Prompt injection is exploiting enterprise AI’s biggest design flaws by targeting agents, RAG pipelines and model routers

In the past two years, businesses have been trying to fit large language models (LLMs) into support, analytics, development, and internal automation like never before.

Along with the increasing adoption of AI technology, another trend is gaining momentum — cybercriminals are taking advantage of the disconnect between assumptions about LLMs and their actual characteristics.

In 2025 and 2026, several independent sources have highlighted the same trend: Prompt injection remains one of the most impactful and widely demonstrated attack vectors against LLM systems. The OWASP LLM Top 10 (2025) lists prompt injection as LLM01, identifying it as the most critical category of LLM‑specific vulnerabilities, for the second consecutive edition. OWASP’s ranking reflects the fact that LLMs still struggle to reliably separate instructions from data, making them susceptible to manipulation through crafted inputs.

CrowdStrike’s 2026 Global Threat Report — built on frontline intelligence across more than 280 tracked adversaries — documented that threat actors injected malicious prompts into legitimate generative AI tools at more than 90 organizations in 2025. They then used those injections to generate commands that stole credentials and cryptocurrency. The report stated it plainly: “Prompts are the new malware.” AI-enabled adversaries increased their overall attack volume by 89% year-over-year, with prompt injection working as both an entry point and a force multiplier.

Real‑world incidents illustrate the operational impact. In August 2024, researchers at PromptArmor disclosed a prompt injection vulnerability in Slack AI that allowed an attacker to exfiltrate data from private Slack channels they had no access to — including API keys shared in private developer channels — by placing a malicious instruction in a public channel or embedding it in an uploaded document.

In June 2025, researchers at Aim Security disclosed EchoLeak (CVE-2025-32711, CVSS 9.3), the first documented zero-click prompt injection exploit against a production AI system, targeting Microsoft 365 Copilot. By sending a single crafted email, no user interaction required, an attacker could cause Copilot to access internal files and transmit their contents to an attacker-controlled server.

Both vulnerabilities were patched. These incidents underscore the fact that prompt injection is not a theoretical weakness but a practical, repeatable threat organizations must address as they deploy AI systems at scale.

Prompt injection techniques have undergone major evolutions over recent years, now targeting multi-agent architecture, retrieval-augmented generation (RAG) pipelines, model routers, and long-term memory capabilities.

The enterprise challenge: Too much trust

Businesses deploy LLMs to process instructions, summarize information, and trigger automated workflows, but it is difficult for LLMs to tell:

  • Instructions from data

  • Information from context

  • Context from metadata

  • User intent from metadata

This creates an opportunity for attackers to manipulate and influence the model’s behavior, either directly or indirectly.

Modern prompt injection

Cross-model prompt injection

LLM use is a common practice among enterprises. Attackers corrupt the output of a particular model, knowing well that other models would be processing the content. Hence, the corruption propagates through all AI systems.

RAG supply chain poisoning

Attackers create malicious information — documentation, blog articles, GitHub READMEs. Then they wait until this malicious information is ingested in enterprises’ RAG pipelines, then use it as an attack vector.

Agent hijacking

AI agents have evolved to the point where they can send emails, modify cloud infrastructure, execute code snippets, and interact with internal corporate systems. It takes just a single instruction to make agents act differently in a harmful manner.

Context overflow attacks

With the help of million-token context windows, attackers place malicious code within the document and hope that an LLM will stumble upon it and execute it, thus overriding all previous instructions.

Memory poisoning

Due to the implementation of long-term memory in LLMs, attackers can inject instructions that permanently reconfigure their state.

Model‑router manipulation

Enterprises increasingly use model routers to select between multiple LLMs. Attackers craft prompts that force routing to the weakest or least‑guarded model.

Why this matters for business leaders

Prompt injection is not a theoretical problem. It directly affects:

  • Customer‑facing systems (chatbots, support agents)

  • Internal copilots (developer tools, security assistants)

  • Automation workflows (ticketing, cloud operations, HR processes)

  • Data governance (RAG pipelines, knowledge bases)

The risk is no longer limited to “the model said something it shouldn’t.”

In 2026, prompt injection can:

  • Trigger unauthorized actions

  • Leak sensitive data

  • Corrupt internal workflows

  • Manipulate analytics

  • Alter business logic

  • Compromise multi‑agent systems

The attack surface has expanded dramatically.

What enterprises should do now

1. Constrain model permissions

Limit what the model can do, not just what it should do.

2. Segment untrusted content

Treat all external data — including RAG sources — as potentially hostile.

3. Monitor tool invocation

Require human approval for high‑impact actions.

4. Validate content provenance

Ensure RAG pipelines don’t ingest poisoned external content.

5. Harden model routers

Prevent attackers from forcing routing to weaker models.

6. Treat LLMs as untrusted components

This mindset shift is the foundation of modern AI security.

The bottom line

Prompt injection remains the most effective way to compromise enterprise AI systems because it exploits the fundamental way LLMs interpret text. Until organizations treat LLMs as untrusted interpreters — not autonomous decision‑makers — prompt injection will continue to dominate the AI threat landscape.

Julie Brunias is an AI Security Architect.

Watch out — that income tax form could actually be dangerous malware
Watch out — that income tax form could actually be dangerous malware

Researchers uncovered a fake tax notice campaign that delivered remote-access malware via staged downloads and encrypted communications.

GTA VI fans beware — experts warn ‘a new wave of scam websites’ is offering early access, but just stealing your bank details instead
GTA VI fans beware — experts warn ‘a new wave of scam websites’ is offering early access, but just stealing your bank details instead

Cybercriminals are exploiting GTA VI anticipation with fake beta programmes designed to steal money, credentials, and personal information.

Security News This Week: LastPass Users Had Their Data Stolen—Again

Plus: Former national security advisor John Bolton pleads guilty in classified-materials case, Microsoft helps take down major infostealer infrastructure, and more.

NAIC confirms data breach with ShinyHunters claiming 3.1TB of data stolen in Oracle zero-day attack

Insurer regulatory filing documents, customer bulk orders, and more, stolen in a major zero-day supply chain attack

Autonomous security agents need complete data. Here’s how to check if yours is ready.

An endpoint agent cannot report its own absence. The 2026 Axonius Actionability Report, conducted with the Ponemon Institute and surveying 662 IT and security professionals, put a number on a gap SOC teams have worked around for years. Across the Axonius customer base, 12.7% of devices in a 298,000-device median inventory are missing their expected security agent.

If a device has no agent, no management console shows it. If a CMDB record is stale, no reconciliation flags it. An employee who installed Claude Enterprise outside procurement created a SaaS workspace, identity surface, and API-token footprint that endpoint telemetry alone will not reliably inventory. The coverage percentage on the EDR dashboard is structurally incomplete because the reporting mechanism cannot see what it does not cover.

That gap matters more now than it did six months ago. SOC and XDR vendors are pushing more autonomous investigation and remediation into production. Those agents will query the same dashboards, trust the same coverage percentages, and act on the same blind spots human analysts learned to work around. A human analyst second-guesses a 98% coverage number. An autonomous agent treats it as ground truth and moves at machine speed.

Three independent signals converged on the same gap

Gravitee’s 2026 survey of 900-plus executives found 88% reported confirmed or suspected AI-related incidents, and only 14.4% sent agents live with full security approval. The Axonius/Ponemon report found 52% of respondents would let autonomous agents act on recommendations — while 63% said the underlying data lacks important information. The CSA’s Agentic Trust Framework requires verified data governance before agents act on any finding.

Mike Riemer, Field CISO at Ivanti, said that known vulnerabilities on Azure’s honeypot networks are now attacked in under 90 seconds. “Traditional security measures continue to work,” Riemer told VentureBeat.

The caveat is that those measures only protect what they can see. An EDR agent deployed across 87.3% of the device inventory leaves the remaining 12.7% outside that agent’s telemetry, policy enforcement, and detection logic.

Exclusive deployment data quantifies the scale

Joe Diamond, CEO of Axonius, told VentureBeat that the average CISO sees roughly 50% of what is actually on the network. “Say 50% of their environment is sitting in dark matter,” Diamond said. “They don’t know what it is, or where it is, or who has access to it, if it’s secure, if it’s not secure.”

Deployment data from more than 900 Axonius customers confirms those numbers. TransUnion went from 70% to 99% endpoint coverage after out-of-band verification. Western Union went from 85% to 99% by consolidating data from 38 tools and cutting manual workload by half. Lumen discovered 1.1 million assets, where the CMDB showed 17,000. That translates to roughly 37,000 unmanaged endpoints per organization sitting outside every policy, every patch cycle, and every detection rule.

Diamond pointed to Mythos, Anthropic’s frontier reasoning model, as a sign that machine-speed offensive capability will make any unknown asset far riskier than it is today. “People tend to have shiny object syndrome,” he said. “If you didn’t understand what 50% of your environment looked like from a traditional endpoint perspective, and you think you’re going to wind sprint to granular control and governance of AI, your program will fail.” Diamond called the broader AI shift “as big, if not bigger than the internet.”

Three approaches compete to close the gap

No single architecture solves the visibility problem today. Three approaches compete, each with named tradeoffs security teams should evaluate before procurement.

A dedicated integration layer uses bidirectional API adapters to build an always-current inventory. Axonius runs 1,400-plus adapters and now discovers shadow Claude Enterprise installations via its Anthropic adapter (GA June 15). “We created a bidirectional API integration with all the IT systems and all the security controls to build an always up-to-date inventory of what the environment looks like,” Diamond told VentureBeat.

Platform-native EDR and XDR intelligence builds richer asset context inside the agent footprint. Depth within the agent footprint is the advantage. The limitation is structural. Platform-native intelligence is bounded by what the agent can see, and the gap the Ponemon report identified lives precisely where that visibility ends.

CMDB modernization requires continuous reconciliation against three or more independent telemetry sources. Only 13% of organizations reconcile daily, according to Axonius/Ponemon data. The remaining 87% operate on stale records that feed incorrect prioritization into any automated remediation pipeline.

EDR data readiness: Five gates before autonomous remediation

Before you let autonomous SOC agents close tickets or quarantine assets, this checklist tells you whether your EDR and asset data is solid enough to trust. It is vendor-agnostic, works with any EDR and CMDB, and gives you five pass/fail gates you can run in a single working session.

Risk Area

What the data shows

Readiness threshold

Action to take now

Asset inventory delta

Ponemon: only 45% consolidate into a single view. Forrester TEI: 150% more assets than previously identified. Lumen: 17K in CMDB vs. 1.1M discovered.

Delta ≤10% between discovery, CMDB, and EDR agent count. Delta above 10% blocks automated remediation until reconciled.

Run API-based discovery against all segments. Diff against CMDB and EDR console count. Reconcile quarterly minimum.

Unmanaged AI services

Gravitee: 88% confirmed or suspected AI incidents. Only 14.4% with full security approval. Anthropic adapter (GA June 15) discovers unmanaged Claude Enterprise installations.

No high-risk AI services outside approved procurement. Weekly SaaS discovery scans. Unmanaged high-risk instances trigger IR triage before exception review.

Deploy SaaS discovery or protocol-level adapters for AI service detection. Automate weekly scans. Route unmanaged instances to IR queue.

CMDB record accuracy

Ponemon: only 13% reconcile daily (RSAC 2026). Brooks Running: 20% server discrepancy between console and independent discovery. Top remediation barriers: unclear prioritization, unclear ownership, inconsistent data.

≥85% of records validated against 3+ independent telemetry sources. No stale or orphaned records in active remediation queue.

Cross-reference CMDB against cloud inventory, EDR telemetry, and IdP directory. Continuous reconciliation replaces annual audit cycles.

Endpoint agent coverage gap

Ponemon: an agent cannot report its own absence (p. 8). TransUnion: 70% to 99% after out-of-band verification. RSAC 2026: 12.7% of 298K median devices missing expected agent.

≥95% agent coverage verified via out-of-band discovery. Many CISOs set this as the minimum before allowing autonomous remediation. No self-reported-only metrics in board reports.

Run network-based or API-driven discovery against managed device list. Coverage below 95% blocks automated remediation scoping.

Asset ownership mapping

Ponemon: 32% apply tags consistently. Only 51% assign ownership on new exposures (pp. 9, 16). TransUnion: 12K to 190K assets with ownership mapped.

Owner assigned within 24 hours. Tags consistent across cloud, EDR, CMDB. Three systems showing three owners = failure.

Automate ownership via cloud tags, IdP group membership, or CMDB metadata. Map asset, remediation, and business owner as separate fields.

Five questions to ask before allowing autonomous SOC action

  1. What independently verifies endpoint-agent coverage outside the EDR console?

  2. How does the SOC reconcile conflicts between EDR, CMDB, cloud inventory, IdP, and discovery tools?

  3. Can AI agents act on assets with unknown or disputed ownership?

  4. Can the system distinguish “not vulnerable” from “not visible”?

  5. What data-quality gate blocks autonomous remediation when coverage or ownership falls below threshold?

Board-ready risk framing

Kayne McGladrey, IEEE Senior Member, has confirmed the pattern across multiple published VentureBeat interviews. The structural gap in self-reported coverage is not new. What is new is that autonomous agents will act on it at machine speed without the institutional workarounds human analysts developed over years of experience. Diamond put the board-level stakes plainly in an April 2026 press statement: “Findings pile up because the data isn’t trusted, ownership isn’t clear, and entire asset classes aren’t even in the picture.”

The CSA’s Agentic Trust Framework requires that any agent promoted to a higher autonomy level must pass five gates, including demonstrated accuracy and a security audit. The EU AI Act’s Article 50 transparency obligations take effect August 2, 2026. The May 2026 Digital Omnibus pushed high-risk system obligations to December 2027, but organizations deploying agentic SOC agents on incomplete asset data face immediate operational risk that outpaces any regulatory timeline.

The board-ready sentence: Our EDR coverage reports are structurally incomplete because an endpoint agent cannot report its own absence, and we are verifying coverage through out-of-band discovery before deploying autonomous agents that would act on those reports at machine speed.

Security director playbook

  1. Run out-of-band asset discovery this week. Compare results against your CMDB export and EDR console count. If the delta exceeds 10%, halt automated remediation scoping until the gap is reconciled.

  2. Deploy SaaS discovery for AI services. Employees install AI ahead of procurement, ahead of security. Weekly scans are the minimum. Route any unmanaged high-risk instance to your incident response queue for triage before exception review.

  3. Map asset ownership to remediation responsibility. Ponemon found only 32% of organizations apply tags consistently. If three systems show three different owners for the same asset, automated remediation has no routing target. Fix the ownership layer before deploying agents that depend on it.

  4. Kill self-reported-only coverage metrics. Any risk calculation or board report that relies on EDR console-reported coverage alone is built on data the reporting system cannot verify. Require out-of-band verification for every coverage number that informs a risk decision.

Russian hackers were behind $2.5 billion hack of Jaguar Land Rover: Report

The hack on car giant Jaguar Land Rover last year was one the most disrupting, damaging, and costly hacks of the last few years.

The Pentagon Is Looking Into the Dialog Data Exposure for Unmasking National Security Officials

Exposed records from the private group included the personal information of a senior White House intelligence official and an active-duty special operations officer.