Technical description
Audits show prompt injection vulnerabilities present in 73% of production AI deployments; indirect (data-sourced) injection now accounts for >80% of documented enterprise attack attempts. OpenAI has publicly acknowledged that the problem is unlikely to be fully eliminated.
Attack vector
Direct manipulation of the prompt, and indirect injection through poisoned documents, web pages, and tool outputs that agents consume as trusted data.
Affected systems
All LLM-backed applications and agents; particularly critical for agentic AI with broad tool access.
Mitigation
Enforce instruction/data boundaries; sandbox tool invocations; apply least privilege to tool scopes; monitor for behavioural anomalies; red-team continuously.