TL;DR: Security teams often conflate jailbreaks with prompt injection, but they attack different layers of an AI system: jailbreaks target model safety tuning, while prompt injection exploits how applications mix trusted instructions with untrusted content, according to Pillar Security. Treating them as synonyms creates blind spots because the right defense depends on whether the risk lives in the model, the application, or both.
NHIMG editorial — based on content published by Pillar Security: The terminology problem causing security teams real risks
Questions worth separating out
Q: How should security teams defend against both jailbreaks and prompt injection?
A: Treat them as separate attack classes.
Q: Why do prompt injections remain dangerous even when the model seems well aligned?
A: Because alignment protects the model’s behaviour, not the application’s trust boundary.
Q: What do teams get wrong when they rely on prompt filters alone?
A: They often assume the filter can spot every harmful instruction by wording alone.
Practitioner guidance
- Separate model risk from application risk Assess jailbreak exposure with model hardening and red teaming, then assess prompt injection with application architecture reviews.
- Classify trusted and untrusted instruction sources Map every place where external content can be concatenated into prompts, including documents, emails, webpages, and support tickets.
- Constrain tool execution after untrusted input Block high-risk actions unless the request is revalidated outside the prompt stream.
What's in the full article
Pillar Security's full blog covers the operational detail this post intentionally leaves for the source:
- Side-by-side examples of jailbreak and prompt injection payloads so teams can test detection logic against the right mechanism.
- Discussion of signature-based detection patterns and why they succeed on some adversarial prompts but miss many indirect injections.
- Control design guidance for input isolation, privilege separation, and output validation in AI applications.
- References to the CFS framework for indirect prompt injection and how context, format, and salience affect payload execution.
👉 Read Pillar Security's analysis of why jailbreaks and prompt injection are not the same risk →
Prompt injection vs jailbreaks: where AI security controls fail?
Explore further
Jailbreaks and prompt injection are different control problems, not a single AI risk bucket. Jailbreaks attack safety tuning at the model layer, while prompt injection attacks the application layer where trusted and untrusted strings are merged. Security teams that collapse them into one label end up selecting the wrong control family and measuring the wrong failure mode. The practitioner conclusion is simple: threat classification must drive control selection, not vendor marketing terms.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: How do security teams decide which controls to prioritise for AI applications?
A: Start by asking whether the main exposure is model-level refusal bypass or application-level instruction hijacking. If attackers are trying to coerce the model into unsafe behaviour, prioritise alignment and jailbreak detection. If untrusted content can influence tools or data access, prioritise trust separation, provenance, and output validation.
👉 Read our full editorial: Jailbreaks vs prompt injection: why AI defenses miss the point