Over the past two years, businesses have been trying to fit large language models (LLM) into support, analytics, development, and internal automation like never before.
Along with the increase in adoption of AI technology, another trend is gaining momentum – cyber criminals are exploiting the gap between perceptions about LLMs and their actual characteristics.
In 2025 and 2026, multiple independent sources have highlighted the same trend: Prompt Injection remains one of the most influential and widely demonstrated attack vectors against LLM systems. The OWASP LLM Top 10 (2025) lists prompt injection as LLM01, identifying it as the most significant category of LLM-specific vulnerabilities for the second consecutive edition. OWASP’s ranking reflects the fact that LLMs still struggle to reliably distinguish instructions from data, making them vulnerable to manipulation through crafted input.
CrowdStrike’s 2026 Global Threat Report – built on frontline intelligence from more than 280 tracked adversaries – documented that threat actors injected malicious signals into legitimate generative AI tools in more than 90 organizations in 2025. The report clearly states: "Indications are new malware." AI-enabled opponents increased their overall attack volume by 89% year-over-year, with quick injections serving as both entry points and force multipliers.
Real-world events reflect operational impact. In August 2024, researchers at PromptArmor disclosed an instant injection vulnerability in Slack AI that allowed an attacker to exfiltrate data from private Slack channels to which they had no access – including API keys shared in private developer channels – by placing a malicious directive in a public channel or embedding it in an uploaded document.
In June 2025, researchers at AIM Security disclosed EchoLeak (CVE-2025-32711, CVSS 9.3), the first documented zero-click prompt injection exploit against production AI systems targeting Microsoft 365 Copilot. By sending a single crafted email, requiring no user interaction, an attacker can cause Copilot to access internal files and transmit their contents to an attacker-controlled server.
Both vulnerabilities were fixed. These incidents underscore the fact that early injection is not a theoretical weakness, but a practical, repeatable threat organizations must address as they deploy AI systems at scale.
Recent years have seen major developments in prompt injection techniques, now targeting multi-agent architectures, retrieval-augmented generation (RAG) pipelines, model routers, and long-term memory capabilities.
EEnterprise Challenge: Too Much Trust
Businesses deploy LLMs to process instructions, summarize information, and trigger automated workflows, but it’s difficult for an LLM to tell:
- Iinstructions from data
-
Iinformation from context
-
Cmetadata to ontext
-
Youser intent from metadata
This creates an opportunity for attackers to directly or indirectly manipulate and influence the behavior of the model.
modern prompt injection
cross-model prompt injection
The use of LLM is a common practice among enterprises. Attackers corrupt the output of a particular model, knowing full well that other models may be processing the content. Therefore, corruption spreads through all AI systems.
RAG supply chain poisoning
AAttackers create malicious information – documentation, blog articles, GitHub READMEs. They then wait until this malicious information reaches enterprises’ RAG pipelines, then use it as an attack vector.
agent kidnapping
AI agents have evolved to the point where they can send emails, modify cloud infrastructure, execute code snippets, and interact with internal corporate systems. Agents need only one instruction to act differently in a harmful way.
Context overflow attack
With the help of the million-token context window, attackers insert malicious code within the document and hope that the LLM will stumble upon it and execute it, thus overriding all previous instructions.
memory poisoning
Due to the implementation of long-term memory in LLMs, attackers can inject instructions that permanently reconfigure their state.
model-router manipulation
Enterprises are increasingly using model routers to choose between multiple LLMs. The attacking craft gives signals that force one to move towards the weakest or least protected model.
Why does this matter to business leaders?
Early injection is not a theoretical problem. It directly affects:
- CCustomer-facing systems (chatbots, support agents)
-
IInternal co-pilot (developer equipment, safety assistant)
-
AAutomation workflows (ticketing, cloud operations, HR processes)
-
DATA Governance (RAG Pipeline, Knowledge Base)
The risk is no longer limited to this "The model said something she shouldn’t have said."
In 2026, prompt injection may:
- Tearigging in unauthorized works
-
levery sensitive data
-
CDisrupting internal workflow
-
mAnalyze Analytics
-
Alater business logic
-
CCompromise multi-agent systems
The attack surface has expanded dramatically.
What should enterprises do now
1. Constrain Model Permissions
Limit what the model can do, not just what it should do.
2. Segment unreliable content
Treat all external data, including RAG sources, as potentially hostile.
3. Monitor Tool Invocation
High-impact actions require human approval.
4. Validate Content Origin
Ensure that RAG pipelines do not ingest toxic foreign materials.
5. Rigid Model Router
Prevent attackers from forcibly rooting vulnerable models.
6. Treat LLMs as untrusted components
This mindset shift is the foundation of modern AI security.
bottom line
Prompt injection is the most effective method for compromising enterprise AI systems because it exploits the fundamental way LLMs interpret text. Unless organizations treat LLMs as untrusted interpreters – not autonomous decision-makers – quick injection will continue to dominate the AI threat landscape.
Julie Brunias is an AI security architect.
<a href