Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Latest AI and industry news. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

News Trending AI News

Google: Prompt Injection Attacks on AI Agents Are Real

Google documented a 32% rise in malicious prompt injection attacks on AI agents, including hidden PayPal instructions embedded in ordinary web pages.

Enterprise DNA | | via Google Security Blog
Google: Prompt Injection Attacks on AI Agents Are Real

For years, prompt injection attacks on AI agents existed mostly as a theoretical concern — the kind of thing researchers demonstrated in lab conditions but rarely found in the wild. That has changed. Google’s threat intelligence team published research in April 2026 documenting a 32% surge in malicious indirect prompt injection attacks between November 2025 and February 2026, with real payloads targeting enterprise AI agents actively deployed on the open web.

The attack class is called indirect prompt injection (IPI). The basic idea: a malicious actor hides instructions inside an ordinary web page. When an AI agent browses that page as part of a research or automation task, it reads the hidden instructions and treats them as legitimate commands — potentially sending emails, executing transactions, or exfiltrating data, all on behalf of someone who was never in your chain of command.

What Actual Attacks Look Like

Google’s researchers documented several real payloads found in the wild. The most striking: fully specified PayPal transaction instructions embedded invisibly inside ordinary HTML, designed to fire when any AI agent with payment access reads the page. Another example used meta tag namespace injection combined with a keyword Google called “ultrathink” — a persuasion amplifier inserted to make the model treat the injected instruction as high-priority — to route AI-mediated financial actions toward a Stripe donation link.

These are not sophisticated attacks. The sophistication is notably low, according to Google’s own assessment. They work because many AI agent deployments do not enforce a strict boundary between data (the content the agent is reading) and instructions (the commands the agent should follow). When those are blurred, every web page an agent reads becomes a potential attack surface.

That is the uncomfortable truth buried in the research: the attacker does not need to be clever. They just need your agent to fetch a page they control.

Why Enterprise Deployments Are Especially Exposed

AI agents with narrow, well-defined tasks and no external tool access present a limited attack surface. The risk scales with capability. An agent that can send emails, make API calls, execute terminal commands, or process payments is a high-value target precisely because it can do things. A successful prompt injection attack against such an agent is not just a data exposure — it is an unauthorized action taken in your name, using your credentials, with your data.

Google found that the attacks are becoming more targeted. Early IPI attempts were generic, hoping to catch any agent that happened to visit. More recent payloads are designed with specific tool interfaces in mind, suggesting attackers are studying which AI platforms are being deployed and writing instructions tailored to how those agents behave.

The 32% growth rate over just four months suggests the threat is maturing faster than most enterprise security teams have prepared for.

What Businesses Deploying AI Agents Should Do

The researchers identified several practical mitigations:

Enforce a strict data-instruction boundary. AI agents should be designed to treat all external content as data, not as potential instructions. This sounds obvious in principle but requires deliberate architectural decisions — it does not happen automatically with most off-the-shelf agent frameworks.

Audit agent permissions regularly. The attack surface is proportional to what the agent can do. If an agent has payment access, email access, and terminal access, a single successful injection can affect all three. Applying least-privilege principles to agent permissions limits the blast radius of a successful attack.

Require human approval for consequential actions. For any agent action that has real-world effects — sending a message, making a purchase, modifying a file — building in an explicit approval step prevents an injected instruction from executing without oversight. This adds friction, but the friction is the point.

Monitor agent behavior for anomalies. Agents that start making unusual API calls, contacting unexpected endpoints, or taking actions outside their defined scope are showing signs of compromise. Logging and anomaly detection for agent activity is not optional anymore.

What This Means for Business

If you are deploying AI agents — for customer support, internal workflows, research automation, or anything that involves browsing external content — this research should prompt a review of your security posture around those agents.

The good news is that the attacks documented so far have been relatively unsophisticated. The attack patterns are known, the mitigations are practical, and getting ahead of this now is significantly easier than responding after an incident. Google’s own assessment is that sophistication is still low but growing — which means the window for proactive preparation is open, but not indefinitely.

For a deeper walkthrough of tools like this and how they fit together, the free Working With Claude field guide covers the ecosystem end to end. Get the guide.

Working With Claude field guide cover

Free Resource

Going deeper with Claude?

Get the free 32-page implementation guide for ANZ teams.

No spam. Unsubscribe any time.