Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Prompt injection techniques vs intent: what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Prompt injection is best standardised by separating attacker intent from execution technique, according to Lasso Security, which maps text-based attacks across instruction override, role-playing, context, formatting, cross-lingual, social engineering, encoding, payload splitting, and instruction smuggling. That distinction matters because AI-enabled workflows now need governance for how prompts are manipulated, not just what the model is asked to do.

NHIMG editorial — based on content published by Lasso Security: A Standardization Guide to Prompt Injection, text-based techniques vs intent

Questions worth separating out

Q: How should security teams classify prompt injection attempts in AI workflows?

A: Security teams should classify prompt injection by both attacker intent and the technique used to achieve it.

Q: Why do prompt injection attacks create governance risk for AI agents?

A: Prompt injection creates governance risk because the model often sits in the control path between text input and tool execution.

Q: What do organisations get wrong about filtering malicious prompts?

A: Many organisations focus on obvious harmful wording and miss manipulative structure.

Practitioner guidance

  • Define prompt injection categories in policy Map local detection and response rules to intent, technique, and payload style so analysts can distinguish jailbreak attempts, system prompt leakage, and instruction smuggling during triage.
  • Isolate trusted system instructions from user input Keep governing prompts, tool instructions, and refusal rules separate from untrusted text so attackers cannot use context manipulation to overwrite authoritative session state.
  • Normalise multilingual and encoded content before inference Apply Unicode normalisation, script checks, decoding, and translation-aware inspection to reduce evasion through homoglyphs, mixed scripts, leet speak, or base encodings.

What's in the full article

Lasso Security's full article covers the operational detail this post intentionally leaves for the source:

  • The complete prompt injection taxonomy with subcategories and examples for each attack style
  • Detailed explanation of how text-based techniques are used to evade model safeguards in practice
  • Expanded discussion of encoding, multilingual, and formatting-based manipulation patterns
  • Additional context on how the taxonomy supports standardisation across AI security teams

👉 Read Lasso Security's full prompt injection taxonomy and technique breakdown →

Prompt injection techniques vs intent: what IAM teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Prompt injection is an identity problem because the model becomes the decision layer that interprets authority. Once the LLM is embedded in workflows that can retrieve data, call tools, or shape downstream actions, the attack is no longer just abusive text. The governing question becomes which instructions the system is permitted to treat as authoritative, and when that authority can be spoofed through language alone. Practitioners should treat prompt provenance as part of access control.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How can teams reduce the impact of instruction smuggling in LLM pipelines?

A: Teams should treat retrieved content as untrusted data, even when it comes from HTML pages, documents, or chat history. Hidden instructions in comments, metadata, or non-rendered elements can still influence model behaviour if the pipeline passes them through unchanged. Sanitising content before inference reduces the chance that the model confuses data with commands.

👉 Read our full editorial: Prompt injection taxonomy shows the gap between intent and technique



   
ReplyQuote
Share: