The Helpful AI Paradox: Why Instruction-Following Is a Security Vulnerability
There's an uncomfortable truth about LLMs that doesn't get discussed enough in product reviews: the property that makes them useful is identical to the property that makes them exploitable. An LLM that obediently follows instructions — any instructions, from any source, delivered in any format — will follow malicious instructions with the same cheerful compliance it applies to legitimate ones. The model cannot tell the difference.
This isn't a bug that will be patched away. It's an architectural reality. And as these systems take on more agentic roles — reading emails, browsing the web, executing code, calling APIs — the exposure surface grows in ways that most engineering teams haven't mapped.
The SQL Injection Problem, Reborn in Natural Language
Traditional software distinguishes between instructions and data through parsing rules enforced at the compiler or runtime level. SQL injection breaks this boundary — it gets data interpreted as a query. LLMs have no such boundary by design. Instructions and data both arrive as tokens. The model interprets both. There's no parameterized query equivalent that fully solves this, because the "parser" is itself a language model trained to handle natural language instructions wherever they appear.
The result is a three-way failure taxonomy:
Direct prompt injection (jailbreaking): A user in the conversation window explicitly overrides system instructions. "Ignore previous instructions and do X." This is the most studied form — and the least dangerous in practice, since it requires the attacker to be in the loop.
Indirect prompt injection: Malicious instructions arrive embedded in data the model processes — documents, web pages, emails, tool outputs, RAG retrieval results. The attacker never interacts with the model directly. They poison a source the model will later read. This is the dominant form in deployed enterprise systems and accounts for over 80% of documented attack attempts.
Goal hijacking through context manipulation: The most sophisticated variant. The attacker doesn't issue an explicit "ignore" command. Instead, they construct a context — a believable conversational continuation, a document that seems like normal business content — that causes the model's inferred goal to shift. The model isn't overriding its instructions; it's interpreting new context as a reason to update what it should be doing.
Attack success rates for real production systems are sobering: GPT-4 agents running with ReAct prompting are vulnerable to indirect injection 24% of the time under standard attacks, and nearly double that with enhanced techniques. For newer attack variants targeting pseudo-conversation injection, success rates against GPT-4o reach 92%.
Indirect Injection Is the Harder Problem
The direct injection story is well understood. Someone feeds the model a jailbreak prompt. Defenses like instruction hierarchy training and refusal scripting catch most of these. The rate of successful direct injection against production deployments is declining.
Indirect injection is different. The attacker's instructions sit in a PDF, a webpage, a Slack message, an MCP tool description. The model processes these as data — but because instructions and data arrive in the same token stream, the model may treat embedded instructions as instructions. This is working as designed.
Consider what happened with Slack AI in August 2024. An attacker posted a message in a public Slack channel containing hidden instructions. Slack AI ingested it into its retrieval index. Later, a different user in a different channel queried Slack AI. The hidden instructions activated, causing the model to render a phishing link: "Error loading message, click here to reauthenticate" — passing private channel data as query parameters to the attacker's server. The victim wasn't in the public channel. They never saw the injected message. They got exfiltrated anyway.
The same pattern recurred in Microsoft 365 Copilot (EchoLeak, CVE-2025-32711): a crafted email with invisible instructions caused Copilot to embed sensitive data in reference-style Markdown image links, which the browser auto-fetched, completing the exfiltration with zero user clicks. The attack bypassed four separate defenses. It required no user interaction beyond opening an email.
GitHub Copilot was similarly vulnerable when analyzing untrusted source code. Instructions embedded in comments or config files caused the LLM to generate links to attacker-controlled image URLs that IDEs auto-fetched, leaking context data.
The pattern is consistent: LLM reads external content, external content contains instructions, LLM follows instructions. The sophistication required is not high. What requires sophistication is bypassing the specific defenses each deployment has added — and those defenses are inconsistent across products.
Multi-Agent Systems Have a Trust Blindspot
The problem compounds in multi-agent architectures. A multi-agent system has a clear vulnerability gradient:
- Direct prompt injection: 46% attack success
- RAG backdoor attacks: 69% success
- Inter-agent trust exploitation: 85% success
- https://genai.owasp.org/llmrisk/llm01-prompt-injection/
- https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html
- https://arxiv.org/abs/2403.02691
- https://arxiv.org/html/2410.23678v2
- https://arxiv.org/html/2509.10540v1
- https://www.promptarmor.com/resources/data-exfiltration-from-slack-ai-via-indirect-prompt-injection
- https://arxiv.org/abs/2503.18813
- https://bair.berkeley.edu/blog/2025/04/11/prompt-injection-defense/
- https://arxiv.org/html/2605.03378
- https://arxiv.org/html/2601.11893v1
- https://arxiv.org/html/2404.13208v1
- https://arxiv.org/html/2603.22489v1
- https://www.anthropic.com/research/many-shot-jailbreaking
- https://www.lakera.ai/blog/indirect-prompt-injection
- https://blog.google/security/prompt-injections-web/
