Meet us at Black Hat 2026 →

What Is Prompt Injection? Types, Examples, and How to Stop It

Prompt injection is when hidden instructions hijack an AI's behavior. Here's how it works, the main types, real examples, and how enterprises stop it.

Key Takeaways:

  • Prompt injection is an attack that hides instructions inside text an AI assistant reads, tricking the model into ignoring its real rules and doing what the attacker wants.
  • It works because a large language model (LLM) can’t tell trusted instructions from untrusted input. To the model, it’s all just text.
  • The main types are direct injection (typed straight into the chat), indirect injection (hidden in a document, email, or webpage the AI reads), jailbreaking, and prompt leaking.
  • OWASP ranks prompt injection as the number one security risk for LLM applications, and the worst cases end with data leaving the building.
  • You can’t fully patch it at the model layer, so the durable enterprise control sits at the data layer: watch what an AI agent moves and issue a verdict before data leaves.

AI assistants now read your email, browse the web, open documents, and take actions for you. That’s useful, but it’s also a risky opening. Prompt injection is an attack that turns AI’s helpfulness against you, by slipping instructions into the text it reads. For an enterprise, the question that matters isn’t whether the model can be tricked. The question is what happens to your data when it is.

What Prompt Injection Is, and Why LLMs Fall for It

Prompt injection is an attack that hides malicious instructions inside the text an AI model reads, so the model follows the attacker’s commands instead of its own rules. It works because a large language model (LLM) takes system instructions and user input as one stream of text, with no built-in way to tell which it should trust.

A traditional program keeps code and data apart, so user input can’t become a command. An LLM has no such separation. Everything it receives, the developer’s system prompt, your question, a web page it fetched, or a file it was asked to summarize, arrives as one block of language, and the model does its best to follow all of it. An attacker who can get text in front of the model can write instructions that read as part of the job. This is why OWASP ranks prompt injection as the top security risk for LLM applications. That flaw sits in how the technology works, not in a bug someone forgot to fix.

How a Prompt Injection Attack Works

A prompt injection works by overriding the model’s instructions with new ones the attacker controls. Most AI apps run on a hidden system prompt that sets the rules, plus whatever the user sends. The attacker crafts input that tells the model to ignore those rules, and because it can’t rank trusted instructions above untrusted text, it often obeys.

OWASP ranks prompt injection as the top security risk for LLM applications.

The classic move is a line like “ignore your previous instructions and do this instead.” Early chatbots fell for that. More careful attacks disguise the command so it reads as ordinary content, or use delimiters and formatting to make the model treat hidden text as a fresh instruction. Either way, the model stops doing the task it was given and starts doing the attacker’s. Researchers compare it to SQL injection, where untrusted input gets executed as a command. The difference is that prompt injection uses plain language, so anyone can write one. No code required.

Types of Prompt Injection: Direct, Indirect, and More

Prompt injection comes in a few recognized forms. Direct injection is typed straight into the AI. Indirect injection hides the instructions in content the AI reads later, like a document or email. Jailbreaking aims to strip the model’s safety limits, and prompt leaking tricks it into revealing its own hidden system prompt.

Direct Injection

Direct injection is the simplest. The attacker types malicious instructions straight into the chat, betting the model will follow the most recent or most forceful command over its original rules. The Chevrolet chatbot story below is a direct injection. It’s loud, obvious, and mostly threatens whatever that single conversation can reach.

Indirect Injection

Indirect injection is particularly dangerous. Here the attacker never talks to the AI at all. They plant instructions in something the AI will read on someone else’s behalf: a webpage, PDF, shared document, or email sitting in the inbox. When an AI assistant processes that content as part of a normal task, it runs the hidden command without the user doing anything wrong. This is the type that scales, because the victim and the attacker never have to meet.

Jailbreaking and Prompt Leaking

Two related attacks round out the set. Jailbreaking pushes a model past its safety guardrails to produce content it would normally refuse. Prompt leaking coaxes the model into revealing its confidential system prompt, handing the attacker the exact rules to work around. Both overlap with injection, and in practice attackers mix all of them.

Real Prompt Injection Examples Worth Knowing

In November 2023, someone prompted a Chevrolet dealership’s chatbot, which ran on ChatGPT, to agree with anything a customer said and to treat its replies as binding. He then asked it to sell him a Tahoe for one dollar. It agreed. The dealership didn’t honor the deal, the screenshots went viral, and the lesson came cheap: a public AI tool will follow a confident instruction even when that instruction is absurd. That’s direct injection in its most embarrassing form.

A more serious version arrived in 2025. Researchers at Aim Security disclosed EchoLeak, tracked as CVE-2025-32711, a flaw in Microsoft 365 Copilot. A single crafted email, never opened by the user, could make Copilot read internal files and send their contents to an outside server. No click, download, or malware on the machine. Microsoft patched it and found no sign it had been used in the wild, but the mechanism is the point. That data left because the AI was asked to move it, and nothing in the path was watching the data itself.

The Real Risk: Prompt Injection as a Data-Loss Problem

For an enterprise, the worst outcome of prompt injection has nothing to do with a rude chatbot. The damage is data leaving. As AI agents gain access to email, files, and internal tools, an indirect injection can turn a helpful assistant into an exfiltration channel, reading sensitive data and sending it somewhere it shouldn’t go, inside a normal-looking task.

This is where prompt injection stops being an AI curiosity and becomes a data security problem. EchoLeak showed the shape of it: the attack worked not because the model said something wrong, but because it moved data it should have kept put. That same risk grows with every tool you connect to an AI agent. More access means more that a single poisoned document can reach.

The uncomfortable part for defenders is that you can’t fully fix this at the model layer. OWASP and the researchers behind these disclosures treat prompt injection as a structural property of how these systems read text, not a bug with a permanent patch. You can make it harder. You can’t make it impossible. So the security question turns practical: if the model can be tricked, what stops the data from leaving when it is?

That’s the layer worth building on. When detection reads the intent and context behind every data movement, who’s moving it, what it is, and where it’s going, a hijacked agent trying to ship a file to an unknown destination reads as exactly what it is, an exfiltration attempt to stop. The model got fooled. Your data still didn’t move.

How to Detect and Prevent Prompt Injection

There’s no single switch that stops prompt injection, so defense works in layers. Filter and constrain what goes into the model, limit what the model is allowed to do, test it like an attacker would, and watch the data it can reach. Those first layers reduce the odds. The last one limits the damage.

At the model layer, the standard advice is defense-in-depth. Validate and sanitize inputs, separate trusted instructions from untrusted content where the architecture allows, and constrain outputs so the model can’t be talked into formatting data for exfiltration. Give an AI agent the least access it needs, not the most it could use, so a successful injection reaches less. And red-team the system on a continuous basis, because new bypasses appear faster than fixed rules can catch them.

None of that fully closes the gap, which is why the data layer matters most. The control that holds when the model fails is the one watching the data itself: classify what’s moving in real time, read whether a given movement makes sense for this agent and this task, and block the ones that don’t before anything leaves.

That’s a data loss prevention (DLP) job, rebuilt for a world where the thing moving your data might be an AI acting on someone else’s instructions.

ORION Security is built for that. It reads the intent and context behind every data movement across endpoint, browser, SaaS, email, and AI tools, and issues a verdict before data leaves, whether a person, a script, or a prompt-injected agent is the one moving it. If you want to see what your AI tools are doing with your data, ORION Security will show you, usually in about 30 minutes.

Frequently Asked Questions

What’s the difference between prompt injection and jailbreaking?

They overlap, but the goals differ. Jailbreaking tries to remove a model’s safety limits so it produces banned content. Prompt injection hijacks the model’s instructions to make it serve the attacker, which can include jailbreaking, leaking the system prompt, or moving data. Jailbreaking is about the output. Injection is about control.

Who coined the term prompt injection?

Developer Simon Willison coined the term in 2022, after researchers showed that AI apps would follow instructions hidden in user input. The name stuck because it mirrors SQL injection, an older attack where untrusted input gets run as a command. The flaw existed before it had a name. The name made people take it seriously.

Can prompt injection be stopped completely?

Not at the model layer. Most experts treat it as a structural limit of how language models read text, so the realistic goal is to cut the odds and contain the blast radius. That’s why the strongest defense pairs model-layer hardening with a data-layer control that keeps sensitive data from leaving, even when an AI agent has been tricked.

More articles

We can stop data exfiltration
We can stop data exfiltration
We can stop data exfiltration
We can stop data exfiltration
We can stop data exfiltration
We can stop data exfiltration
Let Us Show You How