// Generative Ai Tools

Prompt Injection is Already Inside: How Enterprises Can Secure GenAI Pipelines

August 18, 2025

min read

Introduction

This is some text inside of a div block.

Prompt injection has surged to the top of the OWASP GenAI Top 10 for 2025, becoming the defining threat vector for CISOs navigating LLM deployments across banking, healthcare, and enterprise SaaS. These attacks bypass traditional IT defenses not by targeting infrastructure, but by hijacking how LLMs interpret instructions.

In enterprise environments, where copilots, RAG-based workflows, and autonomous agents have access to sensitive systems and records, prompt injection isn't a theoretical risk. It's a regulatory, reputational, and operational threat, one that requires a new approach to runtime controls, red teaming, and AI governance.

‍

What is Prompt Injection?

Prompt injection occurs when attackers insert crafted instructions into LLM input streams, causing unintended behaviors. As highlighted in the Lakera prompt injection guide, these inputs often override internal prompts, leak secrets, or initiate actions.

Two main types of injection dominate:

Direct injection: User explicitly tells the model to bypass prior instructions.
Indirect injection: Instructions are hidden inside external content, documents, emails, URLs, or RAG indexes, which are later processed by the model.

Consequences include:

System prompt disclosure
Unauthorized data access or generation
Inaccurate or manipulated outputs
Tool misuse, sending emails, initiating workflows, or changing records

A deep dive from FireTail shows that even basic prompt overrides remain effective against many commercial LLM systems.

‍

Enterprise Incidents: From Copilots to Compliance Violations

Prompt injection has breached the enterprise perimeter in multiple real-world incidents:

EchoLeak / Microsoft 365 Copilot: Malicious instructions embedded in emails were silently parsed by Copilot, causing zero-click data leaks. This case, tracked as CVE-2025-32711, exemplifies the dangers of non-sanitized input streams.
GitLab Duo Exploit: Attackers inserted injection payloads into merge request comments. As described by CalypsoAI, this exposed private source code and triggered unintentional output delivery.
Banking RAG Agents: Customer queries laced with hidden prompts tricked chatbots into leaking account data, despite existing RBAC. Promptfoo’s RAG red teaming guide outlines similar test scenarios.
Healthcare Bots: Virtual assistants generated treatment advice and revealed PHI after ingesting maliciously crafted intake notes, resulting in HIPAA action.

Each case underscores how attacker creativity evolves faster than enterprise AI security maturity.

How Attacks Work: Prompt Injection Vectors in 2025

As detailed in the Pangea threat study, prompt injection is no longer limited to textual commands. Key attack vectors include:

Instruction Overrides: Classic commands like "Ignore all previous instructions" still bypass logic gates in some models.
Encoded and Multilingual Payloads: Using invisible characters, unicode, or foreign scripts to slip past filters.
Hybrid Agentic Exploits: Prompts that cascade through agent workflows, e.g., sending unauthorized files via API, highlighted in hybrid attack research.
Cross-Modal Attacks: Hidden instructions inside PDFs or images, now interpretable by multimodal models.
Index Poisoning in RAG: Attackers seed RAG databases with hostile text, manipulating downstream outputs, a growing concern flagged by TechDemocracy.

‍

EchoLeak: The Zero-Click Breach

One of the most alarming incidents to date is EchoLeak. The vulnerability emerged from how Microsoft 365 Copilot parsed email content via RAG. A malicious actor embedded stealth instructions in a plain-text email. No clicks. No attachments. Just ingestion.

When Copilot interpreted the email, the instructions activated silently, exfiltrating sensitive content. This case has now been cited across OWASP and industry papers as the first “zero-click prompt injection” exploit in production enterprise software.

Watch: EchoLeak Breakdown , How Silent Prompt Injection Works

Add Video

Prompt Injection Readiness Checklist for Enterprises

Readiness Area	Quick Self-Check
RAG Data Hygiene	Are RAG sources labeled as trusted vs. untrusted? Is ingestion validated regularly?
Prompt Engineering Governance	Do teams use prompt templates with role-specific boundaries and policies?
Multimodal Input Controls	Can your system detect prompts hidden in PDFs, images, or multilingual text?
Vendor Risk Management	Are third-party LLM integrations evaluated for prompt injection exposure?
Incident Response Plans	Do you have a playbook for prompt injection detection, rollback, and disclosure?

‍

Best Practices from Field Research

Recent research from firms like Metomic and Promptfoo reinforce several best practices that CISOs should operationalize:

Segregate inputs: Never combine untrusted and internal prompts without clear boundaries.
Reinforce system prompts: Re-assert boundaries and policies across session lifespan, not just at initiation.
Inject meta-prompts: Inform LLMs explicitly of forbidden topics and role scope.
Red-team constantly: Build attack scenarios into CI/CD pipelines. Use adversarial testing tools like Promptfoo.
Sanitize outputs: Use rule-based scrubbing for hallucinated URLs, PII, or policy violations.
Log & monitor sessions: Enable taint tracking and behavioral anomaly detection for post-event audits.

The Google security team recommends embedding runtime policies into orchestration layers, not just system prompts.

‍

Conclusion

Prompt injection isn’t just an LLM problem, it’s a new class of exploit for the GenAI era. Enterprises must now treat prompt streams with the same caution as API calls or database writes. The most resilient organizations will be those that build layered security into the heart of their AI infrastructure.

As research from OWASP and CalypsoAI confirms, surviving in the era of agentic AI means embedding governance, not just trusting guardrails.

‍

What’s a Rich Text element?

The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.

Static and dynamic content editing

A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!

edcbbkn

yvbjnklm

{
  {
    "page_content": "Employee leave-of-absence policy ...",
    "authorized_identities": ["hr-support", "hr-leadership"],
    ...
    "category": "NarrativeText",
    "source": "https://drive.google.com/file/d/1Wp../view",
    "title": "hr-benefit-guide-38.pdf",
  },
  {
    "page_content": "total comp for senior staff ranges from ...", 
    "authorized_identities": ["hr-leadership"], 
    ...
    "category": "NarrativeText",
    "source": "https://drive.google.com/file/d/1Gk../view",
    "title": "hr-payroll-exec-comp-2023-Q4.pdf",
  },
}

How to customize formatting for each rich text

Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.

from langchain.document_loaders.csv_loader import CSVLoader
from langchain_community.document_loaders.pebblo import PebbloSafeLoader
‍
loader = PebbloSafeLoader(
          CSVLoader(file_path),
          name="acme-corp-rag-1", # App name (Mandatory)
          owner="Joe Smith", # Owner (Optional)
          description="Support RAG app",# Description(Optional)
)
‍
documents = loader.load()
vectordb = Chroma.from_documents(documents, OpenAIEmbeddings())