AI Security Threats Surge: Prompt Injection Ranks as Top Risk for Enterprises

June 29, 2026
  • Defenses are strained because models share a single text channel for instructions and data, limiting input validation and signature-based detection, and adversaries can adapt quickly to bypass even strong defenses.

  • Real-world incidents like PromptArmor in 2024 and EchoLeak in 2025 show zero-click or covert injections were exploited before being patched.

  • Effective enterprise controls must reside outside the model, including restricting agent permissions, requiring human approvals for sensitive actions, tagging data by sensitivity, excluding restricted sources from RAG, allowlisting outbound domains, and maintaining thorough audit and replay capabilities of prompts and tool calls.

  • The attack surface has expanded to the agentic stack, with agents handling email, cloud infrastructure, and code execution, making context, memory, and RAG pipelines vulnerable to poisoned data and persistent malicious instructions.

  • Direct prompt injections can override system prompts, while indirect injections hide malicious instructions in content the model will read later, enabling actions without user awareness.

  • CISOs should ask vendors four concrete questions: detection cadence and retraining of classifiers; published attack success rates for single and multiple attempts; which OWASP/ASI categories are guarded with working controls; and whether security teams can replay exact prompts, retrievals, and tool calls behind consequential agent actions.

  • AI-enabled intrusions rose 89% year over year, with 82% of intrusions involving no traditional malware as enterprises move to agents, copilots, and browser automations with broader access.

  • Industry guidance is shifting, with Gartner and national security bodies urging blocking AI browsers and adopting stronger controls as defenses lag behind attacker capabilities.

  • Prompt injection ranks as the top risk in OWASP Top 10 for LLM apps due to models’ difficulty distinguishing developer instructions from external text.

  • Vendor defenses remain limited; major players acknowledge that prompt injection may never be fully solved, with imperfect defenses and varying success across OpenAI, Anthropic, and Google.

  • Prompt injection attacks surged in 2025, resulting in credential and cryptocurrency theft across more than 90 organizations, underscoring that injected prompts can behave like malware.

  • Bottom line: treat the model as an untrusted component and implement durable, outside-the-model controls to govern agent behavior and risk.
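
The outside-the-model controls listed above (sensitivity-tagged RAG sources, an outbound domain allowlist, human approval for sensitive actions, and a replayable audit trail of tool calls) can be enforced in a small policy gate that sits between the agent and its tools. The code below is an added illustration, not code from the article or any vendor; the domain names, action names, and source tags are constructed placeholders.

```python
"""Policy gate that governs agent tool calls without trusting the model."""
from dataclasses import dataclass
from urllib.parse import urlparse
import time

# Assumed enterprise policy (constructed values, not from the article).
ALLOWED_DOMAINS = {"api.internal.example", "docs.example.com"}
SENSITIVE_ACTIONS = {"send_email", "transfer_funds", "delete_resource"}
RAG_SOURCE_TAGS = {"wiki:handbook": "internal", "share:finance": "restricted", "web:blog": "public"}
SENSITIVITY_ORDER = ["public", "internal", "restricted"]

AUDIT_LOG: list[dict] = []  # every prompt/tool call is recorded so it can be replayed later

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False

def record(event: dict) -> None:
    """Append a timestamped, replayable record of what the agent tried to do."""
    AUDIT_LOG.append({**event, "ts": time.time()})

def filter_rag_sources(sources: list[str], max_level: str = "internal") -> list[str]:
    """Keep only sources at or below the caller's clearance; unknown tags fail closed."""
    limit = SENSITIVITY_ORDER.index(max_level)
    return [s for s in sources
            if SENSITIVITY_ORDER.index(RAG_SOURCE_TAGS.get(s, "restricted")) <= limit]

def gate_tool_call(tool: str, args: dict, approved: bool = False) -> Decision:
    """Decide whether a model-requested tool call may run; the model's text is never trusted."""
    record({"tool": tool, "args": dict(args), "approved": approved})
    if tool == "http_get":  # outbound traffic only to allowlisted hosts (blocks exfiltration)
        host = urlparse(args.get("url", "")).hostname or ""
        if host not in ALLOWED_DOMAINS:
            return Decision(False, f"outbound domain not allowlisted: {host}")
        return Decision(True, "domain allowlisted")
    if tool in SENSITIVE_ACTIONS:  # consequential actions need a human in the loop
        if not approved:
            return Decision(False, "sensitive action requires human approval", needs_approval=True)
        return Decision(True, "approved by human")
    return Decision(True, "low-risk tool")

if __name__ == "__main__":
    print(filter_rag_sources(["wiki:handbook", "share:finance", "web:blog"]))
    print(gate_tool_call("http_get", {"url": "https://attacker.example/collect"}))
    print(gate_tool_call("send_email", {"to": "cfo@example.com"}))
    print(len(AUDIT_LOG), "tool calls recorded for replay")
```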

Summary based on 1 source

