how organisations can prevent prompt injection attacks in enterprise AI systems

nterprise AI is rapidly moving from experimentation to everyday business operations, powering workflows, code assistants, customer interactions, and internal knowledge systems. As adoption grows, so do new security risks. Ranked first in the OWASP Top 10 Risks for LLM Applications 2025, prompt injection attacks have emerged as a critical threat capable of undermining AI reliability, exposing sensitive data, and compromising connected enterprise systems. As enterprise AI continues to expand across business operations, organisations must stay ahead of emerging prompt injection tactics to protect connected systems, preserve data integrity, and maintain stakeholder confidence.


What are prompt injection attacks?

Unlike conventional cyberattacks that exploit software vulnerabilities, prompt injection attacks manipulate an AI model through carefully crafted instructions. The attacker influences how the model interprets prompts, potentially overriding system instructions or altering its intended behaviour.

The most common types of prompt injection include:

  • Direct prompt injection: Attackers submit malicious instructions directly to the AI model.
  • Indirect prompt injection: Hidden instructions embedded in external sources such as emails, documents, or web pages influence AI responses when the model processes that content.
  • RAG poisoning: Attackers insert malicious content into retrieval sources, causing Retrieval-Augmented Generation (RAG) systems to feed compromised information to the model.

Unlike jailbreak attacks, which attempt to bypass built-in safety policies, prompt injection targets the application's workflows, connected tools, or data sources to manipulate AI behaviour. Potential business implications of these attacks often include:

  • Disclosure or exfiltration of confidential business and customer data
  • Exposure of system prompts, AI infrastructure details, and sensitive information
  • Manipulation of AI outputs to influence business decisions or spread misinformation
  • Execution of unauthorised commands, connected functions, or business workflows
  • Deployment of malware or remote code execution in connected systems
  • Circumvention of access controls to gain unauthorised privileges

These risks demonstrate why organisations need AI-specific security controls that go beyond traditional cybersecurity measures.


Securing enterprise AI requires more than deploying technical controls. It demands governance, continuous monitoring, and responsible implementation at scale. Infosys BPM helps organisations strengthen AI security through AI governance, trust and safety services, and continuous AI risk management. Its responsible AI framework enables businesses to deploy AI solutions with greater confidence while reducing exposure to evolving AI prompt injection threats.


Prompt injection prevention and mitigation strategies

Traditional cybersecurity controls focus on networks, endpoints, or applications. They rarely inspect the natural-language instructions that guide LLM behaviour. Protecting enterprise AI therefore requires security controls designed specifically for prompt injection attacks and AI-driven workflows.

Rather than relying on a single safeguard, organisations must implement multiple complementary controls across AI design, deployment, and operations, including:


Build secure prompts and validate every interaction

Strong system prompts establish clear behavioural boundaries, but they cannot stop every attack alone. Organisations should combine resilient prompt engineering with robust input validation and output verification. This may include:

  • Restricting model scope and permitted actions
  • Applying strict input validation to detect suspicious instructions
  • Enforcing structured output formats to minimise unexpected responses
  • Filtering both user inputs and AI-generated outputs before downstream use

Together, these measures help reduce the likelihood of successful prompt injection attacks before they can influence AI behaviour.


Apply strict identity and privilege controls

Enterprise AI should never receive unrestricted access to business systems. Every AI agent should operate with only the permissions required for its specific task. This reduces the likelihood that malicious prompts can access confidential information, execute privileged actions, or manipulate critical business processes.

Human approval should remain mandatory before AI performs financial transactions, modifies production environments, or accesses sensitive records.


Separate trusted and untrusted content

Protect Enterprise AI Systems with Infosys BPM

Protect Enterprise AI Systems with Infosys BPM

Enterprise AI increasingly consumes emails, documents, websites, and knowledge repositories. Treating all content as equally trustworthy creates unnecessary risk. Organisations should:

  • Clearly identify external or untrusted content.
  • Isolate retrieved information before processing.
  • Apply security controls to RAG pipelines.
  • Prevent external instructions from influencing system prompts.

These measures significantly reduce the risk of indirect prompt injection and RAG poisoning.


Continuously monitor, test, and strengthen AI defences

AI security requires continuous evaluation rather than periodic assessments. Security teams should monitor interactions, analyse behavioural anomalies, and conduct specialised adversarial testing to identify weaknesses before attackers do.

An effective defence programme against prompt injection risks would typically include:

  • Continuous monitoring and logging
  • Prompt injection threat-specific red, blue, and purple team exercises
  • Regular governance and risk assessments
  • Vendor security reviews
  • Ongoing model updates and user awareness training

Continuous monitoring and adversarial testing help organisations identify emerging threats before attackers can exploit them.

Recent incidents demonstrate why proactive security matters. In 2025

  • EchoLeak (CVE-2025-32711): Attackers exploited a zero-click prompt injection vulnerability in Microsoft 365 Copilot by sending a crafted email that caused the AI assistant to exfiltrate sensitive organisational data without user interaction.
  • GitHub Copilot RCE (CVE-2025-53773): Researchers manipulated GitHub Copilot through prompt injection to modify its configuration and enable unauthorised command execution, demonstrating how attackers could weaponise trusted AI coding assistants.
  • ChatGPT memory manipulation (2024): Researchers exploited ChatGPT's memory feature to persist malicious instructions across sessions, allowing persistent prompt injection to influence future interactions and facilitate long-term data exfiltration.

Together, these incidents show that AI security risks have moved from theory into production environments, making continuous vigilance essential.


Conclusion

As enterprise AI becomes deeply integrated into business operations, security strategies must evolve alongside it. Preventing prompt injection attacks depends on combining resilient AI design, effective input validation, least-privilege access, continuous testing, and strong governance into a unified defence strategy. Organisations that embed these practices into every stage of AI deployment will be better positioned to innovate confidently while maintaining confidence in their data, systems, and AI-driven decisions.



Frequently asked questions

A prompt injection attack manipulates an AI model through crafted instructions rather than exploiting software vulnerabilities. It can override system instructions or alter intended behaviour. Common forms include direct injection, indirect injection hidden in emails or documents, and RAG poisoning of retrieval sources. Prompt injection ranks first in the OWASP Top 10 for LLM Applications 2025.

The difference is the target. Jailbreaking tries to bypass a model's built-in safety policies, while prompt injection targets the application's workflows, connected tools, and data sources. Injection manipulates how the model handles trusted instructions and external content, rather than defeating content filters. This makes prompt injection a systems-level threat, not just a content-safety concern.

Preventing prompt injection requires layered, AI-specific controls, not a single safeguard. Enterprises should combine resilient prompt design with strict input validation and output filtering, enforce least-privilege access with human approval for sensitive actions, separate trusted from untrusted content in RAG pipelines, and run continuous monitoring with adversarial testing. This reduces successful attacks across design, deployment, and operations.

Prompt injection can expose data, hijack connected systems, and manipulate business decisions. Consequences include exfiltration of confidential data, exposure of system prompts, unauthorised command execution, malware or remote code execution, and privilege escalation. Real 2025 incidents, including EchoLeak in Microsoft 365 Copilot and a GitHub Copilot remote code execution flaw, show these risks now reach production environments.

Traditional cybersecurity controls cannot stop prompt injection because they do not inspect natural-language instructions. Network, endpoint, and application controls focus on code and infrastructure, not the prompts that guide LLM behaviour. Enterprise AI therefore needs controls built specifically for AI workflows, backed by governance and continuous monitoring, to protect data integrity and stakeholder confidence as adoption scales.