Context Exploitation

Expanded Definition

Context exploitation is a prompt attack pattern that manipulates the conversation state so an AI system accepts false authority, false capability claims, or invented prior history. In NHI and agentic AI security, it matters because the model does not treat all context as equally trustworthy. It may inherit instructions from system messages, tools, retrieved documents, memory, or user input unless those sources are bounded and validated. Guidance varies across vendors on how much weight to give prior turns, retrieval results, and tool outputs, so the defensive goal is not to eliminate context but to label, isolate, and verify it. This is closely aligned with the control mindset in NIST Cybersecurity Framework 2.0, where trust decisions should be explicit and continuously reassessed. NHIMG’s research on the 52 NHI Breaches Analysis shows how identity failures often begin with weak assumptions about what is trustworthy.

The most common misapplication is treating the prompt transcript as a neutral record, which occurs when retrieval, memory, or pasted instructions are allowed to override authenticated policy or tool provenance.

Examples and Use Cases

Implementing defenses against context exploitation rigorously often introduces latency and workflow friction, requiring organisations to weigh stronger provenance controls against a less fluid agent experience.

• A user inserts fabricated prior approval into a chat, and the agent follows it because the conversation history is trusted more than the current policy state.
• A retrieval-augmented assistant pulls a poisoned document that claims a service account has admin scope, causing the model to reason from false authority.
• An attacker primes an AI operator by repeatedly asserting that a tool call already succeeded, reshaping the model’s memory of prior actions.
• A delegated agent accepts a counterfeit “system” instruction inside a pasted ticket or email thread, then acts on it as if it were higher privilege context.
• Defenders map these failures to known NHI abuse patterns in the 52 NHI Breaches Analysis and compare them with identity assurance guidance in NIST Cybersecurity Framework 2.0.

In practice, the safest use cases are those that separate untrusted user content from policy, tool results, and authenticated state, rather than blending them into one narrative context.

Why It Matters in NHI Security

Context exploitation is a governance issue because agents often make decisions based on accumulated conversational history, not just the latest prompt. When that history can be spoofed or steered, attackers can induce privilege misuse, unsafe tool invocation, secret exposure, or incorrect approval flows. The risk is especially serious for NHIs because machine identities already operate at high scale and are frequently overprivileged; NHIMG reports that 97% of NHIs carry excessive privileges, which makes any successful context attack more damaging. In a weakly governed environment, false context can become a path to credential misuse, policy bypass, or agentic persistence. Defenders should treat context provenance, memory controls, and instruction hierarchy as first-class security controls alongside secrets management and access review.

Organisations typically encounter the operational impact only after an agent has followed a forged instruction, at which point context exploitation becomes impossible to ignore and urgently requires containment.

Related resources from NHI Mgmt Group

• What is the Model Context Protocol (MCP) and why does it matter for security?
• What is MCP in the context of AI security?
• When is it appropriate to implement MCP in the context of AI systems?
• Why is organizational context important for AI agents?