Subscribe to the Non-Human & AI Identity Journal

Agent-to-Agent Prompt Injection

An attack where one AI agent places misleading or malicious instructions into a message another agent treats as trusted context. The risk is not limited to direct user prompts. It appears when machines inherit each other’s instructions without validation, allowing the injected content to steer downstream tool use or decisions.

Expanded Definition

Agent-to-agent prompt injection occurs when one AI agent supplies instructions, context, or payloads that another agent accepts as trusted input. The danger is not simply “bad prompting.” It is a trust-boundary failure inside an agentic workflow, where machine-generated content can influence planning, tool selection, memory, or escalation paths.

In practice, the injected material may arrive through shared chat threads, task summaries, retrieved documents, tool outputs, or orchestration messages. That makes the issue broader than direct user prompt injection and closer to a control problem for multi-agent systems. Industry usage is still evolving, but the core security expectation is consistent: agents should not treat upstream machine text as authoritative without validation, provenance checks, and policy enforcement. This aligns with the risk framing in the OWASP Agentic AI Top 10 and the governance lens in the NIST AI Risk Management Framework.

The most common misapplication is assuming a message is safe because it came from another agent, which occurs when orchestration layers skip content validation between autonomous components.

Examples and Use Cases

Implementing agent-to-agent controls rigorously often adds latency and review overhead, requiring organisations to weigh autonomous workflow speed against the cost of stronger message validation.

  • A support agent summarizes a customer request, but the summary includes hidden instructions that redirect a billing agent to expose account details.
  • An analysis agent retrieves a document from a shared knowledge base, and the document contains manipulative text that changes the next agent’s tool-call plan.
  • A code-review agent passes a “safe” remediation note to a deployment agent, but the note includes instructions to disable checks before release.
  • A planning agent accepts another agent’s output as a trusted task queue item, causing it to invoke a secrets manager or API with unintended parameters.

These patterns are discussed in NHIMG research on the OWASP NHI Top 10 and the AI LLM hijack breach, where indirect trust and inherited context become the attack surface. A useful implementation reference is the CSA MAESTRO agentic AI threat modeling framework, which helps teams model how agents exchange instructions and decisions.

Why It Matters in NHI Security

Agent-to-agent prompt injection matters because it turns ordinary machine-to-machine communication into a privilege-escalation path. In NHI environments, the downstream agent often has access to secrets, automation tokens, CI/CD actions, or privileged APIs. If one agent can steer another without validation, the result can be unauthorized tool execution rather than merely incorrect text output.

NHI Mgmt Group reports that 97% of NHIs carry excessive privileges and 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, which makes prompt injection far more than a model-safety issue. It becomes a governance issue for identities, scopes, and execution authority. The Ultimate Guide to NHIs is clear that weak visibility and poor rotation compound the blast radius when agents are compromised, while MITRE ATLAS adversarial AI threat matrix and the NIST AI Risk Management Framework both reinforce the need for provenance, monitoring, and controlled outputs.

Organisations typically encounter this consequence only after an agent has triggered an unintended action, at which point agent-to-agent prompt injection becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A3 Covers prompt injection against agentic systems and inherited instruction abuse.
OWASP Non-Human Identity Top 10 NHI-05 Maps to trust-boundary failures where agents pass unsafe context between identities.
NIST AI RMF GV-2 Requires governance of AI system risks, including unsafe instruction flow.
NIST CSF 2.0 PR.DS-1 Addresses protection of data in transit and integrity of exchanged instructions.
NIST Zero Trust (SP 800-207) SC-3 Zero trust requires explicit verification of every trust decision between components.

Protect message integrity between agents and block unauthenticated context injection.