Prompt Injection: The Agent Era's SQL Injection

When AI can read documents and act on them, hidden instructions become attacks. Here is what prompt injection is and why nobody has fully solved it.

30 min · Reviewed 2026

The Trust Boundary Problem

When a model only reads what you type, it is clear what counts as an instruction. When a model reads a webpage, a PDF, an email, or a tool response, the boundary gets fuzzy. Any text anywhere in its context window might say do this instead, and the model might obey.

Two flavors

Direct injection: the user types the attack themselves (often to bypass safety)
Indirect injection: someone else planted the attack in content the model reads

Why this is the agent era's SQL injection

In the web era, SQL injection happened because developers concatenated user input into database queries. The database could not tell code from data. Prompt injection has the same shape: the model cannot reliably tell instructions from content.

The difference is worse: SQL injection is fixed by parameterized queries. There is no known full fix for prompt injection. Current defenses reduce it; none eliminate it.

Defenses that help

Instruction isolation: system prompt in a privileged channel the model is trained to trust more
Content labeling: mark document text as data, not instructions
Capability gating: never let the model send email without a human click
Sandboxing: agents run in constrained environments with no network
Output filtering: scan results for suspicious patterns before acting
User confirmation: high-stakes actions require explicit approval

Attacker goal	Vector	Defense
Exfiltrate data	Hidden text tells agent to email files	Block outbound email without human approval
Manipulate decisions	Biased content in a document	Cross-reference against trusted sources
Run harmful tools	Instruction to call delete-all tool	Require confirmation for destructive actions
Phish the user	Fake authority instruction in page	Warn user, never auto-click injected links

Every piece of data an agent reads is a potential prompt. Design like every document is a letter from an adversary.
— Simon Willison, independent researcher

The big idea: the more useful AI agents get, the more they read from the world, and the more they read, the more attack surface they have. Mitigations exist; a perfect fix does not.

End-of-lesson check

8 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-safety-prompt-injection-builders

What is the main idea of "Prompt Injection: The Agent Era's SQL Injection"?
1. When AI can read documents and act on them, hidden instructions become attacks. Here is what prompt injection is and why nobody has fully solved it.
2. Use AI as the final authority for the whole decision
3. Avoid checking the answer once it sounds polished
4. Focus only on speed instead of judgment
Which concept is most central to "Prompt Injection: The Agent Era's SQL Injection"?
1. indirect injection
2. prompt injection
3. agent security
4. agent
Which use of AI fits this topic best?
1. Let the AI decide what matters without your review
2. Use the answer before checking whether it fits the situation
3. Direct injection: the user types the attack themselves (often to bypass safety)
4. Use the first answer without checking it
What should a careful learner remember about "A real 2023 example"?
1. Use AI to draft or organize ideas about prompt injection, then verify before acting.
2. Skip the context so the tool can guess faster
3. Treat the output as private even after sharing it online
4. Use the answer without checking the source
You want to use AI after this lesson. What is the safest next step?
1. Act immediately because the AI answer is written clearly
2. AI cannot make the human values decision for you.
3. Hide uncertainty so the final answer looks cleaner
4. Use private or sensitive details before checking permission
How should AI output about prompt injection be treated?
1. As proof that no other source is needed
2. As a replacement for context, consent, or expert review
3. As a draft or helper output that still needs human judgment and verification
4. As something that becomes correct when it sounds confident
Name one way to verify an AI answer about prompt injection.
Which action would help you apply "Prompt Injection: The Agent Era's SQL Injection" responsibly?
1. Use the tool to avoid thinking through the tradeoff
2. Keep going even if the output conflicts with a trusted source
3. Use the first answer without checking it
4. Indirect injection: someone else planted the attack in content the model reads

← Back to interactive lesson

Tendril · Builders · Ethics & Society