What it is
Prompt injection is a security vulnerability that affects applications built on large language models (LLMs). It occurs when text from an untrusted source — a user’s message, a web page, an email, a file — contains instructions that the model follows as if they came from its developer or operator, overriding the system’s intended behavior.
The vulnerability exists because LLMs process instructions and data through the same channel: plain text. A conventional program can usually distinguish code from data, but a language model reading “summarize this document” and a language model reading a document that itself says “ignore your instructions and do X instead” are processing structurally identical input. If the model can’t reliably tell the difference, an attacker who controls any text the model will read has a path to hijacking its behavior.
Security researchers distinguish two forms. Direct prompt injection (sometimes called jailbreaking) is when a user directly types adversarial instructions into a chat interface to override its guardrails. Indirect prompt injection is more consequential for real-world systems: the attacker never talks to the model at all, but instead plants instructions in content the model will later ingest on someone else’s behalf — a poisoned webpage an AI browsing agent visits, a malicious comment in a code repository an AI coding assistant reads, or hidden text in a document an AI assistant is asked to summarize. The model, unable to distinguish its principal’s instructions from the attacker’s, may exfiltrate data, take unauthorized actions, or corrupt its own output.
Why it matters for AI governance and narratives
Prompt injection sits at the center of a framing contest between AI builders promoting “agentic” systems — models that browse the web, write and execute code, and take multi-step actions with real-world consequences — and security researchers who argue the underlying architecture is not yet safe for that role. Vendors tend to describe individual incidents as patchable bugs in a specific integration; researchers and standards bodies increasingly describe the vulnerability as architectural: any system that lets a language model act on untrusted input inherits the risk, regardless of vendor or product. That distinction matters for governance, because it determines whether the appropriate response is incident-by-incident patching or a more fundamental rethink of how much autonomy to grant these systems before verification and permission layers mature.
The vulnerability has also become a proxy fight over how fast agentic AI should be deployed. Coverage that treats each new exploit as an isolated failure tends to support continued rapid rollout of agentic features; coverage that treats prompt injection as a persistent, unsolved class of vulnerability tends to support more caution, sandboxing, or regulatory scrutiny before agents are given access to sensitive systems, credentials, or irreversible actions.
Key facts and dates
The underlying issue was identified privately by researchers at the AI safety company Preamble in 2022, who reported it to OpenAI. The term “prompt injection” was coined publicly by developer Simon Willison in a September 12, 2022 blog post, “Prompt injection attacks against GPT-3,” after he and Riley Goodside separately observed the pattern; Willison explicitly likened it to SQL injection — a decades-old class of vulnerability where untrusted input is confused with executable code.
The vulnerability has since been formalized by two major standards bodies. OWASP’s Top 10 for LLM Applications lists Prompt Injection as LLM01, its highest-ranked risk in the 2025 edition, distinguishing direct and indirect variants and cataloguing impacts from data exfiltration to unauthorized plugin or tool use. NIST’s Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2e2025, published March 2025) classifies prompt injection as a formal evasion-attack category and, in its 2025 update, extended the taxonomy specifically to cover autonomous AI agents — including indirect prompt injection, tool supply-chain attacks, and multi-agent abuse scenarios.
As of mid-2026, no vendor or researcher has published a general solution. Willison’s original assessment — that prompt injection is an unsolved problem best managed by awareness, input isolation, and permission restriction rather than eliminated outright — remains the working consensus among security researchers, even as commercial defenses (input filtering, sandboxing, human-in-the-loop approval) proliferate.
Where to learn more
- Prompt injection attacks against GPT-3 — Simon Willison’s original 2022 post coining the term and first framing the SQL-injection analogy
- OWASP LLM01:2025 Prompt Injection — the OWASP Gen AI Security Project’s formal risk definition, attack taxonomy, and mitigations
- NIST AI 100-2e2025: Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations — the U.S. government’s official taxonomy, including 2025 additions covering agentic-AI prompt injection
- OWASP: Prompt Injection (community page) — a concise community-maintained reference distinguishing direct and indirect variants