TL;DR: Modern LLMs learn role separation, instruction hierarchy, and prompt templating through control tokens and system prompts, but those same mechanisms can be abused through control token injection, fake context resets, and XML prompt spoofing, according to HiddenLayer. The security boundary is probabilistic, not absolute, so AI teams need layered runtime controls around the model, not prompt engineering alone.
At a glance
What this is: This analysis shows how LLM role tokens, system prompts, and instruction hierarchy create both the behavior of agentic AI and a practical prompt-injection attack surface.
Why it matters: IAM, PAM, and AI governance teams need to treat model context as a control plane with privilege boundaries, because prompt manipulation can alter tool use, data access, and downstream execution.
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
👉 Read HiddenLayer's analysis of LLM roles, instruction hierarchy, and prompt injection
Context
Prompt injection becomes a governance problem when a model treats untrusted text as higher-priority instruction context. In agentic AI systems, the risk is not only what the model says, but what it is persuaded to do with tools, data, and downstream systems once role boundaries are blurred.
For IAM and security architects, the important shift is that system prompts, control tokens, and template structure behave like soft privilege boundaries rather than hard enforcement points. That means the control model around AI agents must extend outside the model itself, into runtime policy, monitoring, and permission boundaries.
HiddenLayer’s analysis is useful because it shows how attackers exploit the same structures developers use to make LLMs usable in production. That is a typical problem pattern for modern AI deployments: the mechanism that creates order also creates an injection path.
Key questions
Q: How should security teams reduce prompt injection risk in agentic AI systems?
A: Security teams should treat all external text as potentially malicious instruction content and place controls outside the model. That means separating system and user context, validating templates, limiting tool access, and logging model decisions. Prompt design helps, but runtime policy enforcement is what stops a successful injection from becoming an unsafe action.
Q: Why do prompt templates create security risk in LLM deployments?
A: Prompt templates create risk because they establish predictable structure that attackers can imitate or corrupt. If a model has learned that certain tags, roles, or separators signal authority, malicious input can exploit that learned pattern. The control boundary is therefore behavioural, not cryptographic, so template design must be paired with enforcement elsewhere.
Q: What breaks when a model can be persuaded to treat untrusted text as system-level instruction?
A: What breaks is the assumed hierarchy between trusted policy and untrusted input. The model may follow attacker-supplied commands, expose information, or use tools in unintended ways. Once that happens, the problem is no longer just wrong output. It becomes a governance failure affecting access, data handling, and downstream action.
Q: Who is accountable when prompt injection leads an AI agent to misuse tools or data?
A: Accountability sits with the organisation that granted the model access and failed to constrain its runtime behaviour. Security, IAM, application, and AI owners all share responsibility for the control plane around the model. If tool use is possible, governance must cover authorisation, monitoring, and incident reconstruction before deployment.
Technical breakdown
XML-style templating and context spoofing
XML-style tags help developers structure prompts and separate instructions from user content, especially in retrieval or tool-driven systems. The same structure can be abused when an attacker closes trusted tags, opens privileged-looking sections, or inserts fake context resets such as start-of-sequence markers. Because many models have seen large volumes of markup-like text during training, they may treat those patterns as meaningful instructions. That makes template design part of the attack surface, especially where repository files, emails, or retrieved documents can carry malicious markup into the prompt.
Practical implication: Validate and sanitize templated context before it reaches the model, especially in RAG and agent workflows.
NHI Mgmt Group analysis
Prompt injection is a privilege problem, not a language problem. The article shows that attackers do not need to break the model to influence it; they only need to persuade it that untrusted text belongs in a higher instruction tier. That matters because role-aware LLMs turn natural language into a de facto policy surface. Practitioners should treat prompt integrity as an access-control issue, not a content-moderation issue.
Control tokens create an identity boundary that looks stable but behaves probabilistically. Special tokens and role tags teach the model who is speaking, yet the same tokens can be imitated, spoofed, or context-reset by crafted input. That means the boundary is useful for steering behaviour, but not sufficient as an enforcement mechanism. The implication is that AI governance cannot rely on prompt hierarchy as if it were PAM or policy enforcement.
Prompt templates are a named concept worth tracking: instruction scaffolding risk. The more developers use XML-like structure to make models reliable, the more they create predictable places for attackers to inject fake privilege cues, close tags, or redefine context. This is especially relevant in agentic workflows where tool use follows from prompt interpretation. Practitioners should treat template structure as an attack surface that can reshape model authority in-session.
Agentic AI governance now depends on the interaction layer, not just the model layer. Once an LLM can reach APIs, browsers, or enterprise systems, prompt injection becomes an operational security issue with identity consequences. HiddenLayer’s analysis reinforces that runtime controls, permission boundaries, and monitoring are the real control plane. Security teams should reframe AI safety as a governance problem that crosses IAM, NHI, and application security.
Assumption collapse is the right lens for autonomous tool use. Least privilege was designed for actors whose intent and scope can be bounded before execution begins. That assumption fails when an AI system can be induced mid-session to reinterpret instructions, select tools, or change its own working context. The implication is that practitioners must rethink which controls are anchored to stable intent versus dynamic behaviour.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the same SailPoint research.
- That is why practitioners should pair agent governance with OWASP NHI Top 10 controls and stronger context inspection before untrusted text reaches the model.
What this signals
Instruction scaffolding risk: the more a programme depends on prompt templates, the more it needs to think like an identity control programme rather than a content workflow. In agentic deployments, context assembly, role boundaries, and tool permissions are the real governance surfaces, and they should be monitored as such.
With 92% agreeing that governing AI agents is critical but only 44% having implemented policies, according to SailPoint's AI Agents: The New Attack Surface report, the gap is no longer conceptual. Security teams should expect pressure to align AI operations with NIST AI Risk Management Framework style governance and runtime controls.
The practical signal to watch is whether your AI stack can explain what entered the context window, what role each element played, and which action path the model selected. If that evidence is missing, prompt injection response becomes guesswork rather than investigation.
For practitioners
- Treat prompt inputs as untrusted data Inspect system prompts, retrieved documents, emails, and repository files as potential instruction carriers. Apply filtering, canonicalisation, and context separation before those strings reach the model.
- Enforce runtime policy outside the model Use permission boundaries, tool allowlists, and approval gates for actions that touch sensitive systems. Do not assume a well-written prompt can prevent unsafe tool execution on its own.
- Log model context and tool decisions Record which inputs entered the context window, which role markers were present, and which tools the agent selected. That evidence is essential for detecting prompt injection and reconstructing abuse paths.
- Test for instruction-override failure modes Red-team for control token spoofing, fake resets, XML tag closure, and indirect prompt injection in RAG pipelines. Measure whether the model follows attacker content when it conflicts with system instructions.
Key takeaways
- Prompt injection works because model instruction hierarchy is soft, not absolute, so role markup must be treated as a security surface.
- LLM context handling, template design, and tool permissions together define the attack surface for agentic AI systems.
- Runtime policy, monitoring, and permission boundaries matter more than prompt engineering when AI systems can act on enterprise data.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Prompt injection and role spoofing map directly to agent goal and instruction abuse. |
| NIST AI RMF | AI RMF governance applies to model behaviour, oversight, and accountability. | |
| OWASP Non-Human Identity Top 10 | NHI-02 | The model's tool access and contextual authority behave like a non-human identity. |
Apply least-privilege and lifecycle controls to AI agent access just as you would for other NHIs.
Key terms
- Prompt Injection: Prompt injection is the manipulation of model context so the system follows attacker-supplied instructions instead of intended guidance. In practice, it exploits how LLMs weigh content in the context window, especially when retrieved text, documents, or tool output is mistaken for trusted instruction.
- Instruction Hierarchy: Instruction hierarchy is the ordering of authority inside an LLM conversation, where system or developer instructions are intended to outrank user input. It improves alignment, but it is not a hard security boundary, because models learn this hierarchy behaviourally rather than enforcing it cryptographically.
- Control Tokens: Control tokens are special markers used to separate roles, sequence boundaries, or formatting instructions in LLM context. They help the model parse conversation structure, but they also become security-sensitive when attackers can imitate, spoof, or reuse them to shift perceived authority.
- Agentic AI: Agentic AI is software that can choose actions, tools, and execution timing with some degree of independence at runtime. In identity terms, it behaves like a non-human actor with tool use and authority boundaries that must be governed, monitored, and lifecycle-managed like other machine identities.
What's in the full article
HiddenLayer's full research covers the operational detail this post intentionally leaves for the source:
- Token-by-token examples of how ChatML-style control tokens are encoded and abused in practice.
- Concrete prompt spoofing patterns, including fake context resets and control-token injection examples.
- The article's examples of XML-style tag manipulation and how model behaviour changes when trusted sections are closed or replaced.
- Additional analysis of how indirect prompt injection travels through documents, emails, and repository files.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing identity security strategy, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org