Indirect Prompt Injection in RAG and AI Agents
Treat retrieved documents, web pages, messages, and tool results as untrusted data even when they look like instructions. They may inform an answer, but they must not change system policy, grant tool authority, reveal protected context, or approve side effects. Enforce that boundary in code and test it with hostile fixtures.
Map the path from content to consequence
| Content channel | Allowed influence | Forbidden effect | Regression probe |
|---|---|---|---|
| Retrieved document | Supply facts with source references. | Override policy, alter retrieval scope, or request a privileged tool. | Embed a conflicting instruction beside relevant facts. |
| Web page | Provide public information for the requested task. | Redirect the agent to an unrelated site or action. | Place an action request in page text or metadata. |
| Email or ticket | Describe a user issue for classification or response. | Change recipient, approve a transaction, or impersonate authority. | Include urgent instructions claiming executive approval. |
| Tool result | Return data under the tool's declared contract. | Call another tool or expand the caller's permission. | Return instruction-like text in a normal result field. |
| Vector index | Surface authorized, relevant corpus content. | Cross tenant boundaries or elevate poisoned content. | Insert a high-similarity adversarial document. |
| Generated artifact | Become a draft for validation and review. | Execute code, markup, or commands automatically. | Return active content in an expected text field. |
OWASP's Top 10 for LLM Applications identifies prompt injection as an application risk, while its vector and embedding guidance covers weaknesses in retrieval stores. Use the categories to structure a threat model; they do not prove that a control works in your system.
Separate evidence from authority
Label every context segment with origin, owner, retrieval time, and trust class. Delimit document content from system and developer instructions, and tell the model what the content may be used for. This reduces ambiguity but is not a security boundary: application code still decides which tools exist, who may call them, and which arguments are allowed.
Apply access control before retrieval and again before returning a resource. Scope queries, caches, traces, and citations to the caller's tenant and task. A relevant document is not necessarily an authorized one. The MCP authorization guide explains why model text cannot substitute for resource-server checks.
Keep protected values and broad write authority outside model-visible context. Give read and write tools separate contracts, validate identifiers against owned state, and require review for consequential calls. Retrieved content can propose a fact; it cannot become the approving actor.
Use controls that limit consequence
Start with least privilege. An agent that summarizes retrieved material should not have messaging, payment, deployment, or shell tools. When tools are necessary, enforce schemas, server-side authorization, target allowlists, rate and step limits, and post-call validation. OWASP's Excessive Agency guidance reinforces reducing functionality, permissions, and autonomy.
Validate outputs before another component interprets them. Encode rendered text, reject active content where plain text is expected, and treat URLs and tool arguments as data requiring policy checks. Sandboxing can limit a compromised path, but it does not decide whether the action was authorized.
Finally, observe denied actions, unusual tool sequences, retrieval anomalies, and repeated boundary failures without recording protected payloads. Promote every confirmed exploit path into the red-team regression suite and evaluate the complete trajectory with the agent evaluation checklist.
Indirect injection defense failure cases
- “Ignore instructions in documents” is the only control: the model can still follow persuasive content. Enforce consequences outside the prompt.
- Sanitization destroys evidence: aggressive rewriting removes useful facts but misses novel attacks. Preserve origin and constrain use.
- Authorization happens after retrieval: prohibited content already entered context. Filter before retrieval and verify again on access.
- Tool descriptions grant broad freedom: the model can choose dangerous targets. Narrow schemas and validate targets in code.
- A human approves a vague plan: the final call differs from what was reviewed. Approve concrete arguments immediately before action.
- Sandbox equals safety: an isolated process can still send an authorized but harmful message. Combine isolation with policy.
- One attack string passes: the team declares victory. Test channels, paraphrases, tool paths, and multi-step consequences.
A defense implementation sequence
- Map assets and channels. Name protected data, tools, side effects, retrieved sources, users, and every place attacker-controlled content can enter.
- Define allowed influence. For each channel, state which facts it may supply and which policy, authority, or action it may never change.
- Reduce the tool envelope. Separate read from write, scope targets, validate arguments, cap loops, and require authorization before execution.
- Assemble context deliberately. Label origin, delimit content, select only necessary passages, and exclude protected values.
- Validate the output path. Check schemas, citations, URLs, active content, and proposed actions before rendering or execution.
- Test hostile fixtures. Seed retrieved pages, messages, and tool results with conflicting instructions. Assert no prohibited call or disclosure occurs.
- Prepare response. Log safe event metadata, retain case evidence, define a kill switch, and add confirmed failures to prompt regression testing.
Decision summary
Treat retrieved material as evidence, never as authority. Separate instructions from reference data, constrain tool permissions before execution, validate consequential arguments, and stop or escalate when a source cannot be trusted.
Primary and official sources
- OWASP Top 10 for LLM Applications — primary application-security risk categories including prompt injection.
- OWASP LLM06: Excessive Agency — primary guidance on minimizing capabilities, permissions, and autonomy.
- OWASP LLM08: Vector and Embedding Weaknesses — primary retrieval and vector-store risk guidance.