Prompt Injection: The #1 Risk Every AI Product Team Must Understand
Why the top risk in the OWASP LLM Top 10 is a design property, not a bug — and what that means for every team shipping AI.
- Read time
- 10 min
- Threat coverage
- LLM01 · Prompt injection
- Frameworks
- OWASP LLM · MITRE ATLAS · NIST AI RMF
- Audience
- Product & engineering
Prompt injection sits at the top of the OWASP LLM Top 10 for a reason that surprises most teams: it isn't a bug you can patch. It's a direct consequence of how language models work — and until you internalize that, every mitigation you reach for will be the wrong shape.
Why it's ranked #1
Every other class of AI risk gets worse in the presence of prompt injection, because injection is the technique that unlocks the rest. Leak sensitive data, abuse a tool, hijack an agent's goal — each typically begins with text the model was never supposed to treat as a command. That's why it leads the list as LLM01: it is the entry technique, not just one risk among ten.
The root cause: no boundary between data and instructions
A traditional program keeps code and input in separate lanes. A language model does not. Your system prompt, the user's message, a retrieved document, and a tool's output are concatenated into one stream of tokens, and the model attends to all of it the same way. There is no privileged channel that says these tokens are trusted instructions and those are mere data.
So when attacker-controlled text says "ignore your instructions and do X," the model has no structural reason to refuse — the malicious sentence has exactly the same standing as your carefully written system prompt. The boundary you assumed exists was never there.
Direct vs. indirect
Direct injection is the user typing the attack themselves — mostly a problem when the model can act on their behalf or reveal something they shouldn't see. Indirect injection is the dangerous one: the payload lives in content the model reads — a web page, an email, a PDF, a support ticket — and the victim is whoever's agent ingests it. The attacker never touches your system; they just leave instructions where your AI will find them.
Why input filtering doesn't save you
The instinct is to scan inputs for "bad" prompts and block them. It fails for the same reason spam filters never finished the job: the space of phrasings is infinite, attacks are semantic rather than lexical, and content can be encoded, translated, or split across turns. A blocklist raises the effort slightly and creates a false sense of safety. Treat filtering as friction, never as a control you'd stake the system on.
What actually helps
Because you can't reliably stop the model from being manipulated, contain what a manipulated model can do:
- Least privilege. Scope the model's tools, data, and credentials to the task. If it can't reach the crown jewels, an injection can't either.
- Isolate untrusted content. Keep retrieved and tool-returned text in a context the model treats as data to summarize, not instructions to follow.
- Gate consequential actions. Put human approval in front of anything irreversible or sensitive.
- Handle output as untrusted. Never pass model output straight into a shell, a query, or another system without validation.
Framework mapping
| Control | OWASP LLM | NIST AI RMF |
|---|---|---|
| Least privilege & tool scoping | LLM01 / LLM06 | Manage 1.3 |
| Untrusted-content isolation | LLM01 | Measure 2.7 |
| Output handling | LLM02 | Measure 2.7 |
Checklist
- The team treats injection as a design property to contain, not a bug to filter.
- Indirect injection is in the threat model wherever the AI reads external content.
- The model's tools, data, and credentials are scoped to least privilege.
- Consequential actions require human approval.
- Model output is validated before it reaches another system.