TL;DR: Prompt injection can trick AI assistants into bypassing rules, leaking data, or abusing tools through direct, hidden, and retrieval-based instructions, with reported success rates reaching 86% in real-world web and document scenarios according to Knostic. The security issue is not just model wording but the lack of layered control across inputs, retrieval, tool scope, and monitoring.
NHIMG editorial — based on content published by Knostic: Key Findings on Prompt Injection
By the numbers:
- A paper on Benchmarking Web Agent Security reports partial attack success up to 86% and end-to-end success up to 16% of the time in realistic browsing flows.
- The authors of Data Extraction Attacks in Retrieval-Augmented Generation via Backdoors show that with only 3% poisoned data, their backdoor-based method is highly effective.
- Assessing Prompt Injection Risks in 200+ Custom GPTs found a 97.2% success rate in extracting system prompts and 100% success in file leakage.
Questions worth separating out
Q: What breaks when prompt injection is not contained at the retrieval layer?
A: When retrieval is not contained, attacker-controlled documents can become trusted context and override intended behaviour.
Q: Why do AI assistants with tool access increase prompt injection risk?
A: Tool access converts prompt injection from a wording issue into an execution issue.
Q: How do security teams know whether prompt injection controls are actually working?
A: They should measure whether injected content is blocked before retrieval, whether unsafe tool calls are denied, and whether alerts correlate prompts with retrieved sources and actions.
Practitioner guidance
- Harden inbound content before model ingestion Sanitize email, HTML, document, and metadata inputs before they enter retrieval or prompting paths.
- Restrict tool permissions to task-scoped verbs Limit each assistant to the smallest possible set of APIs, destinations, and write actions.
- Enforce provenance and source lineage checks Tag every retrieved chunk with source, time, and trust status, then block generation when provenance is missing or ambiguous.
What's in the full article
Knostic's full analysis covers the operational detail this post intentionally leaves for the source:
- Benchmarks and attack-path breakdowns for direct override, indirect injection, retrieval poisoning, and tool abuse.
- Examples of how prompt injection appears in emails, SharePoint content, web metadata, plugins, and RAG pipelines.
- Control guidance on input hardening, retrieval hygiene, policy guardrails, and least-privilege actions in AI workflows.
- Auditability and lineage approaches that help investigators reconstruct which prompt or source caused the unsafe output.
👉 Read Knostic's analysis of prompt injection risks and enterprise defenses →
Prompt injection in enterprise AI: are your controls keeping up?
Explore further
Prompt injection is a governance failure, not just a model failure. The attack works because enterprise systems often let untrusted content enter the same decision context as trusted policy. That collapses the boundary between data and instruction, which is exactly where conventional prompt reviews and static filters break down. Practitioners should treat the model context window as a policy enforcement surface, not a neutral text buffer.
A few things that frame the scale:
- A paper on Benchmarking Web Agent Security reports partial attack success up to 86% and end-to-end success up to 16% of the time in realistic browsing flows, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- The same research set notes that with only 3% poisoned data, retrieval backdoors can drive an average verbatim extraction success rate of 79.7% on Llama 2-7B.
A question worth separating out:
Q: Who is accountable when an AI assistant leaks data or takes an unsafe action?
A: Accountability sits with the organisation that deployed the assistant, but ownership should be split across model operations, data governance, and access control. If a business process allows untrusted content to drive sensitive actions, the control failure is shared and must be documented in governance and incident review.
👉 Read our full editorial: Prompt injection exposes the control gap in enterprise AI assistants