The act of mixing two or more languages within a single prompt or conversation. In AI security, code-switching matters because it can split harmful intent across language boundaries, making it harder for moderation systems to detect the request as dangerous even when the user’s meaning is clear.
Expanded Definition
Code-switching is the deliberate or incidental mixing of two or more languages within a single prompt, conversation, or response. In AI security, the term matters because moderation, policy enforcement, and intent detection can weaken when harmful requests are split across language boundaries, even though the user’s meaning remains intact. Definitions vary across vendors on whether dialect shifts, transliteration, and partial translation count as code-switching, so operational teams should treat it as a multilingual evasion pattern rather than a purely linguistic feature. This distinction is especially important in agentic workflows, where an AI agent may inherit a prompt, tool instruction, or user request that changes language midstream and bypasses a detector tuned for one language only. NHI Management Group treats the problem as a visibility and control issue, not a content novelty issue, because the security failure is often in the guardrail design, not the language itself. The most common misapplication is assuming a single-language safety filter covers mixed-language prompts, which occurs when moderation is validated only on monolingual test sets.
Examples and Use Cases
Implementing defenses against code-switching rigorously often introduces extra review and model-evaluation overhead, requiring organisations to weigh detection coverage against latency and operational complexity.
- A user begins in English, then inserts a harmful instruction in another language to evade a content policy check.
- A prompt combines English control words with translated technical terms so the unsafe request is harder to classify consistently.
- An AI agent receives a multilingual support ticket and misreads a language shift as harmless context, then executes an unsafe tool action.
- A security team tests moderation against adversarial prompt sets that intentionally alternate languages to probe weak spots in the filter pipeline, a concern that aligns with broader NHI risk patterns described in the Ultimate Guide to NHIs.
- Policy teams compare multilingual abuse cases against the NIST Cybersecurity Framework 2.0 to ensure detection, response, and recovery processes cover language-based evasions.
In practice, code-switching shows up during red-team testing, customer support automation, cross-border operations, and any workflow where the same model must interpret more than one language or script. It is also relevant when transcription, translation, or summarisation layers sit between the user and the safety control, because those layers can normalise the language just enough to hide the original intent.
Why It Matters in NHI Security
Code-switching matters in NHI security because non-human systems often act on prompts, tickets, and runbooks that are assumed to be machine-readable and policy-safe. That assumption fails when a malicious request is fragmented across languages or encoded through mixed-language phrasing, creating blind spots in moderation, logging, and human review. The risk becomes more serious in environments with autonomous agents, service accounts, and delegated tool access, because a missed instruction can move from text to action. NHI Management Group research shows that 68% of organisations do not know how to fully address NHI risks, and that lack of clarity extends to prompt-layer controls when multilingual abuse is not explicitly tested. Code-switching should therefore be treated as part of the broader control surface for AI and NHI governance, alongside secrets handling, access scoping, and policy enforcement. Organisations typically encounter the impact only after a harmful prompt has already slipped through moderation or an agent has executed an unsafe action, at which point code-switching becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Addresses multilingual prompt injection and unsafe agent instructions across language boundaries. | |
| NIST AI RMF | Requires robust AI risk controls for adversarial input patterns, including language-based evasion. | |
| NIST CSF 2.0 | PR.DS | Protective data handling depends on detecting and filtering unsafe multilingual inputs. |
Test agent prompts in multiple languages and harden guardrails against mixed-language instruction evasion.
Related resources from NHI Mgmt Group
- Why is hardcoding credentials into source code so dangerous?
- What is the difference between code scanning and runtime identity monitoring?
- What is the difference between scanning AI-generated code and governing AI agent identity?
- When do AI-generated code and assistants increase secret exposure risk?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org