A model for explaining why some indirect prompt injections succeed. Context is task fit, format is how well the payload blends into the medium, and salience is how strongly the instruction stands out to the model. Together, they describe whether malicious text feels legitimate enough to follow.
Expanded Definition
Context, format, and salience describe why an indirect prompt injection succeeds or fails in an agentic system. Context is the task and surrounding data that make malicious instructions seem relevant. Format is the medium and structure that help the payload blend into the input stream. Salience is the degree to which the instruction stands out, which can either attract or dilute model attention.
This model is especially useful when evaluating tool-using agents that read email, tickets, web pages, documents, or API responses. It maps closely to the practical reality that malicious instructions do not need to be overt to be effective; they only need to appear compatible with the current task. That is why defenders should assess both the content and the delivery channel, not just whether the text is obviously hostile. For a broader identity and access lens, the NIST Cybersecurity Framework 2.0 reinforces that protective controls must account for the environment in which access decisions are made, not only the identity making them.
Definitions vary across vendors because some treat these three factors as a full security model while others use them as a heuristic for prompt robustness. The most common misapplication is assuming a low-salience payload is harmless, which occurs when defenders ignore how task-relevant formatting can still make malicious text executable.
Examples and Use Cases
Implementing controls around context, format, and salience rigorously often introduces friction, requiring organisations to balance agent usefulness against tighter input validation and reduced automation latitude.
- An email summarisation agent receives a vendor message that includes a “please forward this to finance” line hidden in a quoted thread. The task context is plausible, the format looks normal, and the instruction becomes easy for the model to follow.
- A support-ticket agent ingests a customer issue that contains embedded instructions disguised as troubleshooting notes. The payload blends into the ticket structure, making the malicious directive appear operationally relevant.
- A document-review agent processes a policy PDF with a footer note that asks the model to reveal internal routing rules. The text is low-visibility, but the format and context make it feel legitimate enough to execute.
- An API-fed agent reads JSON fields that include natural-language comments intended to steer tool use. The structured format can hide the payload in plain sight if the system does not separate data from instruction.
- NHIMG’s Ultimate Guide to NHIs is relevant here because hidden instructions often reach the model through poorly governed service accounts, integrations, and automation paths rather than through user chat alone.
Why It Matters in NHI Security
For NHI security, this concept matters because agents often operate with tool access, secrets exposure, and delegated authority. A prompt injection that succeeds by exploiting context, format, and salience can turn a routine workflow into unauthorised data movement, credential exposure, or unsafe tool invocation. That risk is amplified when the agent can reach service accounts, CI/CD systems, or ticketing platforms where hidden instructions may be treated as ordinary content.
NHIMG research shows that 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage. In that environment, prompt injection is not just a model quality issue; it becomes an identity and governance issue because the attacker is trying to steer an authorised NHI into misusing its own privileges. Stronger content separation, least-privilege tool design, and tighter message provenance are therefore essential. Organisational exposure typically becomes visible only after an agent has already forwarded data, triggered a workflow, or leaked a secret, at which point context, format, and salience become operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Covers prompt injection where instruction context and formatting alter agent behavior. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Relevant because malicious prompts can steer NHIs into unsafe secret or tool use. |
| NIST CSF 2.0 | PR.DS | Protecting data streams and provenance reduces the chance of malicious instruction blending. |
Separate instructions from data and validate every agent input before tool execution.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
