By NHI Mgmt Group Editorial TeamPublished 2026-04-20Domain: Agentic AI & NHIsSource: Lakera

TL;DR: Prompt injection manipulates LLM instructions to override safeguards, extract sensitive data, and alter model behaviour, according to Lakera’s analysis of direct, indirect, and multilingual attack patterns. The security gap is not just content filtering but governance for what AI systems are allowed to read, trust, and execute at runtime.


At a glance

What this is: Prompt injection is a class of AI attack that hijacks an LLM’s instruction-following logic to make it ignore safeguards and act on attacker-controlled inputs.

Why it matters: It matters because IAM, NHI, and emerging agentic AI programmes now have to govern not just access, but also what an AI system can interpret, prioritise, and execute safely.

By the numbers:

👉 Read Lakera's analysis of prompt injection and AI prompt attacks


Context

Prompt injection is an AI security problem, not a conventional code vulnerability. The attacker targets the model’s instruction hierarchy by placing deceptive text in prompts or in external content that the model reads, then relies on the model to follow the malicious instruction instead of the intended one.

For identity teams, the important question is not whether the model can answer safely in isolation, but whether the surrounding system can constrain what the model sees, trusts, and does. That makes prompt injection relevant to NHI governance, AI agent controls, and the broader execution layer that sits between identity and action.


Key questions

Q: How should security teams defend against prompt injection in AI applications?

A: Use layered controls. Separate system instructions from user input, sanitise retrieved content, require authorisation before tool use, and monitor for abnormal prompt patterns. No single filter is enough because prompt injection is an adaptation game, not a static signature problem. The goal is to prevent model compromise from becoming execution compromise.

Q: Why do AI copilots and agents make prompt injection risk worse?

A: They widen the impact of a successful injection. A plain chatbot may only produce unsafe text, but a connected AI system can search data, invoke tools, write records, or trigger workflows. Once the model can act, the attacker is no longer only manipulating output. They are steering privileged behaviour through the model.

Q: What do organisations get wrong about prompt injection?

A: They often treat it as a content moderation problem instead of an access and execution problem. The real failure is assuming the model can reliably distinguish trusted policy from untrusted instructions on its own. In practice, defensive design has to constrain the model’s authority, not just try to clean its language.

Q: How can teams reduce the blast radius of a compromised AI prompt?

A: Limit the model’s permissions, isolate sensitive retrieval sources, and require separate checks before any downstream action is taken. If the model cannot reach secrets, production tools, or approval paths by default, a successful injection is far less likely to become an enterprise incident.


Technical breakdown

Direct prompt injection and instruction override

Direct prompt injection happens when the attacker places conflicting instructions directly into the prompt stream, often with role-play, coercion, or suppression cues such as ignoring previous instructions. The weakness is structural: the model does not fully separate trusted system instructions from untrusted user content. That means the attacker is not breaking the model in the classic exploit sense. They are exploiting how the model arbitrates instruction priority under ambiguity, especially when the surrounding application passes raw input straight into the model context.

Practical implication: isolate system instructions from user-controlled text and treat prompt inputs as untrusted content, not as policy carriers.

Indirect prompt injection in retrieved content

Indirect prompt injection places malicious instructions inside content the model later consumes, such as webpages, documents, emails, or knowledge base entries. The model appears to be processing benign data, but the payload rides inside that data and becomes active once retrieved into context. This is especially dangerous in retrieval-augmented generation and tool-using applications, because the attacker no longer needs to control the user prompt itself. They only need to influence a source the model will trust during runtime.

Practical implication: verify and sanitise retrieved content before it reaches the model, especially when AI systems read from external or user-supplied sources.

Why prompt attacks become execution risks in AI applications

Prompt injection matters most when the model is connected to tools, memory, or downstream workflows. In those designs, a malicious instruction can shift from harmful text generation to harmful action selection, such as data exposure, policy bypass, or unauthorised tool use. The risk is therefore wider than jailbreaks. It becomes an execution-layer issue where the model’s output can trigger privileged behaviour in other systems. That is why prompt security must be evaluated alongside identity, authorisation, and runtime guardrails.

Practical implication: bind model actions to explicit authorisation and logging controls so prompt compromise does not become tool compromise.


Threat narrative

Attacker objective: The attacker wants the AI system to ignore intended safeguards and produce disclosures or actions that benefit the attacker.

  1. Entry occurs through a crafted prompt or malicious external document that the model ingests as normal input.
  2. Escalation follows when the model gives attacker instructions higher priority than the intended system policy or retrieval guardrail.
  3. Impact occurs when the model reveals sensitive data, violates safety rules, or triggers downstream actions that the attacker controls.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Prompt injection is a governance problem before it is a model problem. The attack works because organisations have treated model input as text instead of as an access-controlled control plane. Once the model can read external content, internal prompts, or memory without strong boundaries, the security question shifts from content filtering to instruction authority. Practitioners should treat prompt handling as part of identity and access design, not as a cosmetic layer on top of AI.

Prompt injection exposes a named concept we call instruction authority collapse. The system prompt was designed for a world where trusted instructions stay distinct from untrusted inputs. That assumption fails when the actor can smuggle commands through retrieval, copy-paste, multilingual variation, or context hijacking. The implication is that policy cannot depend on the model’s ability to self-separate truth, intent, and authority at runtime.

AI agents turn prompt injection from a safety flaw into a delegated-action risk. When a model can retrieve data, invoke tools, or update memory, the same attack pattern can cross into privileged execution. That connects LLM security directly to NHI governance because the model is now acting through machine identities and service permissions. Identity teams should recognise that prompt compromise becomes privilege compromise once the model can act.

Static filtering is too weak for a moving adversary. Lakera’s discussion of direct, indirect, obfuscated, and multilingual prompt attacks shows that the attacker can vary format faster than rule-based controls can keep up. That does not mean controls are useless. It means the defensive boundary must include runtime inspection, output gating, and privilege scoping around the model’s actions. Practitioners should assume evasive prompt patterns will continue to evolve.

Enterprises need to govern what the model can do, not only what it can see. The article’s core lesson is that AI security fails when teams stop at prompt hygiene and ignore execution paths. If the model can reach tools, memory, or sensitive retrieval layers, the real control is the one that limits blast radius after an input is accepted. Practitioners should align AI security with IAM, NHI, and zero trust principles.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
  • For a broader identity and secrets perspective, see NHI Lifecycle Management Guide for lifecycle controls that reduce long-lived exposure.

What this signals

Instruction authority collapse: prompt injection shows that the hard boundary is not between safe and unsafe text, but between content and control. Once AI systems can ingest retrieval, memory, and tools, the security programme has to assume that attacker text will attempt to become policy. That is a governance issue first, and a model issue second.

With 43% of security professionals already worried about AI systems learning and reproducing sensitive information patterns from codebases, the operational risk is no longer theoretical. Identity teams should expect prompt security to merge with secrets handling, retrieval governance, and approval design as AI moves closer to action.

The programme signal is clear: if an AI system can act across enterprise workflows, then prompt hardening alone is insufficient. Teams should align model guardrails with Zero Trust principles and workload identity controls, then validate them against runtime abuse patterns rather than only against benign test prompts.


For practitioners

  • Separate trusted instructions from untrusted content Keep system prompts, policy rules, and user-controlled text in distinct layers so attacker text cannot override the governing instruction set. Apply the same discipline to retrieved documents and memory-bearing contexts.
  • Gate tool use behind explicit authorisation Require deterministic permission checks before an AI system can call tools, access records, or trigger workflows. If prompt compromise cannot translate into action, the blast radius stays bounded.
  • Test indirect and multilingual attack paths Red team models using copied text, web retrieval, translated prompts, obfuscation, and context-hijack patterns. Treat these as production test cases, not edge cases, because attackers use them to bypass simple filters.
  • Audit memory and retrieval for secret exposure Remove secrets, tokens, and sensitive policies from prompt-visible stores wherever possible, and log every retrieval path that can feed the model. The model should not be able to surface data that would be unacceptable for a human operator to see.

Key takeaways

  • Prompt injection is best understood as an instruction-priority failure that can turn ordinary text into attacker-controlled policy.
  • The risk becomes materially worse when an AI system can retrieve data, use tools, or trigger workflows, because prompt compromise can then reach execution.
  • Identity and AI security teams should govern model authority, retrieval trust, and action gating together rather than treating prompt filtering as a standalone control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10A1Prompt injection drives unsafe model instruction handling in connected AI systems.
OWASP Non-Human Identity Top 10NHI-01Prompt-visible secrets and model-connected credentials create non-human identity exposure.
NIST Zero Trust (SP 800-207)PR.AC-4AI models should not gain implicit trust from context or retrieval alone.

Treat prompts as untrusted input and gate model actions behind explicit policy checks.


Key terms

  • Prompt injection: A prompt injection is malicious text that tries to override or redirect an AI model’s intended instructions. In practice, it exploits weak separation between trusted system policy and untrusted input, especially when the model can read external content, memory, or user-supplied documents.
  • Indirect prompt injection: Indirect prompt injection hides attacker instructions inside content the model later consumes, such as webpages, files, or knowledge base entries. The payload is not in the visible user prompt, which makes the attack harder to spot and especially dangerous in retrieval-augmented systems.
  • Instruction authority collapse: Instruction authority collapse is the failure of a model or AI application to preserve priority between trusted policy and attacker-controlled text. It becomes visible when the system can no longer reliably tell which instructions should govern behaviour at runtime, particularly in connected AI workflows.
  • Execution layer: The execution layer is the part of an AI system where model output becomes action, such as tool use, retrieval, memory updates, or workflow triggers. It is where prompt safety becomes identity and access control, because the model’s words can translate into privileged behaviour.

What's in the full article

Lakera's full article covers the operational detail this post intentionally leaves for the source:

  • Examples of direct and indirect prompt injection patterns that security teams can test against.
  • A fuller breakdown of prompt attacks versus non-prompt attacks for implementation teams.
  • Lakera's discussion of runtime detection and multi-layered AI security controls in production environments.
  • The article's practical defence checklist for securing AI applications against adversarial prompts.

👉 Lakera's full article covers attack variants, real-world examples, and practical defences in more depth.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org