Enterprises are building AI agents to do real work: support, analytics, developer tasks, internal automation. But prompt injection is exploiting the core design assumption those systems rely on, and the proof keeps getting more operational, not just theoretical. The latest security framing is blunt: OWASP lists prompt injection as LLM01, and CrowdStrike documents malicious prompts at more than 90 organizations in 2025 used to generate commands that stole credentials and cryptocurrency. In other words, the “prompt” is becoming an attack surface, not an input.

What makes this especially dangerous for leadership is that these attacks are not confined to chatbots or one-off demos. They can ride inside enterprise workflows where LLMs are expected to interpret context correctly and then take action. Researchers disclosed a Slack AI prompt injection vulnerability in August 2024 that allowed attackers to exfiltrate data from private Slack channels they had no access to, including API keys shared in private developer channels, by placing a malicious instruction in a public channel or embedding it in an uploaded document. Then in June 2025, researchers disclosed EchoLeak (CVE-2025-32711, CVSS 9.3), described as the first documented zero-click prompt injection exploit against a production AI system, targeting Microsoft 365 Copilot, where sending a single crafted email (no user interaction required) could cause Copilot to access internal files and transmit their contents to an attacker-controlled server. Both vulnerabilities were patched. Still, the pattern is clear, and it is not comforting.

Zoom out and the industry’s design problem explains why prompt injection keeps winning. LLMs struggle to reliably separate instructions from data, instructions from context, and user intent from metadata. That gap matters because enterprises deploy LLMs not just to summarize, but to trigger automated workflows. Once an attacker can manipulate what the model treats as “instruction,” they can influence what it does directly or indirectly. That is why the threat has evolved beyond basic prompt tricks. Modern prompt injection now targets multi-agent architectures, retrieval-augmented generation (RAG) pipelines, model routers, and long-term memory capabilities, meaning the attack can persist across the system, not just within a single conversation.

This is also why the enterprise threat model is getting weird in the worst way. Cross-model prompt injection takes advantage of the fact that enterprises often use multiple models to process the same content. Attackers corrupt the output of one model, knowing other models will ingest that content. The corruption propagates through the whole AI stack, which turns a single successful injection into a broader business risk. RAG supply chain poisoning follows a similar logic: attackers create malicious information like documentation, blog articles, or GitHub READMEs, then wait for that content to be ingested into enterprise RAG pipelines, where it becomes an attack vector. Instead of trying to break the model, adversaries poison the knowledge path the model uses.

Agent hijacking is where the stakes get closest to “boardroom immediate.” Agents can send emails, modify cloud infrastructure, execute code snippets, and interact with internal corporate systems. In that world, it takes just a single instruction to make agents act differently in harmful ways. Add context overflow attacks enabled by million-token context windows, and an attacker can place malicious code inside documents and hope the LLM stumbles on it and effectively overrides previous instructions. Then layer memory poisoning, where long-term memory allows attackers to inject instructions that permanently reconfigure state. Finally, consider model-router manipulation, a technique targeting the selection layer enterprises use to pick between multiple LLMs, where attackers craft prompts to force routing to the weakest or least-guarded model.

For decision-makers, the most important shift is that prompt injection risk is no longer limited to “the model said something it shouldn’t.” It directly affects customer-facing systems like chatbots and support agents, internal copilots such as developer tools and security assistants, automation workflows including ticketing, cloud operations, and HR processes, and data governance across RAG pipelines and knowledge bases. In 2026, prompt injection can trigger unauthorized actions, leak sensitive data, corrupt internal workflows, manipulate analytics, alter business logic, and compromise multi-agent systems. That combination explains why OWASP’s OWASP LLM Top 10 (2025) ranks prompt injection as LLM01 for the second consecutive edition: it is tied to a fundamental behavior problem, not an implementation bug.

So what should enterprises do now? The recommended actions are concrete: constrain model permissions so the model can do less than it technically can; segment untrusted content and treat external data, including RAG sources, as potentially hostile; monitor tool invocation and require human approval for high-impact actions; validate content provenance so poisoned external content does not get into RAG pipelines; harden model routers to prevent attackers from forcing routing to weaker models; and treat LLMs as untrusted components. The bottom line in the source framing is the strategic mindset shift: treat LLMs as untrusted interpreters, not autonomous decision-makers. That mindset is likely the difference between experimenting with AI safely and waking up to a credential theft incident that started with a crafted prompt.