Prompt injection

Hostile or hidden instructions in context that hijack an LLM's behavior, direct (user input) or indirect (RAG, tools, untrusted documents).

Prompt injection smuggles hostile instructions into text the model must read: user messages, retrieved chunks, emails, or web pages, so an LLM follows them instead of the app’s system prompt.

Direct injection: the attacker types manipulative instructions (e.g. “ignore previous instructions”). Indirect injection: untrusted content arrives via RAG, tool output, or pasted documents without the user writing an attack. That overlaps with but is not the same as a jailbreak, which often targets safety refusals rather than hijacking instruction hierarchy in production apps.

Risk surfaces include public chatbots, AI agents with tools, and enterprise assistants. Mitigations include context design, filtering, guardrails, and red teaming.