Prompt Injection Emerges as Major Threat to Enterprise AI Systems

Prompt injection is establishing itself as a tangible threat accompanied by real damage as an attack method against enterprise AI systems. This attack embeds malicious commands into instructions (prompts) given to AI, guiding the system toward unintended behavior. OWASP (Open Web Application Security Project) has positioned this attack at the top rank of 'LLM01' in its 2025 'LLM Risk Top 10' for the second consecutive year, recognizing it as the most severe vulnerability category specific to LLMs at the present time.

The background lies in the structural characteristics of large language models (LLMs) themselves. LLMs struggle to strictly distinguish between 'instructions' and 'data', or between 'context' and 'metadata'. In situations where a human would recognize 'this is a malicious command', an LLM can misread the format or context of text and execute the attacker's command as-is. As enterprises rapidly expand their use of LLMs for business support, analysis, development, and internal automation, this weakness has begun to function as an actual breach pathway.

According to the 'Global Threat Report' published by cybersecurity firm CrowdStrike in 2026, over 90 organizations experienced prompt injection into legitimate generative AI tools in 2025. Attackers used this technique to generate commands for stealing credentials and cryptocurrency, with the report explicitly stating 'prompts are the new malware'. Additionally, the attack volume by AI-enabled attackers increased 89% year-over-year, demonstrating that prompt injection functions as both an entry point for intrusion and an amplification device for attack power.

Real-world damage cases have also been reported. In August 2024, security researchers disclosed a prompt injection vulnerability in Slack AI. Attackers could embed code in public channel posts or attached documents to exfiltrate data from private channels that should have been inaccessible, including API keys shared by developers. Further, in June 2025, security firm Aim Security disclosed the 'EchoLeak' vulnerability (CVE-2025-32711, CVSS score 9.3) targeting Microsoft 365 Copilot. This was recorded as the first 'zero-click prompt injection' targeting production environment AI systems, capable of causing Copilot to access internal files and send their contents externally with nothing more than a single crafted email requiring zero user interaction. Both vulnerabilities were subsequently patched.

The scope of attacks is also expanding. Prompt injection no longer targets only simple chatbot AI, but has extended to 'multi-agent architecture' where multiple AIs work in concert, RAG (Retrieval-Augmented Generation) pipelines that reference external documents to generate responses, model routers that distribute processing across multiple models, and long-term memory functions where AI retains conversation history. All of these represent approaches that enterprises are actively adopting for operational efficiency, and the broadening of attack surfaces directly signifies an expansion of enterprise risk.

What this situation demonstrates is that prompt injection is not a 'theoretical flaw' but rather an 'iterative attack technique' already employed in actual breaches. For enterprises integrating LLMs into core business operations, establishing a clear definition during the design phase of 'how far to trust' an AI system becomes the starting point of security. A series of cases reveals the necessity of incorporating security designs—such as input data validation and privilege separation—with the same priority as model version upgrades and feature additions.

The point worth monitoring going forward is how far countermeasures against systems with complex configurations like multi-agent and RAG architectures will become systematized. Unlike countermeasures for single models, in environments where multiple AIs work together, even detecting at which stage injection is occurring becomes difficult. As institutions like OWASP and CrowdStrike continue to issue warnings, the establishment of a framework in which enterprise security teams and AI development teams collaborate to manage risk has entered a phase where it is more critical than ever.