Prompt Poaching

Prompt poaching is the covert capture and forwarding of user prompts, conversations, or related context to an unapproved external system. In browser and AI tooling, it often hides behind a legitimate-looking interface, turning user trust into an unwitting data transfer path.

Expanded Definition

Prompt poaching is not just prompt logging. It is the covert redirection of user prompts, conversation context, or embedded secrets to an unapproved external system, often through a browser extension, wrapper app, plugin, or AI assistant interface. In NHI and agentic AI environments, the risk grows when an agent, service account, or connected tool can see more context than it needs.

Definitions vary across vendors because some products treat forwarding as a telemetry feature, while others frame it as a privacy or data-loss issue. In practice, prompt poaching overlaps with secret exfiltration, shadow AI, and tool-chain abuse, but the distinguishing factor is deception: the user believes the interface is local or sanctioned, while the data path is silently external. That makes governance under NIST Cybersecurity Framework 2.0 especially relevant where data flows and third-party exposure must be identified and controlled.

The most common misapplication is assuming that any prompt forwarding is acceptable as long as the interface looks legitimate; this happens when teams fail to inspect browser permissions, extension behavior, or hidden API routing.

Examples and Use Cases

Implementing prompt-poaching controls rigorously often introduces friction, requiring organisations to balance user convenience and model quality against inspection overhead, tighter allowlists, and more restrictive tool permissions.

  • A browser-based AI sidebar captures a customer support chat and forwards it to a third-party model endpoint without explicit approval from the organisation.
  • An internal agent interface copies prompts plus conversation history into an external SaaS layer for “enhanced responses,” even though the user expected local processing.
  • A malicious or over-permissioned extension harvests credentials embedded in a troubleshooting prompt and relays them to an untrusted destination.
  • A developer workflow sends repository context to an external assistant, exposing secrets that were never intended to leave the build environment.
  • A shadow AI tool embedded in a collaboration platform behaves like a productivity feature while quietly creating an unauthorised data transfer path.

These cases are easiest to miss when the forwarding happens inside normal-seeming workflows, which is why NHI governance content in the Ultimate Guide to NHIs consistently ties identity scope to data-path visibility and lifecycle control. For implementation teams, NIST Cybersecurity Framework 2.0 is useful because it forces the question of where information is being processed, retained, and shared.

Why It Matters in NHI Security

Prompt poaching matters because prompts often contain more than text. They may include secrets, API keys, internal URLs, operational instructions, customer data, or agent instructions that shape tool use. Once that content is forwarded to an unapproved system, the organisation loses control over retention, access, deletion, and downstream reuse. In an NHI environment, the impact is amplified because the data may also be consumed by agents or service identities with broad privileges.

That risk aligns with the broader NHI exposure pattern documented in NHI Mgmt Group's Ultimate Guide to NHIs, which reports that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, making prompt leakage far more damaging when those secrets are pasted into AI workflows. The same governance gap appears when teams do not classify prompt content as sensitive data in their NIST Cybersecurity Framework 2.0 mappings.

Organisations typically encounter the consequences only after an incident review, credential misuse, or an external disclosure, at which point addressing prompt poaching becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 | Prompt poaching exposes secrets and context through weak data handling controls.
OWASP Agentic AI Top 10 | A2 | Agent tool abuse can silently route prompts to untrusted external systems.
NIST CSF 2.0 | PR.DS | The term maps to protecting data in transit, storage, and shared workflows.

Classify prompt content as sensitive and block unauthorised forwarding paths.
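One way to implement this classify-and-block control, as an added example that is not code from NHI Mgmt Group or any of the products named above: a policy check that a prompt gateway or extension-monitoring proxy could run on each outbound forward before the prompt leaves the client. The sanctioned host list, the sensitivity patterns, and the event fields are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed allowlist: hosts the organisation has sanctioned for prompt processing.
SANCTIONED_MODEL_HOSTS = {"llm.internal.example", "api.approved-vendor.example"}

# Labels that classify prompt content as sensitive (constructed, illustrative patterns).
SENSITIVE_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bbearer\s+[A-Za-z0-9._~+/=-]{20,}", re.I),
    "internal_url": re.compile(r"https?://[\w.-]+\.(?:internal|corp|local)\b", re.I),
}
# Secret material must never leave in a prompt, even towards a sanctioned host.
SECRET_LABELS = {"aws_access_key", "private_key_block", "bearer_token"}

@dataclass
class ForwardEvent:
    source: str       # component about to forward, e.g. "extension:support-sidebar"
    destination: str  # full URL the prompt would be sent to
    prompt: str       # prompt text plus any conversation context included

@dataclass
class Decision:
    allow: bool
    labels: list = field(default_factory=list)   # sensitivity labels found
    reasons: list = field(default_factory=list)  # why the forward was blocked

def classify_prompt(text):
    """Return the sensitivity labels whose patterns match the prompt text."""
    return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)]

def evaluate_forward(event, sanctioned_hosts=SANCTIONED_MODEL_HOSTS):
    """Block the forward unless the destination is sanctioned and the prompt
    carries no secret; internal URLs are labelled but allowed to sanctioned hosts."""
    decision = Decision(allow=True, labels=classify_prompt(event.prompt))
    host = (urlparse(event.destination).hostname or "").lower()
    if host not in sanctioned_hosts:
        decision.allow = False
        decision.reasons.append(f"unsanctioned destination {host or '<none>'} from {event.source}")
    secrets = sorted(SECRET_LABELS & set(decision.labels))
    if secrets:
        decision.allow = False
        decision.reasons.append("secret material in prompt: " + ", ".join(secrets))
    return decision
```

A blocked decision's `reasons` list is what an audit log or user-facing notice would carry, so the hidden data path becomes visible at the moment it is attempted rather than after an incident review.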