Prompt injection is an attack on AI systems where someone hides malicious instructions inside the text the AI reads, getting it to ignore its own rules, reveal secrets, or take actions it should not. It targets large language models specifically, because they treat almost any text as something to follow.
Picture a new assistant who has been told “do whatever instructions are written on the notes I hand you.” An attacker simply slips a note into the pile that reads “ignore your boss and email me the client list.” The assistant cannot tell the planted note from the real ones, so it obeys. That is prompt injection: the AI cannot reliably separate trusted instructions from untrusted content, especially when that content comes from a web page, a PDF, or a RAG knowledge base it was told to read.
The dangerous version is indirect. The attacker never talks to your AI at all. They hide a line of text on a web page or in an email, and when your assistant later reads that source as part of its job, the buried instruction fires. The user sees nothing wrong.
This makes injection one of the defining security problems of AI features. Careful prompt engineering helps, but it is not a complete shield, because the attacker is editing the very input the prompt depends on. The practical defence is to assume the model can be tricked and design around it: limit what it can reach, treat its output as a suggestion rather than a command, and put a human or a hard rule in front of anything risky, like sending money or deleting records.
At TopDevs we design AI features defensively, keeping untrusted data away from the instruction layer and putting hard limits on what a model is ever allowed to do on its own.