ForcedLeak shows why AI agent prompt injection expands CRM risk

At a glance

What this is: This is a vulnerability analysis showing how indirect prompt injection in AI agents can turn routine CRM workflows into a data exfiltration path.

Why it matters: IAM and NHI teams need to treat AI agents as privileged execution surfaces, because the trust boundary now includes external data, internal memory, and outbound tool use.

👉 Read Noma Security's analysis of the ForcedLeak Agentforce prompt injection chain

Context

AI agent security is no longer limited to prompt filtering. When an autonomous agent can read external inputs, call tools, and generate downstream actions, the real governance problem becomes trust boundary control across the entire execution path. ForcedLeak is a clear example of why NHI governance has to account for data sources, tool permissions, and output handling together, not as separate problems.

In this case, the failure mode was not a classic authentication break. It was a combination of indirect prompt injection, overbroad model behavior, and a weak content security assumption that let attacker-controlled text be treated like trusted instruction. That is a familiar pattern in early agent deployments: business users see automation, while security teams inherit a broader and less visible attack surface.

Key questions

Q: How should security teams prevent prompt injection in AI agent workflows?

A: Security teams should separate untrusted data from executable instructions, enforce runtime policy checks before tool use, and monitor outbound destinations for abuse. Prompt filtering alone is not enough because indirect prompt injection often arrives through trusted business data. The control goal is to stop the agent from treating attacker-controlled content as authority.

Q: When does an AI agent become a privileged access risk?

A: An AI agent becomes a privileged access risk when it can retrieve sensitive records, make decisions, or invoke tools without tight action-level controls. At that point, the agent is not just producing text. It is exercising delegated authority, so its inputs, memory, and outputs must be governed like any other high-risk NHI.

Q: What is the difference between prompt injection and indirect prompt injection?

A: Prompt injection targets the model directly through the user prompt. Indirect prompt injection hides malicious instructions inside data the model later reads from a trusted source, such as a form submission or knowledge base. Indirect attacks are more dangerous in agentic systems because the malicious content can travel through normal workflows before it is executed.

Q: Why do AI agents complicate zero trust architecture?

A: AI agents complicate zero trust architecture because they can combine identity, decision-making, and execution in one workflow. Zero trust requires continuous verification, but agents may process untrusted context and act quickly across systems. Teams need policy enforcement at each action boundary, not only at login or network access.

Technical breakdown

How indirect prompt injection works in agent workflows

Indirect prompt injection happens when malicious instructions are embedded in data that a model later retrieves and treats as operational context. In an agent workflow, that data can come from forms, knowledge bases, tickets, emails, or CRM records. The model does not need to be tricked at the input prompt itself. It only needs to process attacker-controlled content inside a trusted workflow, then follow the hidden instruction as if it were part of the legitimate task. This is why agent design needs source trust separation, not just prompt hygiene.

Practical implication: Classify every external data source feeding an agent and block instruction-like content before it reaches decision logic.

Why autonomous tool use changes the threat model

Traditional chatbots mostly produce text. Agentic systems can also reason, plan, and invoke tools, which makes the model part of an execution chain rather than a passive interface. That creates a much larger NHI risk because the agent may access records, create messages, or send requests based on compromised context. Once a model can act, prompt injection becomes a control-plane problem: the attacker is no longer only shaping output, but steering authorization, workflow branching, and data movement.

Practical implication: Separate conversational intent from execution authority and require policy checks before any agent tool call is allowed.

Why content security policy bypasses matter in AI exfiltration

A content security policy is meant to restrict where a browser or embedded workflow can send data. In this case, a whitelisted but expired domain created a trusted-looking outbound path. That matters because agentic attacks often need a second stage beyond model compromise: a way to exfiltrate data without triggering obvious alarms. If domain trust is stale, the control fails even if the prompt injection is detected too late. The lesson for IAM and NHI teams is that outbound trust is part of the identity boundary, not an afterthought.

Practical implication: Audit every trusted URL, domain allowlist, and outbound channel with the same discipline used for privileged access.

Threat narrative

Attacker objective: The attacker wants to turn a business workflow into a covert CRM exfiltration path without triggering immediate suspicion.

1. Entry occurs when an attacker submits malicious instructions through a lead form field that later becomes trusted agent input.
2. Escalation happens when the agent processes the hidden instruction, follows attacker-controlled steps, and queries sensitive CRM data.
3. Impact occurs when the agent uses a trusted outbound channel to send extracted data beyond the organisation's control.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

ForcedLeak is not just a Salesforce issue, it is an identity governance problem for autonomous systems. The core failure was a trusted system acting on untrusted instruction, which is exactly the kind of boundary confusion NHI programmes are meant to prevent. As agents become more autonomous, the governance question shifts from who can log in to what can safely instruct the system. Practitioners should treat agent inputs, memory, and tool calls as separate trust zones.

Indirect prompt injection creates ephemeral credential trust debt: the system may only be exposed for the brief moment it processes hostile context, but that window is enough for misuse. This makes static review and periodic audit insufficient on their own. Security teams need runtime inspection, source trust scoring, and policy enforcement at the point of action, not after the fact. The practical conclusion is that agent approvals must be tied to live context, not just identity.

AI agents broaden the NHI blast radius because execution and access now move together. When an agent can retrieve records, draft responses, and invoke outbound channels, a single compromised workflow can touch multiple systems in sequence. That changes incident handling from token revocation to workflow containment. Organisations should assume that one poisoned input can produce multi-system impact unless each action is explicitly constrained.

Outbound trust controls are now part of agent security, not only network security. Expired domains, permissive allowlists, and weak destination validation can turn a model compromise into a clean exfiltration path. This is a reminder that NHI governance must cover data egress as tightly as credential issuance. Teams that stop at input filtering will miss the second half of the attack chain.

Agentic AI security is converging with PAM discipline, but the control objectives are broader. The goal is not merely to reduce standing access, but to prevent unmanaged autonomy from turning ordinary business workflows into privileged actions. That means policy checks, tool scoping, and strong separation between data ingestion and execution. Practitioners should reframe agent governance as a privilege boundary problem.

From our research:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• For a broader control baseline, compare this with OWASP Agentic AI Top 10 and map agent tool use to the most restrictive action boundary.

What this signals

Ephemeral credential trust debt: organisations are already living with short-lived but high-impact agent failures, which means the next control gap is not token lifetime alone. It is whether the agent can be trusted to distinguish data from instruction at runtime. Teams that still treat agent output as harmless text will miss the operational path to exfiltration.

With 96% of technology professionals identifying AI agents as a growing security threat, the category has crossed from experimentation into governance urgency, and NHI programmes need to catch up fast. That should push practitioners toward stricter inventorying, action-scoped approvals, and continuous auditability, using resources such as the OWASP NHI Top 10 to prioritise controls.

For practitioners

• Implement source trust separation for agent inputs Tag all external data fields, knowledge sources, and CRM records that can reach an AI agent, then block instruction-like content from being interpreted as operational intent. Review Web-to-Lead, email ingestion, and ticketing flows first.
• Constrain tool calls with explicit policy checks Require runtime authorization before an agent can query records, draft outbound messages, or call external endpoints. Treat each tool invocation as a privileged action and log the triggering context for review.
• Audit outbound domains and trusted URLs Revalidate every trusted destination used by agent workflows, including legacy allowlists and expired domains. Remove stale entries, test for exfiltration paths, and tie destination approval to ownership and expiry checks.
• Inspect business forms for prompt injection patterns Scan lead forms and other user-controlled fields for long instruction blocks, HTML snippets, or unusual multi-step requests that could steer downstream agents. Escalate suspicious submissions into the same queue used for high-risk NHI review.

Key takeaways

• AI agents create a larger trust boundary than traditional chat interfaces because they can read, decide, and act across multiple systems.
• Indirect prompt injection is especially dangerous in CRM and lead-processing workflows because attacker-controlled text can look like routine business data.
• Practitioners should treat agent governance as an NHI control problem, with runtime authorization, source validation, and outbound trust reviews.

Key terms

• Indirect Prompt Injection: An attack where malicious instructions are hidden inside content a model later reads as trusted context. The model does not need to be directly prompted by the attacker. In agentic systems, this becomes more dangerous because the hidden instruction can influence tool use, data retrieval, and outbound actions.
• AI Agent Trust Boundary: The set of data, systems, and actions an AI agent is allowed to interpret or control. For security teams, the boundary is not just the prompt or login session. It includes memory, tools, external sources, and destinations that can turn a model decision into real-world impact.
• Content Security Policy Bypass: A failure where an allowlist or browser content policy permits data to leave through a destination that should no longer be trusted. In AI agent attacks, this matters because outbound channels can be used to exfiltrate information after the model has already been steered into unsafe behavior.
• Agentic Execution Authority: The ability of an AI system to move beyond generating text and into taking actions through connected tools and workflows. This authority is what changes AI from a conversational interface into a non-human identity risk, because misuse can affect records, messages, and integrated systems.

Deepen your knowledge

AI agent governance and NHI trust boundary control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for CRM workflows or other agent-driven systems, it is worth exploring.

This post draws on content published by Noma Security: ForcedLeak and the Agentforce prompt injection chain. Read the original.