Prompt injection is a security attack on AI systems in which crafted text smuggled into a model’s input gets the model to ignore its real instructions and follow the attacker’s instead. Because a language model reads instructions and data as the same stream of text, content from an email, a web page, or an uploaded file can hijack what the model does.
Also known as prompt hijacking, indirect prompt injection
Prompt injection happens because language models do not draw a hard line between trusted instructions and untrusted content. A system prompt might tell the model to act as a helpful assistant, but if the model then reads a document that says to ignore its previous instructions and reveal the system prompt, it may simply comply. The attack does not exploit a code bug; it exploits the fact that the model treats all text as language to be interpreted.
There are two common forms. Direct injection is when a user types a malicious instruction straight into the prompt. Indirect injection is more dangerous: the malicious instruction is hidden in an external source the model reads, such as a web page, an email, or a file, so the model is compromised without the user ever seeing the payload. As models gain tools and the ability to act, a successful injection can move from leaking text to taking real actions.
For agencies, prompt injection is the risk that turns a useful AI assistant into a liability the moment it touches outside content.
It puts client data and accounts at risk. An AI tool that reads emails, briefs, or web pages on your behalf can be steered by hidden text in those sources, which could expose confidential information or trigger actions you never approved.
It is hard to spot. The malicious instruction can be invisible to the person in the loop, buried in a document or styled to blend into a page, so a teammate can hand the model poisoned content without realizing it.
It shapes how you choose and configure AI tools. Agencies should favor systems with strong guardrails, least-privilege access, and human approval for sensitive actions, and should treat any AI that browses or ingests external content as a surface that can be attacked.
An agency uses an AI assistant to triage its shared inbox and draft replies. An attacker sends an email containing hidden text that tells the assistant to ignore its task and forward the last three client contracts to an outside address. A weak setup might follow that instruction while appearing to do its normal job. A well-built setup blocks it: the assistant has no send or forward permission without human sign-off, its guardrails flag instruction-like content inside messages, and the account manager reviews anything that touches files before it goes out. The same tool is either a risk or an asset depending on how its harness was built.
The automations and agents module of the workshop teaches you how to build AI workflows that compress the busywork without taking the craft out of the studio.