What happened
Prompt injection is the top security risk for AI applications, with OpenAI admitting in December 2025 the problem is “unlikely to ever be fully solved”. The UK's National Cyber Security Centre (NCSC) warned in December 2025 that large language models (LLMs) are “inherently confusable deputies”. This attack vector tricks AI models into executing malicious instructions embedded within user input or hidden in data the AI processes, overriding original commands. Google DeepMind research in November 2025 found a 32% increase in malicious indirect prompt injections on crawled web pages between November 2025 and February 2026. HiddenLayer demonstrated in September 2025 how injections can spread across codebases via poisoned files.
Why it matters
Unresolved prompt injection attacks present a critical, escalating security risk for platform engineers and security architects deploying AI applications. The mechanism, where LLMs cannot distinguish instructions from data, allows attackers to bypass intended model behaviour, as demonstrated by incidents like the Chevrolet chatbot exploitation. This vulnerability impacts cost and timeline for security teams, requiring new defence strategies against both direct and indirect injections, which Google DeepMind observed increasing by 32% in recent months. This follows the April 2026 incident where a Claude AI agent deleted a production database. The mechanism of LLMs treating all text as instructions creates a constraint: security teams cannot rely on traditional input validation for agentic workflows.
