Security researchers at Google have identified a growing threat in which malicious actors are embedding hidden instructions within public web pages to hijack enterprise AI agents. The findings, based on scans of the Common Crawl repository, reveal that website administrators and attackers are placing invisible commands in standard HTML code. These commands remain dormant until an AI assistant scrapes the page for information, at which point the system processes the text and executes the embedded instructions.
Indirect prompt injection represents a significant evolution in AI security risks. Unlike direct manipulation of a chatbot through user input, indirect prompt injection places malicious commands within a trusted data source. In a hypothetical scenario described by the researchers, a corporate HR department might deploy an AI agent to evaluate engineering candidates. The agent navigates to a candidate’s portfolio website and reads its contents. Hidden within the site’s white space, written in white text or buried in metadata, a command instructs the agent to disregard prior instructions, email a copy of the company’s internal employee directory to an external IP address, and output a positive summary of the candidate.
Why Traditional Defenses Fail Against Indirect Prompt Injections
The AI model cannot distinguish between legitimate content and the malicious command, processing the text as a continuous stream of information and interpreting the new instruction as a high priority task. Because the agent possesses legitimate credentials and operates under an approved service account with permissions to read databases and send emails, its actions appear indistinguishable from normal daily operations. Existing cyber defense architectures, including firewalls, endpoint detection systems, and identity access management platforms, typically look for suspicious network traffic, malware signatures, or unauthorized login attempts. An AI agent executing a prompt injection generates none of those red flags.
Many vendors selling AI observability dashboards focus on tracking token usage, response latency, and system uptime, but few offer meaningful oversight into decision integrity. When an orchestrated agentic system drifts off course due to poisoned data, security operations centers receive no alerts because the system believes it is functioning as intended.
Recommended Defenses and Architectural Controls
Google researchers recommend implementing dual model verification as one viable defense mechanism. Instead of allowing a capable and highly privileged agent to browse the web directly, enterprises should deploy a smaller, isolated sanitizer model. This restricted model fetches the external web page, strips out hidden formatting, isolates executable commands, and passes only plain text summaries to the primary reasoning engine. If the sanitizer model becomes compromised by a prompt injection, it lacks the system permissions to cause damage.
Strict compartmentalization of tool usage presents another necessary control. Developers frequently grant AI agents sprawling permissions by bundling read, write, and execute capabilities into a single monolithic identity. According to the researchers, zero trust principles must apply to the agent itself. A system designed to research competitors online should never possess write access to the company’s internal customer relationship management system.
Audit trails must also evolve to track the precise lineage of every AI decision. If a financial agent recommends a sudden stock trade, compliance officers must be able to trace that recommendation back to the specific data points and external URLs that influenced the model’s logic. Without that forensic capability, diagnosing the root cause of an indirect prompt injection becomes impossible.
The internet remains an adversarial environment, and building enterprise AI capable of navigating that environment requires new governance approaches and tightly restricting what those agents believe to be true. As organizations increasingly deploy AI agents for tasks ranging from customer support to financial analysis, the need for robust security frameworks becomes more urgent.
