A technique that hides malicious instructions inside content an AI assistant automatically reads, such as comments, documentation, logs, or metadata. The model treats the text as part of the task context, which can steer code generation or reasoning without any direct prompt injection from the user.
Expanded Definition
context window poisoning is a form of model manipulation where attacker-controlled text is placed inside material an AI assistant is likely to ingest automatically, such as repository comments, tickets, log files, documentation, or metadata. The malicious text is not submitted as an obvious user prompt, but it still becomes part of the model’s working context and can influence output, tool use, or reasoning.
Unlike direct prompt injection, context window poisoning exploits trust in adjacent content. In agentic systems, this matters because the assistant may read content from multiple sources, merge it into a single context window, and then act on the result. Industry usage is still evolving, and definitions vary across vendors on whether the term includes only malicious instructions or also covertly biased data meant to distort decisions. NIST’s NIST Cybersecurity Framework 2.0 helps frame this as an integrity and governance problem, not just a model safety issue.
The most common misapplication is assuming all harmful model influence must come from the user prompt, which occurs when teams ignore untrusted text already present in connected systems.
Examples and Use Cases
Implementing controls against context window poisoning rigorously often introduces workflow friction, requiring organisations to weigh richer AI-assisted automation against stricter content filtering and source validation.
- Malicious instructions embedded in a pull request comment cause a coding agent to generate insecure code paths or ignore repository policy.
- A poisoned incident ticket contains hidden text that tells the assistant to reveal secrets, bypass review, or prioritise a false remediation step.
- Documentation imported from an external knowledge base includes adversarial wording that steers a support agent toward incorrect operational advice.
- Log lines or telemetry metadata carry hidden directives that influence an AI tool used for analysis, escalation, or automated response.
- A poisoned knowledge article is ingested alongside legitimate content, causing the model to override safer instructions with attacker-supplied guidance.
These scenarios are especially relevant when organisations treat retrieved content as trustworthy by default. The Ultimate Guide to NHIs shows why broad system access is dangerous when service accounts, API keys, and automation pipelines are already highly exposed. For implementation context, the OWASP Top 10 for Large Language Model Applications is a useful external reference point for injection-style risks.
Why It Matters in NHI Security
Context window poisoning is an NHI security issue because non-human identities often have the broadest access in the environment, and an agent acting on poisoned context may use those privileges at machine speed. When an AI assistant can read code, tickets, vault references, or CI/CD logs, a single hidden instruction may trigger credential exposure, unsafe deployment actions, or unauthorized data movement. NHI Mgmt Group notes that Ultimate Guide to NHIs reports 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, underscoring how quickly automation abuse becomes a real incident.
Governance controls should therefore focus on source trust, retrieval boundaries, content sanitisation, and least-privilege tool access. The right question is not only whether the model is safe, but whether the context it consumes has been authenticated, filtered, and segmented well enough to prevent adversarial steering. Organisations typically encounter the impact only after an agent has already leaked data, changed a record, or deployed unsafe output, at which point context window poisoning becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Addresses prompt and context injection risks in agentic AI systems. | |
| OWASP Non-Human Identity Top 10 | NHI-08 | Covers abuse paths where compromised automation contexts drive unauthorized NHI actions. |
| NIST CSF 2.0 | PR.DS-6 | Protects data integrity, which includes content fed into automated decision systems. |
| NIST Zero Trust (SP 800-207) | CA-3 | Requires continuous trust evaluation for sources and transactions inside the architecture. |
| NIST AI RMF | Frames malicious or unreliable inputs as an AI risk that must be identified and monitored. |
Treat retrieved text as untrusted and gate agent actions behind validation and policy checks.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org