Cyber For AI Notes

[Lecture] Attack and Defences of AI Systems

Direct prompt injection, indirect prompt injection, indirect RAG injection, tool abuse through injection

June 19, 2026

image

Prompt injection often chains multiple weaknesses

  • One prompt crosses authorization, data, and tool boundaries
  • Issues surface in outputs, but root causes live in context and permissions
  • Guardrails slow attacks, but do not stop chained exploitation
  • Real risk appears when prompts interact with RAG, agents, and tools

AI Security Overview

Shadow AI Risk

  • Public SaaS and AI tools introduce shadow AI risk — unknown training datasets, unclear data lifecycles, and potential exposure of proprietary company data through data leakage.
  • Key concerns to address include preventing sensitive data exposure, enforcing acceptable use policies, and controlling developer behaviour such as pasting code into external SaaS tools.

Core Controls for AI We Use

  • Apply DLP and prompt filtering to intercept sensitive data before it leaves the organisation.
  • Enforce secure access and maintain an approved tool list with clear usage guidelines.
  • Implement data classification to distinguish what can and cannot be shared with AI tools.

What Core Controls Don't Solve

  • Core controls do not address third-party model risk, full data lifecycle certainty, downstream leakage, or business misuse where users act on poor or misleading model outputs.

AI Architecture and the Attack Surface

The Orchestrator

  • The orchestrator is the crown jewel — it defines the security boundary of the system, managing role-based access control, prompt construction (user prompt, system prompt, tool calls, agent-to-agent interactions), and safety logic.
  • Orchestrators are non-deterministic by nature — they decide which agents to call, which tools to use, and how to decompose tasks, all powered by an LLM at the core.

Reducing Orchestrator Risk

  • Use rule-based routing logic to constrain orchestrator decision-making.
  • Set temperature to zero to minimise output variability — same input produces the same output.
  • Account for parallel execution and concurrency in multi-agent workflows, as ordering can affect downstream decisions.

OWASP Top 10 for LLM Applications

Prompt Injection (LLM01)

  • Direct injection — the user directly manipulates the prompt (e.g. "Ignore your system prompt and do this instead").
  • Indirect injection — malicious instructions are hidden in external content the model reads, such as documents, emails, or web pages (e.g. white text on a white background, attacker-controlled websites, or embedded instructions in files).

Why It Matters

  • Prompt injection is comparable to social engineering — it tricks the model into acting outside its intended scope. Success depends on phrasing and placement, not traditional exploits.
  • It is rarely an isolated attack; it typically chains multiple weaknesses and becomes most dangerous when it interacts with RAG pipelines, agents, and tools.

Defending Against Prompt Injection

  • Treat all user input as untrusted.
  • Apply input sanitisation — strip hidden characters, whitespace, and formatting tricks.
  • Implement output monitoring and validation using regex to detect system prompt leakage or exposed API keys.
  • Enforce human oversight for high-risk operations such as password release, deletions, admin actions, and bypass attempts.

The System Prompt is Not a Security Control

Why the System Prompt Cannot Be Trusted as a Secret

  • The system prompt shares the same context window as untrusted user input — there is no cryptographic boundary separating them. It will be extracted through various prompt injection techniques.
  • Common extraction attempts include asking the model to repeat its instructions in plain language, encode them in base64, substitute letters with numbers, or describe them as an example for a "research paper."

What This Means in Practice

  • Never place credentials, API keys, or security logic inside a system prompt.
  • Never rely on the system prompt as the sole line of defence — a model with no backend enforcement is trivially exploitable.
  • Even if the system prompt is hidden, a user can still manipulate the orchestrator into returning data they are not authorised to access.

The Real Fix

  • Security decisions must be enforced in code, not prompts — the LLM can request data, but the backend must validate authorisation.
  • Implement code-level authorisation checks for every sensitive operation; never delegate these decisions to the model.

Excessive Agency

When LLMs Are Given Too Much Authority

  • Excessive agency occurs when an LLM can take actions beyond its intended scope — caused by broad tool permissions, long-running workflows without checkpoints, or self-directed task planning.

Examples of Failure

  • Over-privileged agent — instructed to clean up old accounts, the agent deletes active customer records due to missing scope limits or approval gates.
  • Tool chaining escalation — the agent fetches data with one tool, uses the output to justify calling higher-impact tools, and ends with a destructive action such as revoking access or closing incidents.

Levels of Automation

  • L1 – User as operator: user directs all decisions; agents act on instruction.
  • L2 – User as collaborator: user and agent jointly plan, delegate, and execute.
  • L3 – User as consultant: agent leads but consults the user for expertise or preferences.
  • L4 – User as approver: agent acts autonomously but checks in for risky or pre-specified scenarios.
  • L5 – User as observer: agent operates with full autonomy under passive user monitoring.