Tendril — AI Lessons for Real Life

Tendril

The premise

Models cannot reliably distinguish trusted instructions (from you) from untrusted data (from users or documents). A web page, email, or PDF can carry hidden instructions that change your AI's behavior.

What AI does well here

Demonstrating injection on any naive prompt+data system

Sanitizing inputs to reduce — not eliminate — risk

Designing trust boundaries that limit blast radius

Auditing tool calls against expected behavior

What AI cannot do

Eliminate prompt injection with prompt engineering alone

Trust that the model will follow rules in the face of contrary instructions

Make injection-resistant agents in 2024 levels of model technology

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-ai-foundations-prompt-injection-final1-creators

What is the fundamental architectural limitation that makes prompt injection attacks possible?

AI models can be fooled by cleverly crafted text that looks like a legitimate command
AI models lack the ability to remember previous instructions in a conversation
AI models have no way to verify the identity of who is providing instructions
AI models cannot reliably distinguish between trusted developer instructions and untrusted user input

In the lesson's demonstration, what specifically triggers the vulnerable AI tool to respond with 'PWNED'?

A special API endpoint that returns the word 'PWNED' when called
A JavaScript script embedded in the web page that directly hacks the AI
Hidden text in the web page containing prompt injection instructions that the AI follows
A CSS style that makes the word 'PWNED' appear as if the AI wrote it

What does the term 'blast radius' refer to in AI security?

The maximum number of users who can interact with an AI system at once
The scope of capabilities and actions an AI agent can perform that could be exploited if compromised
The physical distance an AI system can operate from its servers
The amount of training data an AI model can process in a single request

Why does the lesson recommend treating AI agents like 'confused interns'?

Because AI agents will follow any instruction they encounter in a document, even if it's not intended as a command
Because AI agents can understand context better than experienced workers
Because AI agents are as intelligent as human interns and can learn from mistakes
Because AI agents require the same management style as entry-level employees

Which security measure does the lesson identify as essential but insufficient on its own?

Using longer and more detailed system prompts
Sanitizing user input to remove potentially malicious content
Requiring two-factor authentication for AI tool access
Encrypting all data transmitted to and from AI systems

What is 'indirect injection' in the context of AI security?

When an attacker directly types malicious commands into a chat interface
When an attacker intercepts and modifies the AI's response before it reaches the user
When two different AI models collude to bypass safety measures
When malicious instructions are hidden in external data that an AI processes, such as emails, PDFs, or web pages

What is a 'trust boundary' in an AI application?

A legal document defining who is responsible for AI behavior
A physical barrier separating AI servers from the internet
The line between trusted system instructions and untrusted user data or external content
A visual border displayed in the user interface showing where user input begins

The lesson states that AI in 2024 cannot be made fully injection-resistant. What is the primary reason for this?

AI models are not trained with enough safety data
Government regulations prevent AI companies from improving security
AI companies lack the financial incentive to fix the problem
The fundamental architecture of language models makes them follow instructions regardless of source

If you build an AI tool that can summarize web pages, what is the most important security consideration from this lesson?

Adding the ability to summarize multiple pages at once
Ensuring the tool can handle websites with JavaScript animations
Making sure the summary appears quickly for the user
Treating the content of any webpage as potentially untrusted and not blindly following instructions found within it

What should an organization do before giving an AI agent powerful capabilities like sending emails or deleting files?

Test the AI thoroughly to ensure it never makes mistakes
Nothing special—AI agents can be trusted with these tasks
Implement strict allowlists, require human approval for sensitive actions, and maintain audit trails
Give the AI a more friendly name so users trust it more

Why might sanitizing inputs (removing certain words or patterns) fail to prevent prompt injection?

Sanitization makes the AI less accurate at its main task
Attackers can use encoding, synonyms, or creative formatting to bypass filters
Sanitization is computationally expensive and slows down AI responses
AI models automatically restore removed content during processing

What is wrong with relying solely on prompt engineering to prevent prompt injection attacks?

Prompt engineering has no effect on AI behavior
Prompt engineering alone cannot solve the problem because models will still follow instructions in user data
Prompt engineering makes AI responses too slow
Prompt engineering is too expensive for most organizations

What should developers understand about the AI models they use in their applications?

AI models can be easily updated to block all malicious instructions
AI models will always follow their system prompts perfectly
AI models are immune to manipulation by external content
AI models cannot reliably distinguish trusted instructions from untrusted data in inputs

Why is it risky to give an AI agent the ability to execute financial transactions based on instructions it reads?

AI agents are bad at math and will make calculation errors
AI agents are not allowed to handle money due to regulations
Financial transactions are too slow for AI agents to process
The AI might be injected with instructions to transfer money to an attacker, and it cannot distinguish this from legitimate requests

What does auditing tool calls against expected behavior involve?

Ensuring the AI uses the correct API endpoints
Verifying that tool executions match what was actually requested and expected, not what an injected instruction demanded
Counting how many times a tool is used
Recording what the AI says to users

The premise

What AI does well here

Demonstrating injection on any naive prompt+data system

Sanitizing inputs to reduce — not eliminate — risk

Designing trust boundaries that limit blast radius

Auditing tool calls against expected behavior

What AI cannot do

Eliminate prompt injection with prompt engineering alone

Trust that the model will follow rules in the face of contrary instructions

Make injection-resistant agents in 2024 levels of model technology

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-ai-foundations-prompt-injection-final1-creators

What is the fundamental architectural limitation that makes prompt injection attacks possible?

AI models can be fooled by cleverly crafted text that looks like a legitimate command
AI models lack the ability to remember previous instructions in a conversation
AI models have no way to verify the identity of who is providing instructions
AI models cannot reliably distinguish between trusted developer instructions and untrusted user input

In the lesson's demonstration, what specifically triggers the vulnerable AI tool to respond with 'PWNED'?

A special API endpoint that returns the word 'PWNED' when called
A JavaScript script embedded in the web page that directly hacks the AI
Hidden text in the web page containing prompt injection instructions that the AI follows
A CSS style that makes the word 'PWNED' appear as if the AI wrote it

What does the term 'blast radius' refer to in AI security?

The maximum number of users who can interact with an AI system at once
The scope of capabilities and actions an AI agent can perform that could be exploited if compromised
The physical distance an AI system can operate from its servers
The amount of training data an AI model can process in a single request

Why does the lesson recommend treating AI agents like 'confused interns'?

Because AI agents will follow any instruction they encounter in a document, even if it's not intended as a command
Because AI agents can understand context better than experienced workers
Because AI agents are as intelligent as human interns and can learn from mistakes
Because AI agents require the same management style as entry-level employees

Which security measure does the lesson identify as essential but insufficient on its own?

Using longer and more detailed system prompts
Sanitizing user input to remove potentially malicious content
Requiring two-factor authentication for AI tool access
Encrypting all data transmitted to and from AI systems

What is 'indirect injection' in the context of AI security?

When an attacker directly types malicious commands into a chat interface
When an attacker intercepts and modifies the AI's response before it reaches the user
When two different AI models collude to bypass safety measures
When malicious instructions are hidden in external data that an AI processes, such as emails, PDFs, or web pages

What is a 'trust boundary' in an AI application?

A legal document defining who is responsible for AI behavior
A physical barrier separating AI servers from the internet
The line between trusted system instructions and untrusted user data or external content
A visual border displayed in the user interface showing where user input begins

The lesson states that AI in 2024 cannot be made fully injection-resistant. What is the primary reason for this?

AI models are not trained with enough safety data
Government regulations prevent AI companies from improving security
AI companies lack the financial incentive to fix the problem
The fundamental architecture of language models makes them follow instructions regardless of source

If you build an AI tool that can summarize web pages, what is the most important security consideration from this lesson?

Adding the ability to summarize multiple pages at once
Ensuring the tool can handle websites with JavaScript animations
Making sure the summary appears quickly for the user
Treating the content of any webpage as potentially untrusted and not blindly following instructions found within it

What should an organization do before giving an AI agent powerful capabilities like sending emails or deleting files?

Test the AI thoroughly to ensure it never makes mistakes
Nothing special—AI agents can be trusted with these tasks
Implement strict allowlists, require human approval for sensitive actions, and maintain audit trails
Give the AI a more friendly name so users trust it more

Why might sanitizing inputs (removing certain words or patterns) fail to prevent prompt injection?

Sanitization makes the AI less accurate at its main task
Attackers can use encoding, synonyms, or creative formatting to bypass filters
Sanitization is computationally expensive and slows down AI responses
AI models automatically restore removed content during processing

What is wrong with relying solely on prompt engineering to prevent prompt injection attacks?

Prompt engineering has no effect on AI behavior
Prompt engineering alone cannot solve the problem because models will still follow instructions in user data
Prompt engineering makes AI responses too slow
Prompt engineering is too expensive for most organizations

What should developers understand about the AI models they use in their applications?

AI models can be easily updated to block all malicious instructions
AI models will always follow their system prompts perfectly
AI models are immune to manipulation by external content
AI models cannot reliably distinguish trusted instructions from untrusted data in inputs

Why is it risky to give an AI agent the ability to execute financial transactions based on instructions it reads?

AI agents are bad at math and will make calculation errors
AI agents are not allowed to handle money due to regulations
Financial transactions are too slow for AI agents to process
The AI might be injected with instructions to transfer money to an attacker, and it cannot distinguish this from legitimate requests

What does auditing tool calls against expected behavior involve?

Ensuring the AI uses the correct API endpoints
Verifying that tool executions match what was actually requested and expected, not what an injected instruction demanded
Counting how many times a tool is used
Recording what the AI says to users

Prompt Injection: The Top Security Issue in AI Apps

The premise

What AI does well here

What AI cannot do

End-of-lesson check

Prompt Injection: The Top Security Issue in AI Apps

The premise

What AI does well here

What AI cannot do

End-of-lesson check