Skip to main content
Menu
AI agent policy gateway blocking indirect prompt injection from external content

AI Security

Indirect Prompt Injection in AI Agents: Risks & Defenses

Table of Contents

What Is Indirect Prompt Injection?

Indirect prompt injection occurs when an AI system reads external content that contains instructions intended to influence the model. The instructions are not typed directly by the current user. They may appear in a web page, email, document, retrieved knowledge entry, tool description, tool result, issue tracker, code repository, or stored memory.

The security problem becomes serious when the application allows the model to turn that content into an action. A model may summarize a page safely, but an agent with email, filesystem, payment, support, cloud, or administrative tools can create real operational impact.

Direct vs Indirect Prompt Injection

Direct prompt injectionIndirect prompt injection
Submitted directly by a userEmbedded in external content
Model sees it as the current promptModel encounters it during normal work
Often visible to the userMay be hidden in a page, file or metadata
Mainly affects the current interactionCan influence tools, memory or future actions

Why AI Agents Increase the Impact

A chatbot can produce an incorrect answer. An agent may browse, retrieve, write, send, delete, approve, schedule, purchase, deploy, or modify permissions. This creates a chain of trust:

External content → model interpretation → plan → tool selection → arguments → external action.

Each step needs an independent control. Prompt filtering alone cannot verify user authorization, resource ownership, business rules, payment limits, destination safety, or whether an irreversible action requires approval.

Where Unsafe Instructions Can Hide

Content sourceDefensive concern
Web pagesVisible or hidden text may influence browsing agents
EmailsMessage content may redirect a workflow or request a sensitive action
Documents and PDFsEmbedded text may be treated as instructions rather than data
Support ticketsUntrusted customer content may reach privileged support tools
RAG documentsRetrieved content may poison answers or decisions
Tool descriptions and resultsMetadata or output may influence tool selection
MCP resourcesExternal servers can supply context and capabilities
Long-term memoryUnsafe content may persist into future sessions
Code repositoriesREADME files, issues and comments may influence coding agents

Indirect Prompt-Injection Evidence Timeline

Framework and research milestones showing why untrusted external content is now a production agent-security boundary.

  1. Framework

    OWASP GenAI Security Project

    OWASP Agentic Top 10 formalized agent risks

    Goal hijacking, tool misuse, memory poisoning and human trust became distinct control areas.

    OWASP framework
  2. Research

    Unit 42

    In-the-wild web-based activity reported

    Unit 42 documented observed techniques and malicious use targeting AI-based review and agent workflows.

    Unit 42 report
  3. Incident

    OWASP GenAI Security Project

    OWASP incident round-up expanded the evidence base

    Recent cases connected tool misuse, identity abuse, memory, supply-chain and agent-control failures.

    OWASP Q1 round-up

Observed In-the-Wild Activity

Unit 42 reported in March 2026 that web-based indirect prompt injection was being used in real activity. The research documented multiple observed techniques and attacker intents. The important defensive conclusion is that external web content is no longer only a theoretical model-safety concern; it is an active application-security boundary.

Organizations should not interpret one report as a complete measurement of global prevalence. Instead, use it as evidence that agent browsing, review, retrieval and tool workflows need production controls now.

Case Study: AI Ad-Review Evasion

One reported case involved malicious instructions hidden in a web page and an AI-based advertising review process as the target. The aim was to influence the review outcome by changing how the AI interpreted the page.

The lesson is broader than advertising: any agent or AI reviewer that consumes untrusted external content must separate data from instructions. The application should not allow page content to redefine policy, disable checks, select privileged tools, or approve the final action.

This article intentionally does not reproduce the hidden instructions, obfuscation patterns, or affected malicious URL.

Seven-Layer Defense Model

LayerControl
ContentClassify all external content as untrusted
RetrievalFilter, scope and permission-check retrieved sources
PromptSeparate trusted instructions from external data
Model outputValidate structured decisions and expected fields
Tool gatewayEnforce user, resource and action policy
ApprovalRequire confirmation for high-impact actions
MonitoringLog, detect, stop and roll back unsafe behavior

Use deterministic controls where possible. A model can help classify content or propose an action, but it should not be the final authority for identity, permission, payment, deletion, privilege or external communication.

RAG, MCP and Memory Considerations

  • RAG: Track source and permissions for every retrieved document. Treat retrieved text as data, not policy.
  • MCP: Review server ownership, tool definitions, schemas, scopes, results and updates. See the MCP Security Guide.
  • Tool poisoning: Treat tool metadata and output as untrusted. See MCP Tool Poisoning.
  • Memory: Isolate users and tenants, limit retention, preserve provenance, and allow review, deletion and quarantine.
  • Approvals: Show the exact action, target, data and external impact before a person confirms.

Indirect Prompt Injection Incident-Response Checklist

  • Disable or restrict affected tools.
  • Preserve prompts, context, retrieved records, tool calls and approvals.
  • Identify the malicious content source and every workflow that consumed it.
  • Review stored summaries and long-term memory.
  • Revoke exposed credentials or tokens.
  • Check downstream systems for actions, messages, records or configuration changes.
  • Remove or quarantine poisoned context.
  • Retest policy, approval and rollback before reconnecting tools.

FAQs

What is indirect prompt injection?
Indirect prompt injection occurs when an AI system encounters unsafe instructions inside external content such as a web page, email, document, retrieved record, tool result, or stored memory.
How is indirect prompt injection different from direct prompt injection?
Direct prompt injection is submitted in the user prompt. Indirect prompt injection is embedded in content the AI system reads while completing another task.
Can a web page attack an AI agent?
A web page can contain text or metadata intended to manipulate an AI system that browses or analyzes it. The application should treat web content as untrusted data and keep authorization outside the model.
Can RAG systems be affected?
Yes. Retrieved documents can contain unsafe instructions or poisoned content, so RAG systems need source controls, permissions, filtering, provenance, and output validation.
Can indirect prompt injection poison agent memory?
Yes. If unsafe content is summarized or stored, it may influence future sessions. Memory should be isolated, source-aware, reviewable, and removable.
How should developers defend AI agents?
Use layered controls across content handling, retrieval, prompt construction, model output, tool gateways, human approval, monitoring, revocation, and rollback.

Summary

Indirect prompt injection turns external content into a security-relevant input. The risk grows when an AI system can use tools, retain memory or take actions. Treat every external source as untrusted, enforce policy outside the model, validate tool calls, require approval for high-impact operations, and design for monitoring, revocation and rollback.

Sources and further reading

Subscribe

Get new cyber security tutorials and ethical hacking posts in your inbox.