Updated · O'Reilly Media · Jun 30
Security Experts Urge Deterministic Checks After 80% LLM Prompt-Injection Exfiltration Rate

Summary

  • Security researchers say enterprises should validate every LLM agent action with external deterministic policy code, arguing the real breach point is execution, not the injected prompt itself.
  • An academic study found a single poisoned email could trigger SSH-key exfiltration in up to 80% of trials without user interaction, while OWASP and NIST now rank prompt injection among AI’s top security risks.
  • A September 2025 Agentforce flaw disclosed by Noma showed the pattern in production: hidden instructions in a Web-to-Lead form later drove CRM data to an attacker-controlled domain that had been re-registered for about $5.
  • The proposed fix is to force consequential actions into typed tool calls and check them against hard rules—such as vendor lists, dollar caps and human-review thresholds—before any API call executes.
  • That architecture shifts AI security toward least-privilege, zero-trust machine identities and auditable capability contracts, on the assumption that models will sometimes be fooled and must be stopped at the action gate.
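As an added illustration of the action-gate pattern the summary describes (not code from the article or from any vendor it names): a Python policy gate that accepts only a typed payment tool call and checks it against a vendor allowlist, a destination-host allowlist, a hard dollar cap and a human-review threshold before the API function is ever invoked. The policy values, host names and sample calls are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse

class Verdict(Enum):
    ALLOW = "allow"    # execute immediately
    REVIEW = "review"  # hold for a human approver
    DENY = "deny"      # never reaches the API

@dataclass(frozen=True)
class PaymentCall:  # typed tool call: only these fields reach the gate, never the model's prose
    vendor: str
    amount_usd: float
    destination_url: str

@dataclass(frozen=True)
class Policy:  # hard rules maintained outside the model
    approved_vendors: frozenset[str]
    allowed_hosts: frozenset[str]
    hard_cap_usd: float
    review_threshold_usd: float

def evaluate(call: PaymentCall, policy: Policy) -> tuple[Verdict, str]:
    """Deterministic checks, most restrictive first; no LLM is consulted here."""
    if call.vendor not in policy.approved_vendors:
        return Verdict.DENY, f"vendor {call.vendor!r} is not on the approved list"
    url = urlparse(call.destination_url)
    if url.scheme != "https" or (url.hostname or "") not in policy.allowed_hosts:
        return Verdict.DENY, f"destination {call.destination_url!r} is not an allow-listed https host"
    if not 0 < call.amount_usd <= policy.hard_cap_usd:
        return Verdict.DENY, f"amount {call.amount_usd} outside (0, {policy.hard_cap_usd}]"
    if call.amount_usd >= policy.review_threshold_usd:
        return Verdict.REVIEW, f"amount {call.amount_usd} meets review threshold {policy.review_threshold_usd}"
    return Verdict.ALLOW, "within policy"

def gate(call: PaymentCall, policy: Policy, api_call, audit: list) -> Verdict:
    """The only path to the API: log the decision, then execute on ALLOW only."""
    verdict, reason = evaluate(call, policy)
    audit.append({"vendor": call.vendor, "amount_usd": call.amount_usd, "verdict": verdict.value, "reason": reason})
    if verdict is Verdict.ALLOW:
        api_call(call)
    return verdict

# Hypothetical policy values and constructed sample calls (not from the article).
POLICY = Policy(frozenset({"acme-supplies", "globex"}), frozenset({"payments.example-bank.invalid"}),
                hard_cap_usd=10_000.0, review_threshold_usd=2_500.0)
INJECTED = PaymentCall("unknown-vendor", 900.0, "https://attacker.example.invalid/pay")  # what a fooled agent might emit
ROUTINE = PaymentCall("acme-supplies", 120.0, "https://payments.example-bank.invalid/v1/pay")
LARGE = PaymentCall("globex", 4_000.0, "https://payments.example-bank.invalid/v1/pay")
```

The audit list is the capability record the last bullet refers to: every proposed action is logged with its verdict and reason, whether or not it ran.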

Insights

With AI now automating cyberattacks, is the race to build security gates for other AIs a losing battle?
The proposed fix for AI is total distrust. What does this mean for the future of truly autonomous systems?

The Escalating Threat of Prompt Injection: Industry Trends, Attack Metrics, and Defense Strategies for LLMs

Overview

Prompt injection has quickly become a major security threat for Large Language Model (LLM) applications, allowing attackers to manipulate AI outputs in ways that appear legitimate to users. This risk is heightened by indirect attacks, such as embedding hidden instructions in URL fragments, which can influence AI behavior without the user's knowledge. LLMs are especially vulnerable because they treat all input—whether instructions or data—as part of the same context, making it hard to distinguish between safe and malicious prompts. As LLMs become more capable and integrated into workflows, their attack surface grows, leading to biased information, altered decisions, and compromised trust.

...