Context poisoning is the manipulation of information that an AI agent reads before acting. The malicious content does not need to be code. If it changes the agent’s instructions, tool choices, or assumptions, it can alter behaviour and expand the impact of a compromised delivery path.
Expanded Definition
Context poisoning is a form of prompt-adjacent manipulation in which an AI agent ingests misleading instructions, facts, or assumptions from its working context and then acts on them. In NHI security, the issue is less about code execution and more about corrupted decision inputs that can steer tools, privileges, or workflows. Usage in the industry is still evolving, and definitions vary across vendors, but the common theme is that the poisoned material changes agent behaviour without needing to breach the model itself. That makes it especially relevant when agents rely on retrieved documents, tickets, chat threads, or configuration notes as operational context. The concept maps closely to NIST-style risk thinking around secure, trustworthy system behaviour, and it aligns with the broader governance lens in the NIST Cybersecurity Framework 2.0. A poisoned context can be subtle, because the agent may appear to follow policy while actually following tainted instructions embedded upstream. The most common misapplication is treating context poisoning as a pure prompt-injection problem; teams that do so overlook poisoned retrieval sources, stale runbooks, and attacker-controlled metadata.
Examples and Use Cases
Implementing context-poisoning defenses rigorously often introduces friction in retrieval and approval workflows, requiring organisations to weigh agent autonomy against verification overhead.
- An incident-response agent ingests a tampered ticket that tells it to skip a containment step and instead open broader access for a “trusted” service account.
- A procurement workflow agent reads a poisoned document that falsely labels an external API as approved, causing it to route sensitive data to the wrong integration.
- A code-review assistant consumes attacker-written comments in a pull request and treats them as authoritative remediation guidance rather than untrusted context.
- A knowledge-base agent is fed stale operational notes that override current policy, producing actions that conflict with the organisation’s control baseline and NIST Cybersecurity Framework 2.0 expectations for governed access.
- In NHI-heavy environments, a poisoned support transcript can persuade an agent to reuse secrets or request elevated access, even when the request originated outside approved channels. The broader NHI lifecycle risks described in the Ultimate Guide to NHIs become relevant here because the poisoned context often targets identities, credentials, and entitlement decisions.
Why It Matters in NHI Security
Context poisoning matters because agents increasingly operate with real authority: they can call APIs, move secrets, create tickets, or trigger access changes. If the context they trust is compromised, the blast radius is not limited to a bad answer; it can become an NHI event involving misuse of a service account, API key, or delegated workflow. NHI governance is already difficult, and the Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which makes poisoned instructions far more dangerous when they reach an over-entitled agent. The right control objective is not just filtering input, but constraining which context sources an agent can trust, how those sources are authenticated, and when humans must revalidate high-impact actions. That also means treating retrieved content as a supply-chain issue for decision-making, not as neutral background text. Practitioners typically encounter the consequences only after an agent has already changed access, disclosed a secret, or widened scope following a compromised retrieval source, at which point addressing context poisoning is no longer optional.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret handling and context risks that let tainted inputs steer NHI actions. |
| OWASP Agentic AI Top 10 | A-03 | Addresses agent tool misuse when untrusted context changes execution decisions. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central when poisoned context tries to expand authority. |
Restrict and validate agent context sources; audit secrets and access paths before acting.
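The control objective above (trusted context sources, source authentication, human revalidation of high-impact actions) as a small tool-dispatch gate, written here as an added illustration rather than code from NHI Mgmt Group. The per-source HMAC keys, source names, and tool names are constructed for the example; a real deployment would use its own signing scheme and policy tables.

```python
"""Context-source trust gate for an agent's tool dispatcher (added example)."""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed policy: only these context sources are authenticated, each with
# its own signing key. A source label alone is never trusted; the MAC is.
TRUSTED_SOURCE_KEYS = {"runbook-repo": b"constructed-demo-key"}

# Constructed list of tool calls whose effect touches NHI authority.
HIGH_IMPACT_TOOLS = {"grant_access", "rotate_secret", "skip_step"}


@dataclass
class ContextItem:
    source: str          # where the text came from, e.g. "ticket", "pr_comment"
    text: str            # the retrieved content the agent may act on
    mac: str = ""        # hex HMAC-SHA256 over text; empty for unsigned sources

    def is_authenticated(self) -> bool:
        """True only if the source is on the allowlist and the MAC verifies."""
        key = TRUSTED_SOURCE_KEYS.get(self.source)
        if key is None or not self.mac:
            return False
        expected = hmac.new(key, self.text.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.mac)


def sign(source: str, text: str) -> ContextItem:
    """Produce an authenticated item; used by the trusted source's publisher."""
    mac = hmac.new(TRUSTED_SOURCE_KEYS[source], text.encode(), hashlib.sha256).hexdigest()
    return ContextItem(source, text, mac)


@dataclass
class ToolCall:
    tool: str
    args: dict
    derived_from: ContextItem   # the context item that motivated this call


def gate(call: ToolCall) -> str:
    """Decide 'allow', 'needs_human', or 'deny' before the tool runs."""
    trusted = call.derived_from.is_authenticated()
    if call.tool in HIGH_IMPACT_TOOLS:
        # Instructions from unauthenticated context never drive high-impact
        # actions; even authenticated ones are revalidated by a human.
        return "needs_human" if trusted else "deny"
    # Low-impact calls proceed; untrusted text is treated as data, not policy.
    return "allow"
```

Logging every `deny` together with the offending context item gives responders the retrieval-path evidence the guidance says is usually missing until after the fact.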
Reviewed and updated by the NHIMG editorial team on May 30, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org