A clear explanation of prompt injection — how attackers manipulate AI systems through crafted inputs — why it is hard to eliminate, and the layered defences enterprises use to contain it.
Prompt injection is an attack in which crafted text causes an AI system to ignore its intended instructions and follow an attacker's instructions instead. It comes in two forms: direct injection, where a user enters malicious instructions, and indirect injection, where the malicious instructions hide inside content the AI retrieves — a document, email or web page. Prompt injection cannot currently be eliminated, because language models read instructions and data in the same text stream and cannot reliably tell them apart. It must instead be contained through layered defences that limit what any successful injection can actually do.
A language model follows instructions written in natural language. That is its core capability — and its core vulnerability. If an attacker can get text in front of the model that says, in effect, "ignore your previous instructions and do this instead," the model may comply, because it has no robust way to distinguish a legitimate instruction from a malicious one embedded in the data it is processing.
This is fundamentally different from traditional software security, where code and data are separate. In AI systems they share one channel, which is why prompt injection is a new and persistent category of risk rather than a bug to be patched.
As organisations connect AI to real tools and data, the consequences of injection escalate. A chatbot that can only talk is a limited target. An AI agent that can read emails, access documents and take actions is a serious one — a successful injection could cause it to exfiltrate data, send unauthorised messages or trigger harmful actions.
The risk grows precisely as the value does. Anthropic's 2026 research shows organisations moving rapidly toward agents that act across multiple systems, and every new capability an agent gains is also a new thing an injection could misuse. For Australian enterprises, an injection that causes an AI to leak personal information engages Privacy Act obligations directly. Treating prompt injection as a core security requirement, not a fringe concern, is now essential.
Defences are layered because no single one is sufficient:
The governing principle is that since you cannot guarantee the model will never be fooled, you design the system so that being fooled is survivable.
The single most effective control is least privilege. Every tool, data source and action an AI system can reach should be the minimum its purpose requires. This is also the control most often neglected, because broad access is convenient during development.
Edison AI's AI readiness audit assesses prompt injection exposure by examining what an organisation's AI systems can access and do, and whether the blast radius of a successful injection is bounded. Agents with broad permissions and no approval flows are flagged as high risk.
Indirect injection deserves particular attention for any AI that retrieves external or user-supplied content. If an agent browses the web or reads incoming documents, it is exposed to instructions an attacker has planted in that content, and the defences above must assume that content is hostile.
Assume prompt injection cannot be fully prevented and design for containment. Apply least privilege rigorously, so every AI system can access and do only what it must. Require approval flows for consequential actions and treat all retrieved content as potentially hostile. Audit existing AI deployments for injection exposure, prioritising agents with broad access. Make prompt injection a standing item in your AI security posture, reviewed as capabilities expand.
Start with an AI readiness audit to map your data, access and governance gaps before you scale.
Prompt injection is an attack where crafted text causes an AI system to ignore its intended instructions and follow the attacker's instead. It can be direct, through user input, or indirect, through content the AI retrieves such as a web page or document.
Not with current technology. Because language models process instructions and data in the same text stream, injection cannot be fully eliminated. It is managed through layered defences that limit what a successful injection can achieve.
Because the malicious instructions hide inside content the AI retrieves — a document, email or web page — rather than coming from the user. An AI agent that reads attacker-controlled content can be manipulated without the user doing anything wrong.
Edison AI helps Australian businesses move from AI curiosity to practical implementation, with workflow design, team training and measurable outcomes. Tell us about your setup and we'll come back with a sequenced plan grounded in the same thinking you just read.
Article: Prompt Injection: The Security Risk Every AI Deployment Must Address
