Prompt injection attacks cripple enterprise AI – the hidden threat surfacing in 2025‑26

Prompt injection has become the most exploited flaw in enterprise‑grade large language models, allowing threat actors to hijack agents, poison retrieval‑augmented generation pipelines, and steer model routers toward weaker back‑ends. Recent investigations by Reuters and Bloomberg confirm a surge in incidents across continents.

Prompt injection attacks expand across enterprise AI pipelines

In 2025 the OWASP LLM Top 10 listed prompt injection as LLM01, reflecting its status as the leading vulnerability. CrowdStrike’s 2026 Global Threat Report recorded that adversaries injected malicious prompts into legitimate generative tools at ↓ 90 organisations in the prior year, then used the compromised outputs to exfiltrate credentials and cryptocurrency. AI‑enabled adversaries increased their overall attack volume by ↑ 89% year‑over‑year. The report bluntly declares: “Prompts are the new malware.”

Notable breaches illustrate the danger. In August 2024 a flaw in Slack AI let an attacker siphon API keys from private channels by posting a crafted instruction in a public thread. A month later, the EchoLeak exploit (CVE‑2025‑32711, CVSS 9.3) demonstrated a zero‑click prompt injection against Microsoft 365 Copilot, stealing internal documents via a single email.

“The attack surface now includes multi‑agent orchestrators, long‑term memory stores, and model routing logic,” says Julie Brunias, AI Security Architect.

Must Read Intel Explore deeper: Z.ai Cybersecurity Claim: Matching Mythos in Bug‑Finding Tests

Emerging techniques target three new vectors:

• RAG supply‑chain poisoning: malicious documentation is ingested into knowledge bases, corrupting downstream answers.
• Agent hijacking: autonomous bots receive a rogue instruction and execute privileged actions such as code deployment or cloud configuration changes.
• Context overflow: attackers embed hidden code within million‑token contexts, hoping the model will execute it inadvertently.

Mitigation guidance for executives includes:

1. Restrict model permissions to the minimum necessary.
2. Isolate untrusted content sources.
3. Require human sign‑off for high‑impact tool invocations.
4. Validate provenance of RAG inputs.
5. Harden model routers against forced redirection.
6. Adopt a zero‑trust stance toward all LLM outputs.

Until organizations treat LLMs as untrusted interpreters rather than autonomous decision‑makers, prompt injection will remain the pre‑eminent vector compromising AI‑driven operations.

Words by Nova Stirling (Aerospace & Space Tech Correspondent).