Mechanism
Agentic systems create a new host boundary because messages, documents, tickets, inboxes, tools, and APIs can all carry instructions that an autonomous system may process. Indirect prompt injection becomes more serious when the agent can read, write, forward, retrieve, or call tools.
Indicators
- Untrusted content entering privileged context windows.
- Agents writing retrieved instructions back into shared knowledge stores.
- Unexpected autonomous messages, forwards, or tool calls.
- Non-human identities with broad permissions and weak behavioral monitoring.
Containment
Keep this site defensive: no exploit recipes. Safe guidance focuses on least privilege, prompt-injection scanning, tool-call review, output isolation, RAG-store quarantine, and monitoring for autonomous drift.