Over the past two years, businesses have increasingly integrated large language models (LLMs) into areas such as support, analytics, development, and internal automation. This surge in adoption has coincided with a growing trend where cybercriminals exploit misunderstandings about LLMs and their functionalities.
In both 2025 and 2026, multiple independent sources have identified a persistent issue: Prompt injection remains a highly impactful and frequently demonstrated attack vector against LLM systems. According to the OWASP LLM Top 10 (2025), prompt injection is listed as LLM01, marking it as the most critical LLM-specific vulnerability for the second consecutive year. This ranking highlights the ongoing challenges LLMs face in distinguishing instructions from data, making them vulnerable to manipulation.
The 2026 Global Threat Report by CrowdStrike, which is based on intelligence from over 280 tracked adversaries, reveals that in 2025, threat actors injected malicious prompts into legitimate generative AI tools at over 90 organizations. These injections were used to create commands that stole credentials and cryptocurrency. The report bluntly states: “Prompts are the new malware.” The use of AI by adversaries led to an 89% increase in overall attack volume year-over-year, with prompt injection serving as both an entry point and a force multiplier.
Real-world examples demonstrate the operational impact. In August 2024, researchers at PromptArmor uncovered a prompt injection vulnerability in Slack AI, which allowed attackers to extract data from private Slack channels without access, including API keys shared in private developer channels, by placing a malicious instruction in a public channel or embedding it in an uploaded document.
In June 2025, researchers at Aim Security reported EchoLeak (CVE-2025-32711, CVSS 9.3), the first zero-click prompt injection exploit documented against a production AI system, targeting Microsoft 365 Copilot. By sending a single crafted email, without user interaction, an attacker could make Copilot access internal files and send their contents to a server controlled by the attacker.
Both vulnerabilities were patched, underscoring that prompt injection is a tangible, repeatable threat that organizations must address as they scale AI systems. Prompt injection techniques have evolved significantly, now targeting multi-agent architecture, retrieval-augmented generation (RAG) pipelines, model routers, and long-term memory capabilities.
The enterprise challenge: Too much trust
Businesses rely on LLMs to process instructions, summarize information, and initiate automated workflows, but LLMs struggle to distinguish:
-
Instructions from data
-
Information from context
-
Context from metadata
-
User intent from metadata
This difficulty creates opportunities for attackers to manipulate and influence the model’s behavior, either directly or indirectly.
Modern prompt injection
Cross-model prompt injection
In enterprises, LLM use is common. Attackers corrupt the output of one model, knowing that other models processing the content will propagate the corruption across AI systems.
RAG supply chain poisoning
Attackers create malicious content—such as documentation, blog posts, GitHub READMEs—and wait for it to be ingested into enterprises’ RAG pipelines, using it as an attack vector.
Agent hijacking
AI agents have advanced to handle tasks like sending emails, modifying cloud infrastructure, executing code snippets, and interacting with internal systems. A single instruction can cause agents to act in harmful ways.
Context overflow attacks
With large context windows, attackers embed malicious code in documents, hoping an LLM will encounter and execute it, thus overriding previous instructions.
Memory poisoning
With long-term memory in LLMs, attackers can inject instructions that permanently alter the model’s state.
Model-router manipulation
As enterprises use model routers to choose between multiple LLMs, attackers craft prompts to force routing to the weakest or least-guarded model.
Why this matters for business leaders
Prompt injection is a real concern, directly impacting:
-
Customer-facing systems (chatbots, support agents)
-
Internal copilots (developer tools, security assistants)
-
Automation workflows (ticketing, cloud operations, HR processes)
-
Data governance (RAG pipelines, knowledge bases)
The risk extends beyond “the model said something it shouldn’t.” By 2026, prompt injection can:
-
Trigger unauthorized actions
-
Leak sensitive data
-
Corrupt internal workflows
-
Manipulate analytics
-
Alter business logic
-
Compromise multi-agent systems
The attack surface has grown significantly.
What enterprises should do now
1. Constrain model permissions
Restrict what the model can do, beyond what it should do.
2. Segment untrusted content
Treat all external data, including RAG sources, as potentially hostile.
3. Monitor tool invocation
Require human approval for high-impact actions.
4. Validate content provenance
Ensure RAG pipelines do not ingest poisoned external content.
5. Harden model routers
Prevent attackers from forcing routing to weaker models.
6. Treat LLMs as untrusted components
This mindset shift is fundamental to modern AI security.
The bottom line
Prompt injection continues to be the most effective method for compromising enterprise AI systems, as it exploits how LLMs interpret text. Until organizations regard LLMs as untrusted interpreters, rather than autonomous decision-makers, prompt injection will remain a dominant threat in the AI landscape.
Julie Brunias is an AI Security Architect.
