.0 PR.AC-4 Least-privilege access must not depend on prompt order or conversational precedence.
NIST AI RMF AI RMF addresses context, reliability, and governance risks in AI operations.
NIST Zero Trust (SP 800-207) Zero Trust requires continuous verification, not trust in prior instructions.

Prevent prompt-driven secret exposure by enforcing storage and access controls outside the chat layer.