Skip to content

AI Agents Vulnerable to Indirect Prompt Injection Attacks

The bottom line: Indirect prompt injection attacks are an architectural security problem in transformer models that cannot be solved through training alone and can lead to significant losses in production environments.

Zscaler has demonstrated in tests that autonomous AI agents are vulnerable to indirect prompt injection attacks — even high-quality language models fall for manipulations that a human would easily see through.

Zscaler investigated various forms of indirect prompt injection (IPI) in tests and found that numerous AI models are susceptible to such attacks. The tests identified four models as “vulnerable” among 26 language models: Llama 3.3-70b-instruct, Llama 3.2-90b-instruct, Gemini 3-flash, and Gemini 2.5-pro. Three models performed better and were classified as “secure”: Llama 4-maverick, Gemini 3.1-pro, and Gemini 3.1-flash-lite. Surprisingly, some lower-cost models showed better resistance than more expensive alternatives.

Zscaler identified IPI attacks embedded in websites that contained hidden instructions to manipulate AI agents. The security implications are significant: in one example, an agent was tricked into paying for a fake developer license for $3. However, this attack vector mechanism could also be used against agents with authority in procurement, expense reporting, or payments, causing large-scale losses. Aman Mahapatra, Chief Strategy Officer at Tribeca Softtech, reported that Fortune 50 banks have already deployed agentic workflows that would not survive this attack “in a live review”.

The fundamental problem does not lie in inadequate security training, but in the architecture of transformer-based models. According to Mahapatra, these cannot achieve “clean separations between untrusted content and trusted instructions” when both are present in the same context window. The attack vector is thus fundamentally architectural in nature, not merely a training or implementation issue.

Security experts warn against oversimplification. Noah Kenney, Principal Consultant at Digital 520, criticizes the strict categorization of “secure/vulnerable” as unsuitable for practical risk assessment. Agents continuously change their behavior through new data, which means test results represent only a snapshot in time. A test result at one point in time cannot be generalized.


Source: www.csoonline.com · Published July 7, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: