Subscribe to the Non-Human & AI Identity Journal

What breaks when extensions can issue hidden prompts to LLMs?

Auditability breaks first, because background interactions can erase the user-visible trail by deleting chats or hiding activity in tabs. Then data governance breaks, because the model may retrieve content from connected services that the user never intended to expose. Security teams need visibility into both extension behaviour and LLM outputs.

Why This Matters for Security Teams

When extensions can issue hidden prompts to LLMs, the risk is not just an extra input channel. It is a second, less-visible control plane that can steer model behaviour outside the user’s line of sight. That breaks the assumptions behind review, approval, and data handling, especially when the extension can read tabs, modify pages, or trigger background activity.

This is why guidance in the OWASP Agentic AI Top 10 and NIST’s AI governance work both emphasise runtime context, prompt integrity, and least-privilege access. NHIMG research on McKinsey AI platform breach and AI LLM hijack breach shows the same pattern: once model access becomes embedded in everyday workflows, hidden interactions are hard to detect after the fact.

In practice, many security teams discover this only after sensitive content has already been retrieved, summarised, or forwarded through a workflow that never appeared in the user-visible audit trail.

How It Works in Practice

Hidden prompts usually work by separating what the user sees from what the extension sends to the model. A browser extension, desktop add-on, or plugin can collect page content, session state, clipboard data, or connected-service metadata, then submit a prompt in the background. The model may respond with a summary, action, or extracted data that looks legitimate because it was generated through an apparently normal API call.

The security problem is that traditional approvals are often tied to the user interface, while the real request is happening elsewhere. That means audit logs may show a generic model invocation without showing which page, tab, identity, or data source was involved. If the extension also has access to connected apps, hidden prompts can pull from email, docs, chat, or tickets that the user did not actively open or intend to expose.

Current practice is moving toward three controls:

  • Per-extension permission scoping, so a tool cannot read more than it needs.
  • Prompt and output logging, so hidden model interactions are visible for review and incident response.
  • Context-aware policy enforcement, so retrieval and generation are checked at request time rather than trusted by default.

That direction aligns with the CSA MAESTRO agentic AI threat modeling framework and NIST AI Risk Management Framework, which both push for governance at the interaction layer, not just the identity layer. NHIMG’s OWASP NHI Top 10 also reflects this reality: if the system cannot show who caused the prompt, what data was touched, and why the model saw it, then security review becomes guesswork. These controls tend to break down in multi-extension enterprise browsers because overlapping permissions make it difficult to isolate which component actually initiated the hidden prompt.

Common Variations and Edge Cases

Tighter extension control often increases friction, requiring organisations to balance user productivity against stronger containment and auditability. That tradeoff becomes especially visible in environments that rely on copilots, CRM plug-ins, or knowledge-base extensions, where background prompting can be normalised as “helpful” behaviour.

There is no universal standard for this yet, but current guidance suggests treating hidden prompts as high-risk whenever an extension can access authenticated sessions or connected services. In those cases, the safest pattern is to require explicit user initiation for sensitive retrieval, separate model contexts for different applications, and clear provenance on both prompts and outputs. Where possible, organisations should also prefer controls that verify the workload or extension identity at runtime rather than trusting a static allowlist alone.

One practical edge case is enterprise-managed extensions that are installed legitimately but later gain new capabilities through updates. Another is local AI tooling that routes prompts through a browser process while the user believes the interaction is happening in a single trusted app. Both cases can defeat ordinary review because the behaviour is not obviously malicious at first glance. NHIMG’s research on OmniGPT breach and DeepSeek breach reinforces that visibility failures often emerge before classic compromise indicators do. Hidden-prompt risks are most severe in highly connected browsers with broad SSO access, because the extension can silently bridge user intent and sensitive enterprise data.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A2 Hidden prompts are a prompt-injection and tool-abuse issue in agentic systems.
OWASP Non-Human Identity Top 10 NHI-05 Extensions acting on behalf of users create opaque non-human access paths.
CSA MAESTRO T5 MAESTRO covers agentic data exposure and uncontrolled tool interaction.
NIST AI RMF GOVERN The issue is governance over unseen AI-mediated actions and data use.
NIST CSF 2.0 PR.AC-4 Least-privilege access is essential when extensions can reach hidden data.

Inspect extension-driven prompts for injection paths and block unintended tool use at runtime.