Prompt Injection: The OWASP LLM #1 Risk
Prompt injection sits at #1 on the OWASP LLM Top 10 for a reason: the model can't tell the difference between trusted instructions and untrusted content. That single property breaks most naive AI integrations.
Direct vs indirect injection
Direct attacks live in the user's prompt. Indirect attacks live in the data your LLM reads — emails, web pages, PDFs, tool outputs. Indirect is what makes this dangerous at scale.
Real-world impact
Data exfiltration via tool calls, unauthorized actions in agentic workflows, prompt leakage, and bypassed safety guardrails — all without exploiting a single CVE.
Defense in depth
There is no silver bullet. Combine these controls:
- Strict input/output validation and allowlists
- Sandboxed tool execution with human approval for sensitive actions
- Separate trust contexts for instructions vs. retrieved content
- Continuous red-teaming with Garak / PyRIT / Promptfoo
Test like an attacker
Build a regression suite of jailbreaks. Re-run it on every model upgrade — guardrails that worked last quarter often fail today.
Tools mentioned
Treat every model output as untrusted, every retrieved document as hostile, and every tool call as a privilege escalation opportunity.