A prompt injection technique that hides malicious instructions from the user while leaving them available to the model in machine-readable form. It relies on presentation gaps, redirects, or formatting tricks so the assistant acts on content the human reviewer cannot reliably see in time.
Expanded Definition
Invisible Prompt Injection is a prompt-layer attack that exploits the gap between what a human reviewer sees and what the model can still consume as input. The malicious instruction may be hidden in formatting, whitespace, metadata, image overlays, redirected content, or other machine-readable channels, so the assistant follows instructions the operator never meaningfully approved.
In NHI and agentic AI systems, this matters because the model is not just generating text. It may be calling tools, retrieving records, posting messages, or altering workflows. A hidden instruction can therefore become an execution trigger, not just a bad answer. The term is still evolving across vendors, but the core risk is consistent: presentation security is weaker than instruction fidelity. OWASP’s OWASP Agentic AI Top 10 treats prompt injection as a primary application-layer threat, while NIST control guidance such as NIST SP 800-53 Rev 5 Security and Privacy Controls supports the broader need for validation, monitoring, and controlled execution paths.
The most common misapplication is assuming that a prompt is safe because a reviewer cannot visibly see anything suspicious, which occurs when hidden or encoded instructions are treated as benign content.
Examples and Use Cases
Implementing protections against invisible prompt injection rigorously often introduces friction, because stricter sanitisation and rendering controls can reduce usability and increase false positives, requiring organisations to weigh model autonomy against review confidence.
- A calendar invite or document contains hidden text that tells the agent to exfiltrate context, as seen in Gemini AI Breach — Google Calendar Prompt Injection.
- A code-assistance agent ingests comments or files that quietly instruct it to run unsafe commands, a pattern reflected in Gemini CLI Breach — Silent Code Execution.
- A browsing agent follows embedded prompt text in a webpage, then leaks retrieved data into an external tool or chat channel.
- An enterprise workflow agent processes attachments or rich text that contain hidden directives inside formatting, Unicode tricks, or layered content.
- An AI coding agent reads project files that mix legitimate instructions with concealed command sequences, similar to patterns discussed in Amazon Q AI Coding Agent Compromised.
These cases are especially important when agent behavior crosses from interpretation into action, which is why the issue is also reflected in the OWASP Agentic AI Top 10 as a governance and runtime concern rather than a mere content-filtering problem.
Why It Matters in NHI Security
Invisible Prompt Injection becomes an NHI security issue the moment an agent can use secrets, service credentials, API keys, or delegated tokens on behalf of a workflow. Once hidden instructions steer the model, the attack can pivot from text manipulation to unauthorized tool use, data exposure, or destructive change. This is why prompt safety and NHI governance cannot be separated: if an agent can act, it needs explicit boundaries on what it may see, what it may execute, and what it may disclose.
NHI Mgmt Group reports that 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, which shows how quickly hidden-path attacks become operationally expensive once credentials are in the loop. The same risk is amplified when service accounts are overprivileged or poorly monitored. In practice, invisible prompt injection turns into a credential-compromise problem when the agent is allowed to reach beyond the intended context boundary.
Organisations typically encounter the impact only after an agent has already sent data, executed a command, or altered a record, at which point invisible prompt injection is operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | LLM01 | Prompt injection is a core agentic AI risk, including hidden instructions in machine-readable content. |
| OWASP Non-Human Identity Top 10 | NHI-08 | Invisible prompt injection can drive misuse of NHI credentials and agent actions. |
| NIST CSF 2.0 | PR.DS-1 | Hidden prompt content threatens data confidentiality by steering agents into unintended disclosure. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero trust requires continuous verification before an agent is trusted to act on any input. |
| NIST AI RMF | AI RMF addresses deceptive or adversarial inputs that undermine safe AI system operation. |
Assess prompt injection as a managed AI risk and document controls for detection, response, and recovery.
Related resources from NHI Mgmt Group
- What is the difference between prompt injection risk and identity abuse in agents?
- What is the difference between prompt injection and credential theft for agents
- What is the difference between prompt injection and tool poisoning?
- How should security teams reduce indirect prompt injection risk in AI systems?