Prompt injection has become the primary security threat to enterprise AI, targeting agents, retrieval-augmented generation (RAG) pipelines, model routers and long-term memory.
The OWASP LLM Top 10 (2025) ranks prompt injection as LLM01 and CrowdStrike's 2026 Global Threat Report documented injected prompts at more than 90 organizations in 2025, noting attackers increased AI-enabled attack volume by 89% year-over-year.
"Prompts are the new malware," CrowdStrike's report said.
Real incidents show the risk is practical and repeatable: in August 2024 researchers at PromptArmor disclosed a Slack AI prompt injection that could exfiltrate data from private channels, including API keys, by embedding malicious instructions in public channels or uploaded documents.
In June 2025 researchers at Aim Security disclosed EchoLeak (CVE-2025-32711, CVSS 9.3), a zero-click prompt injection against Microsoft 365 Copilot that could access internal files from a crafted email; both vulnerabilities were patched.
Attack techniques have evolved into cross-model injections, RAG supply-chain poisoning, agent hijacking, context-overflow attacks against million-token windows, memory poisoning and model-router manipulation.
The root problem is design: LLMs struggle to reliably separate instructions from data, context from metadata and user intent from content, creating large trust gaps in automation and analytics pipelines.
Security teams should constrain model permissions; segment and treat external content as untrusted; require human approval for high-impact tool invocation; validate RAG provenance; harden model routers; and adopt a posture that treats LLMs as untrusted interpreters.
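The controls above, and the design gap described just before them, come down to enforcing trust boundaries outside the model rather than hoping the model separates instructions from data on its own. The following is an added example, not code from the article or from any of the vendors it names: a small Python policy layer that grants an agent only an explicit tool subset (least privilege), requires a recorded human approval for high-impact tools that is bound to the exact arguments of the call, checks retrieved RAG chunks against a source allowlist and an ingestion-time digest, and labels whatever survives as untrusted data before it reaches the prompt. The tool names, source identifiers, allowlist and sample chunks are all hypothetical and constructed for the illustration.

```python
"""Least-privilege tool gate and RAG provenance check for an LLM agent.

Added illustration: the tool registry, source names and approver flow are
hypothetical and constructed for this example, not taken from any product.
"""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json


class Risk(Enum):
    LOW = "low"    # read-only and reversible
    HIGH = "high"  # sends data out or changes state: needs a human


# Hypothetical tool registry; each agent is granted only a subset of it.
TOOL_RISK = {
    "search_docs": Risk.LOW,
    "read_calendar": Risk.LOW,
    "send_email": Risk.HIGH,
    "delete_file": Risk.HIGH,
}


@dataclass
class Decision:
    action: str  # "allow" | "needs_approval" | "deny"
    reason: str


@dataclass
class ToolGate:
    """Enforces per-agent permissions and human sign-off on high-impact tools.

    Approval is keyed on the tool name plus a canonical hash of the arguments,
    so an approved call cannot be replayed with different arguments.
    """
    permitted: frozenset
    approvals: set = field(default_factory=set)

    @staticmethod
    def _key(tool: str, args: dict) -> tuple:
        canon = json.dumps(args, sort_keys=True, separators=(",", ":"))
        return (tool, hashlib.sha256(canon.encode()).hexdigest())

    def approve(self, tool: str, args: dict) -> None:
        """A human reviewer approves exactly this call (tool + these arguments)."""
        self.approvals.add(self._key(tool, args))

    def authorize(self, tool: str, args: dict) -> Decision:
        """Decide on a model-requested tool call; the model never bypasses this."""
        if tool not in TOOL_RISK:
            return Decision("deny", f"unknown tool {tool!r}")
        if tool not in self.permitted:
            return Decision("deny", f"{tool!r} is outside this agent's permission set")
        if TOOL_RISK[tool] is Risk.HIGH and self._key(tool, args) not in self.approvals:
            return Decision("needs_approval", f"{tool!r} is high-impact; human approval required")
        return Decision("allow", "within policy")


@dataclass
class Chunk:
    text: str
    source: str  # index or location the chunk was retrieved from
    digest: str  # sha256 of the text recorded when the document was ingested


# Constructed allowlist of retrieval sources the pipeline is willing to trust.
TRUSTED_SOURCES = frozenset({"kb://hr-policies", "kb://engineering-wiki"})


def validate_provenance(chunks, trusted=TRUSTED_SOURCES):
    """Keep chunks from allowlisted sources whose text still matches the
    ingestion digest; drop and record everything else for the SOC to review."""
    kept, rejected = [], []
    for c in chunks:
        actual = hashlib.sha256(c.text.encode()).hexdigest()
        if c.source not in trusted:
            rejected.append((c.source, "untrusted source"))
        elif actual != c.digest:
            rejected.append((c.source, "content changed since ingestion"))
        else:
            kept.append(c)
    return kept, rejected


def wrap_untrusted(chunks) -> str:
    """Label retrieved text as data, not instructions, before it enters the prompt.
    This is a labelling aid only; the ToolGate above is the actual enforcement."""
    return "\n".join(
        f"<document source={c.source!r} trust='untrusted-data'>\n{c.text}\n</document>"
        for c in chunks
    )


def demo():
    """Runs the two checks over constructed input and returns the outcomes."""
    good = "Expense reports are due on the 5th of each month."  # constructed
    chunks = [
        Chunk(good, "kb://hr-policies", hashlib.sha256(good.encode()).hexdigest()),
        Chunk("Pasted from a public channel.", "public://shared-uploads", "0" * 64),
    ]
    kept, rejected = validate_provenance(chunks)
    gate = ToolGate(permitted=frozenset({"search_docs", "send_email"}))
    mail = {"to": "reviewer@example.com"}  # constructed argument
    results = {
        "search": gate.authorize("search_docs", {"q": "expense policy"}).action,
        "email_unapproved": gate.authorize("send_email", mail).action,
        "delete": gate.authorize("delete_file", {"path": "/tmp/a"}).action,
    }
    gate.approve("send_email", mail)  # human signs off on this exact call
    results["email_approved"] = gate.authorize("send_email", mail).action
    return len(kept), len(rejected), results


if __name__ == "__main__":
    print(demo())
```

The gate runs regardless of what any retrieved document said: a `send_email` request the model emits after reading injected text still lands in `needs_approval` until a person approves that exact recipient and body, and `delete_file` is denied outright because it was never granted to this agent. The provenance check rejects the public-channel chunk before the model ever sees it, which is the same trust boundary the Slack AI and EchoLeak incidents above crossed. Binding approval to a hash of the arguments matters in practice, since a reviewer who approves "send the summary to a colleague" should not implicitly approve the same tool with a different recipient.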
Until organizations adopt those controls, prompt injection will remain the most effective way to compromise enterprise AI systems.