Prompt injection is exploiting enterprise AI's biggest design flaws by targeting agents, RAG pipelines and model routers

In the past two years, there has been a significant increase in the adoption of large language models (LLMs) by businesses for various purposes such as support, analytics, development, and internal automation. However, along with the rise of AI technology, cybercriminals have been quick to exploit the vulnerabilities present in LLM systems. Prompt injection has emerged as one of the most prevalent and impactful attack vectors against LLM systems, as highlighted by various sources.

The OWASP LLM Top 10 (2025) identifies prompt injection as the most critical vulnerability category for LLM-specific vulnerabilities. CrowdStrike’s 2026 Global Threat Report documented that threat actors injected malicious prompts into legitimate generative AI tools at over 90 organizations in 2025, using them to steal credentials and cryptocurrency. Prompt injection has been described as “the new malware” due to its effectiveness as both an entry point and a force multiplier for cybercriminals.

Real-world incidents have demonstrated the operational impact of prompt injection vulnerabilities. In one instance, a prompt injection vulnerability in Slack AI allowed attackers to exfiltrate data from private channels by placing a malicious instruction in a public channel or embedded document. Another exploit, dubbed EchoLeak, targeted Microsoft 365 Copilot through a zero-click prompt injection, allowing attackers to access internal files and transmit their contents to a malicious server.

Prompt injection techniques have evolved to target multi-agent architecture, retrieval-augmented generation (RAG) pipelines, model routers, and long-term memory capabilities. Enterprises face the challenge of trusting LLMs to process instructions accurately, leading to opportunities for attackers to manipulate the model’s behavior.

Modern prompt injection techniques include cross-model prompt injection, RAG supply chain poisoning, agent hijacking, context overflow attacks, memory poisoning, and model-router manipulation. These techniques pose a significant threat to businesses that rely on LLMs for customer-facing systems, internal copilots, automation workflows, and data governance.

To mitigate the risks posed by prompt injection, business leaders should take proactive steps such as constraining model permissions, segmenting untrusted content, monitoring tool invocation, validating content provenance, hardening model routers, and treating LLMs as untrusted components. By adopting a security-first mindset and implementing robust security measures, enterprises can protect their AI systems from prompt injection attacks.

In conclusion, prompt injection remains a prevalent threat to enterprise AI systems, exploiting the fundamental way LLMs interpret text. It is essential for organizations to treat LLMs as untrusted interpreters and implement stringent security measures to safeguard against prompt injection attacks. By staying vigilant and proactive, businesses can protect their AI systems and data from malicious actors in an increasingly complex threat landscape.