Organisations often treat prompt injection as a text-only problem, when it is really an execution problem. The issue is not only manipulated output, but whether that output can trigger sensitive data access or downstream actions. Effective defence requires monitoring the entire live interaction path.
Why This Matters for Security Teams
Prompt injection is often discussed as a clever jailbreak trick, but security teams should treat it as a path to unauthorised action. Once an AI agent can read untrusted content, call tools, or retrieve data, malicious instructions can steer behaviour in ways that resemble privilege abuse more than simple content manipulation. That is why the risk spans confidentiality, integrity, and downstream execution.
Current guidance from OWASP Agentic AI Top 10 and NHIMG research such as the OWASP NHI Top 10 points to the same operational issue: the model response is only one step in a larger live workflow. If the workflow includes secrets retrieval, ticket creation, file access, or API calls, the attack surface expands beyond the prompt window.
Many teams also underestimate how quickly prompt injection overlaps with NHI risk. A compromised agent identity, overbroad tool scope, or exposed token can turn a bad instruction into a real-world action. In practice, many security teams encounter prompt injection only after a tool has already been invoked, rather than through intentional review of the agent’s execution path.
How It Works in Practice
The practical mistake is assuming the model is the control point. It is not. The control point is the execution path around the model: what context it can see, what tools it can call, which secrets it can request, and what approval gates sit between a generated instruction and an actual side effect. That aligns with the broader zero trust framing in the NIST Cybersecurity Framework 2.0, where identity, access, and monitoring must be continuous rather than implicit.
For agentic systems, defence usually works best when teams combine policy, identity, and runtime controls:
- Restrict the agent’s tool scope so it can only invoke approved actions for the current task.
- Use short-lived credentials and rotate or revoke them immediately after task completion.
- Separate untrusted input from system instructions and treat retrieved content as hostile by default.
- Log tool calls, secret access, and external side effects, not just prompt and output text.
- Require context-aware checks before high-risk actions such as data export, account changes, or code execution.
NHIMG’s OWASP Agentic Applications Top 10 and the Ultimate Guide to NHIs both reinforce that identity and authorisation must be evaluated at the moment of action, not assumed from the prompt’s intent. That is especially important where agents chain multiple tools together, because one poisoned input can propagate across systems, generate a misleading output, and still produce a valid but unsafe action.
These controls tend to break down when the agent can reach legacy APIs, shared service accounts, or unconstrained browser automation because the execution environment cannot reliably separate instruction from authority.
Common Variations and Edge Cases
Tighter prompt and tool controls often increase workflow friction, requiring organisations to balance safer execution against latency, developer effort, and user experience. There is no universal standard for this yet, so current guidance suggests matching control strength to the sensitivity of the action rather than applying one fixed policy to every prompt.
Some environments create special problems. Retrieval-augmented generation can import hostile text from documents or web pages. Multi-agent systems can amplify injection because one compromised agent may influence another. Browser-based agents are especially exposed because page content, hidden fields, and UI state can all become attack inputs. In these cases, the issue is not just whether the model “believes” the prompt, but whether the workflow allows that input to reach a privileged action.
Security teams should also avoid a false sense of safety from output filters alone. A blocked phrase in the answer does nothing if the agent has already queried a sensitive record or issued an API call. The better question is whether each step has explicit policy enforcement, an accountable identity, and a revocation path. That is why NHIMG’s Top 10 NHI Issues remains relevant even for prompt injection discussions, because execution authority is where the real damage occurs.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A3 | Prompt injection is a core agent instruction-following and tool-abuse risk. |
| CSA MAESTRO | T2 | Addresses agent task execution and untrusted input steering downstream actions. |
| NIST AI RMF | AI RMF covers governing and mapping risks from prompt injection in live systems. |
Define ownership, monitor harmful interactions, and enforce controls across the full agent lifecycle.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
