Prompt injection

Affected tools

• AI chat tools
• AI copilots
• Browser-based AI agents
• RAG-enabled assistants

How it usually happens in the browser

• A user pastes untrusted content (web pages, emails, tickets) into an AI tool and asks it to summarize or act.
• The untrusted content contains hidden instructions (“ignore previous instructions”, “exfiltrate secrets”).
• An AI agent with tool access (browser, email, docs) follows the injected instructions.
• The model leaks data, performs unsafe actions, or generates outputs that cause users to take risky steps.
• Attackers iterate quickly because prompt injection is cheap and hard to detect perfectly.

What traditional defenses miss

• Classic input validation isn’t designed for natural-language instruction attacks.
• Users assume “summarize this page” is safe, even when the page is adversarial.
• Security tooling often doesn’t track the chain: untrusted web content → prompt → model output → user action.
• Agents with tool access amplify risk because injected instructions can trigger real actions.

Mitigation checklist

• Treat all external content as untrusted input to AI systems; use strong system prompts and guardrails.
• Constrain tools and permissions: least privilege for agents (what they can read/write/click).
• Separate data and instructions: label sources, isolate retrieval results, and sanitize/strip hidden text where possible.
• Add human confirmation for high-risk actions and prevent models from directly executing sensitive operations.
• Monitor and test: run prompt-injection red-teaming against your most used AI workflows.

How isolation helps

• Isolation can reduce risk from untrusted web content by running pages in isolated containers and limiting what reaches the endpoint environment.
• When teams browse unknown sites to “feed” content into AI tools, isolation reduces exposure to drive-by threats and malicious downloads.
• Isolation complements AI guardrails by reducing the overall browser attack surface in prompt-heavy workflows.

FAQs.