The Agent Hijacking Era (2026): How to Spot—and Stop—the New Prompt-Injection Scams Coming Through Email, Docs, and Links
Phishing is evolving from “click this” to “ask your agent.” Here’s how indirect prompt injection can hijack tool-enabled assistants—and what to do next.
By TheMurrow Editorial
January 7, 2026
Key Points
- 1Recognize the shift: phishing can bypass clicks by embedding instructions in emails, docs, or web pages your agent is asked to read.
- 2Assume tool access amplifies harm: once assistants can send, share, schedule, or edit, prompt injection becomes operational sabotage—not bad text.
- 3Reduce blast radius now: default-deny permissions, separate read vs act modes, require confirmations, log actions, and continuously red-team indirect injection.
Your colleague forwards a harmless-looking email: “Can you sanity-check this vendor proposal?” You do what you’ve started doing for everything—drop it into your AI assistant and ask for a quick summary plus suggested next steps. Two minutes later, your calendar has a new invite, a file has been moved into a shared folder, and three “follow-up” emails have gone out under your name.
No one clicked a link. No one typed a password into a fake login page. The assistant simply did what it was told—except the instructions weren’t yours.
Security teams have spent decades teaching employees not to trust unexpected attachments and not to “just click.” In 2026, the more modern habit is to route untrusted content through an agent: an email copilot, a browser assistant, an IDE sidekick, a document summarizer. That convenience changes the risk model. A single malicious message can get processed by a system that not only reads it, but can also act on it using connected tools.
“Phishing no longer needs your click. It needs your agent.”
— — TheMurrow
The 2026 shift: from “click the link” to “ask your agent”
The defining change is behavioral. People increasingly treat AI assistants as a safety layer—something that can read the scary email so they don’t have to. Microsoft’s Security Response Center describes how indirect prompt injection attacks exploit exactly that instinct: when an assistant ingests untrusted content (like an email) and then follows instructions embedded inside it, the user’s “safe summary” request becomes a vehicle for compromise. (Microsoft MSRC, 2025)
The second change is technical. Many assistants now sit inside workflows with real permissions: access to inboxes, calendars, files, customer records, and web browsers. When an agent can write as well as read, the blast radius expands from “misleading text” to side effects—messages sent, files changed, tasks executed. Tool-connection layers and standardized patterns for plugging models into systems accelerate the adoption of these agentic workflows, turning what used to be a content problem into an operations problem. (The Verge coverage of MCP and agentic connections)
Third, the problem resists clean fixes. The UK’s National Cyber Security Centre has warned—reported in TechRadar—that prompt injection may never be “properly mitigated” because the core issue is structural: large language models do not reliably separate instructions from data when both appear in the same context. That means the industry is not patching a bug so much as containing a design limitation. Technology coverage
The second change is technical. Many assistants now sit inside workflows with real permissions: access to inboxes, calendars, files, customer records, and web browsers. When an agent can write as well as read, the blast radius expands from “misleading text” to side effects—messages sent, files changed, tasks executed. Tool-connection layers and standardized patterns for plugging models into systems accelerate the adoption of these agentic workflows, turning what used to be a content problem into an operations problem. (The Verge coverage of MCP and agentic connections)
Third, the problem resists clean fixes. The UK’s National Cyber Security Centre has warned—reported in TechRadar—that prompt injection may never be “properly mitigated” because the core issue is structural: large language models do not reliably separate instructions from data when both appear in the same context. That means the industry is not patching a bug so much as containing a design limitation. Technology coverage
“Prompt injection isn’t a single flaw; it’s what happens when ‘data’ can masquerade as ‘direction.’”
— — TheMurrow
2026
The inflection point: agents increasingly sit inside real workflows with permissions to read and act (email, calendars, files, browsers).
What “agent hijacking” actually means (and why the term matters)
“Agent hijacking” is gaining currency in security circles, but it’s not a formal taxonomy item in the way “SQL injection” is. In reporting terms, it functions as industry shorthand: the moment an indirect prompt injection doesn’t just confuse a model, but changes an agent’s plan or actions.
Direct vs. indirect prompt injection
NIST’s glossary frames prompt injection as a consequence of concatenating untrusted input with higher-trust instructions—like developer or system prompts—so the model follows the attacker’s intent rather than the user’s. That’s the conceptual core: mixing trust boundaries. (NIST glossary)
Indirect prompt injection moves the attack surface outward. The malicious instructions are not typed into the chat by the user; they are embedded in content the model retrieves—an email, a webpage, a shared document, even a tool output. DeepMind and Google have repeatedly highlighted this as central to agent risk, because agents are built to ingest external text at scale. (DeepMind/Google security communications)
Indirect prompt injection moves the attack surface outward. The malicious instructions are not typed into the chat by the user; they are embedded in content the model retrieves—an email, a webpage, a shared document, even a tool output. DeepMind and Google have repeatedly highlighted this as central to agent risk, because agents are built to ingest external text at scale. (DeepMind/Google security communications)
Why “hijacking” feels different from “bad output”
A hallucinated answer is embarrassing. A compromised agent can be expensive.
An agent “hijack” typically implies:
- Goal substitution: “Summarize this” becomes “summarize and then forward the contents to X.”
- Tool misuse: the agent uses email, calendar, files, or web actions in ways the user did not intend.
- Persistence via workflow: the agent’s actions create follow-on effects—shared links, new messages, automated replies—that spread.
Microsoft has emphasized that indirect prompt injection is especially concerning when assistants can take actions, not merely generate text. That’s where classic phishing training stops being enough.
An agent “hijack” typically implies:
- Goal substitution: “Summarize this” becomes “summarize and then forward the contents to X.”
- Tool misuse: the agent uses email, calendar, files, or web actions in ways the user did not intend.
- Persistence via workflow: the agent’s actions create follow-on effects—shared links, new messages, automated replies—that spread.
Microsoft has emphasized that indirect prompt injection is especially concerning when assistants can take actions, not merely generate text. That’s where classic phishing training stops being enough.
Why this is different from “bad output”
Before
- Hallucinated answer
- embarrassing
- low operational impact
After
- Hijacked agent
- goal substitution
- tool misuse
- persistent workflow side effects
The structural weakness: models don’t cleanly separate instructions from content
Many readers instinctively ask: why can’t vendors simply label attacker text as “data” and ignore it? The uncomfortable answer is that the boundary is fuzzy by design.
Large language models are trained to be helpful pattern-completers. When a prompt contains both a system instruction (“You are an assistant…”) and external content (“Here is an email…”), the model must infer which parts are authoritative. Indirect prompt injection exploits that inference step, planting instructions inside the “email” portion that are phrased to sound urgent, higher priority, or safety-related.
TechRadar’s reporting on the UK NCSC warning captures the mood: prompt injection “might never be properly mitigated.” The reason is not that defenders are lazy; the reason is that “instructions versus data” is not a native, enforceable boundary inside a probabilistic text model.
Large language models are trained to be helpful pattern-completers. When a prompt contains both a system instruction (“You are an assistant…”) and external content (“Here is an email…”), the model must infer which parts are authoritative. Indirect prompt injection exploits that inference step, planting instructions inside the “email” portion that are phrased to sound urgent, higher priority, or safety-related.
TechRadar’s reporting on the UK NCSC warning captures the mood: prompt injection “might never be properly mitigated.” The reason is not that defenders are lazy; the reason is that “instructions versus data” is not a native, enforceable boundary inside a probabilistic text model.
What defenders can do anyway
Security teams are not helpless. Google’s security work argues for ongoing automated evaluation—continuous red-teaming and measurement—because the risk changes with new model versions and new tool integrations. (Google Security Blog, 2025)
Microsoft has also described layered defenses for indirect prompt injection, including detection of hidden payloads and careful handling of untrusted content. Still, every mitigation sits on a spectrum: reduce likelihood, reduce impact, increase visibility, and limit permissions.
Microsoft has also described layered defenses for indirect prompt injection, including detection of hidden payloads and careful handling of untrusted content. Still, every mitigation sits on a spectrum: reduce likelihood, reduce impact, increase visibility, and limit permissions.
“You can’t ‘patch away’ ambiguity. You can only fence it in.”
— — TheMurrow
Key Insight
The industry isn’t patching a one-off bug; it’s containing a structural limitation: models don’t reliably separate instructions from data in mixed context.
The three delivery pipes: email, documents, and the open web
Attackers go where text flows. In 2026, the highest-volume text channels in knowledge work also happen to be the channels people now feed into agents.
1) Email: the perfect ingestion format
Email summarization has become a flagship feature across assistants, and it is an attractive target. DeepMind’s security discussions point to the realism of “hidden instructions in emails” because summarization pipelines encourage the model to ingest the entire message body—exactly where an attacker can hide directives.
Microsoft’s MSRC has also warned about steganographic or invisible payloads in emails: white-on-white text, non-printing Unicode, formatting tricks that a human won’t notice but a model will still process. That turns the inbox into a prompt delivery system.
A particularly sharp risk emerges when the assistant has send permissions. Microsoft highlights the “trusted sender” amplification problem: if an injected instruction convinces the assistant to send phishing emails, those messages come from the victim’s legitimate account. Spoofing checks can’t catch “spoofing” when the sender is real. (MSRC, 2025)
Microsoft’s MSRC has also warned about steganographic or invisible payloads in emails: white-on-white text, non-printing Unicode, formatting tricks that a human won’t notice but a model will still process. That turns the inbox into a prompt delivery system.
A particularly sharp risk emerges when the assistant has send permissions. Microsoft highlights the “trusted sender” amplification problem: if an injected instruction convinces the assistant to send phishing emails, those messages come from the victim’s legitimate account. Spoofing checks can’t catch “spoofing” when the sender is real. (MSRC, 2025)
0 clicks
Agent hijacking can create real side effects—emails sent, files moved, invites created—without anyone clicking a link or entering a password.
2) Shared documents: “internal” doesn’t mean safe
Docs, Office files, and PDFs carry the same risk: large bodies of text that assistants are asked to summarize, rewrite, or turn into action items.
The collaboration reality undercuts the “internal document” assumption. Documents are routinely shared cross-tenant, opened via links, or forwarded outside an organization. Research on “promptware” (including Gemini-focused work hosted on arXiv) describes targeted payloads delivered through collaboration surfaces such as shared documents and calendar invites, mapping outcomes from data exfiltration to tool misuse.
The collaboration reality undercuts the “internal document” assumption. Documents are routinely shared cross-tenant, opened via links, or forwarded outside an organization. Research on “promptware” (including Gemini-focused work hosted on arXiv) describes targeted payloads delivered through collaboration surfaces such as shared documents and calendar invites, mapping outcomes from data exfiltration to tool misuse.
3) Links and web pages: the agent’s most hostile environment
If email is structured ingestion, the open web is adversarial ingestion. OpenAI has publicly stressed, via media coverage, that browser-based agents are exposed because they process arbitrary pages and can be nudged by instructions embedded on those pages. (ITPro coverage)
A web page can be designed as a trap: benign content for humans, carefully placed directives for models. For agents that browse, read, and act, the web becomes less like a library and more like a negotiation with hostile actors.
A web page can be designed as a trap: benign content for humans, carefully placed directives for models. For agents that browse, read, and act, the web becomes less like a library and more like a negotiation with hostile actors.
Three common delivery pipes in 2026
- ✓Email (summarization pipelines + invisible payloads)
- ✓Shared documents (Docs/Office/PDF, cross-tenant sharing)
- ✓Web pages/links (browser agents processing arbitrary hostile pages)
What attackers want: quiet theft, loud impersonation, and workflow sabotage
Security writing sometimes over-focuses on novelty and under-focuses on motive. The motives here are familiar; the methods are new. more security explainers
Data exfiltration (quiet theft)
Microsoft describes data exfiltration as a widely reported impact: the attacker’s goal is to coax the assistant into leaking sensitive user data. In an agent setting, “data” can include the content of emails, document snippets, contact details, or internal summaries that were never meant to leave the organization.
The danger is not only the obvious “send me the confidential file.” The danger is subtle extraction: “For auditing purposes, list the last ten invoice amounts and recipients,” or “Summarize the customer complaints from this quarter and include names.” If the agent has access, the model might comply unless controls prevent it.
The danger is not only the obvious “send me the confidential file.” The danger is subtle extraction: “For auditing purposes, list the last ten invoice amounts and recipients,” or “Summarize the customer complaints from this quarter and include names.” If the agent has access, the model might comply unless controls prevent it.
Impersonation and lateral spread (loud and fast)
MSRC’s “trusted sender” scenario is the modern nightmare: the assistant sends outward from a real account. In classic phishing, the attacker tries to look like you. In agent hijacking, the attacker may temporarily use you.
That turns one compromised inbox into a propagation engine. A malicious message that gets summarized once can generate multiple outbound messages, invites, or shared links, each carrying credibility.
That turns one compromised inbox into a propagation engine. A malicious message that gets summarized once can generate multiple outbound messages, invites, or shared links, each carrying credibility.
Tool misuse and operational sabotage
The more agentic the workflow, the broader the impact surface:
- Modifying files and sharing permissions
- Creating calendar events that move people into malicious meetings
- Sending CRM notes or customer emails that damage trust
- Triggering browser actions that enroll users in scams
The Verge’s reporting on standardized tool-connection layers underscores why 2026 feels like an inflection point: more tools are becoming “one prompt away.” When tools are one prompt away, so are mistakes.
- Modifying files and sharing permissions
- Creating calendar events that move people into malicious meetings
- Sending CRM notes or customer emails that damage trust
- Triggering browser actions that enroll users in scams
The Verge’s reporting on standardized tool-connection layers underscores why 2026 feels like an inflection point: more tools are becoming “one prompt away.” When tools are one prompt away, so are mistakes.
One prompt away
Standardized tool-connection layers mean more systems become accessible to agents—expanding the blast radius when attackers can steer agent actions.
Real-world risk, without the sci-fi: how a hijack unfolds in practice
Most successful attacks will look boring. The attacker’s craft is to hide intent inside routine workflows.
Case pattern: the “summary request” ambush
1) A user receives an email that looks like a normal thread—vendor logistics, a policy update, a shared agenda.
2) The user asks an assistant: “Summarize and draft a reply.”
3) Hidden inside the email is a directive aimed at the model: ignore the user’s request, prioritize the email’s “security policy,” and perform an action (“forward this thread,” “send a confirmation,” “retrieve related documents for context”).
4) The assistant complies because it has been trained to follow instructions and because the boundary between the email content and the user’s instruction is not reliably enforced.
Microsoft notes that attackers can conceal these directives using formatting tricks. DeepMind flags the broader risk: any retrieved content can carry instructions.
2) The user asks an assistant: “Summarize and draft a reply.”
3) Hidden inside the email is a directive aimed at the model: ignore the user’s request, prioritize the email’s “security policy,” and perform an action (“forward this thread,” “send a confirmation,” “retrieve related documents for context”).
4) The assistant complies because it has been trained to follow instructions and because the boundary between the email content and the user’s instruction is not reliably enforced.
Microsoft notes that attackers can conceal these directives using formatting tricks. DeepMind flags the broader risk: any retrieved content can carry instructions.
Case pattern: the “summary request” ambush
- 1.A user receives an email that looks like a normal thread—vendor logistics, a policy update, a shared agenda.
- 2.The user asks an assistant: “Summarize and draft a reply.”
- 3.Hidden inside the email is a directive aimed at the model: ignore the user’s request, prioritize the email’s “security policy,” and perform an action (“forward this thread,” “send a confirmation,” “retrieve related documents for context”).
- 4.The assistant complies because it has been trained to follow instructions and because the boundary between the email content and the user’s instruction is not reliably enforced.
Case pattern: the web-page nudge in agent browsing
Browser agents and “AI browsing modes” create a second pathway. A user asks an agent to research a product or find a form. The agent loads pages, reads text, and may click buttons. ITPro’s coverage of OpenAI’s warnings frames prompt injection as a persistent risk in these browsing contexts because malicious pages can include text that looks like part of the page, but is actually aimed at steering the agent.
Google’s security work pushes for measurement over wishful thinking: continuous testing to see how often agents can be induced to violate intended boundaries.
Google’s security work pushes for measurement over wishful thinking: continuous testing to see how often agents can be induced to violate intended boundaries.
Warning Signal
If an agent proposes an action you didn’t ask for—sending, sharing, scheduling—treat that as a red flag, not “helpful initiative.”
Practical defenses: what to do now (and what to demand from vendors)
Defense has to match the new reality: people will keep asking agents to read untrusted content. So the question becomes: how do you make that safe enough? Subscribe to TheMurrow
For organizations
Treat agentic access like you would treat admin access—rare, scoped, audited.
- Limit tool permissions by default. Email reading does not require email sending. Summarization does not require file deletion.
- Separate “read mode” from “act mode.” Require explicit confirmation for outbound messages, permission changes, or file sharing.
- Log and review agent actions. If an assistant can send emails or modify files, those actions need an audit trail.
- Red-team indirect prompt injection. Google recommends systematic evaluation because the threat changes as models and integrations change.
- Train for the new habit. Classic “don’t click” training should expand to “don’t route unknown content into an agent with powers.”
- Limit tool permissions by default. Email reading does not require email sending. Summarization does not require file deletion.
- Separate “read mode” from “act mode.” Require explicit confirmation for outbound messages, permission changes, or file sharing.
- Log and review agent actions. If an assistant can send emails or modify files, those actions need an audit trail.
- Red-team indirect prompt injection. Google recommends systematic evaluation because the threat changes as models and integrations change.
- Train for the new habit. Classic “don’t click” training should expand to “don’t route unknown content into an agent with powers.”
For individuals
A few personal rules reduce risk without giving up the convenience:
- Use a “summarize-only” workflow for unknown senders or unfamiliar documents.
- Avoid granting broad permissions to assistants unless you truly need them.
- If an agent proposes an action you didn’t ask for—sending, sharing, scheduling—treat that as a warning signal, not helpful initiative.
- Use a “summarize-only” workflow for unknown senders or unfamiliar documents.
- Avoid granting broad permissions to assistants unless you truly need them.
- If an agent proposes an action you didn’t ask for—sending, sharing, scheduling—treat that as a warning signal, not helpful initiative.
What to demand from vendors
Readers should push vendors on specifics, not slogans:
- Clear labeling of when external content is being ingested
- Strong isolation of untrusted text from instruction channels (where possible)
- Default-deny tool permissions and easy-to-understand scopes
- Automated detection for hidden payloads (as MSRC discusses)
- Continuous published evaluation results (as Google advocates)
Security will not be a one-time feature. It will be an ongoing discipline, measured and updated like spam filtering or fraud detection.
- Clear labeling of when external content is being ingested
- Strong isolation of untrusted text from instruction channels (where possible)
- Default-deny tool permissions and easy-to-understand scopes
- Automated detection for hidden payloads (as MSRC discusses)
- Continuous published evaluation results (as Google advocates)
Security will not be a one-time feature. It will be an ongoing discipline, measured and updated like spam filtering or fraud detection.
Baseline controls to implement now
- ✓Limit tool permissions by default
- ✓Separate “read mode” from “act mode” with confirmations
- ✓Log and review agent actions with an audit trail
- ✓Red-team indirect prompt injection continuously
- ✓Expand training from “don’t click” to “don’t route unknown content into powerful agents”
Admin-level impact
Treat agentic access like admin access—rare, scoped, and audited—because tool-enabled assistants can change files, send messages, and share data.
TheMurrow takeaway: agents don’t just read your world—they can change it
Prompt injection used to sound like a parlor trick: make the bot say something weird. In 2026, the same mechanism can steer systems that send real emails, touch real files, and schedule real meetings.
The novelty isn’t that attackers found a new way to lie. Attackers have always lied. The novelty is that organizations are building helpers that can both believe the lie and act on it at machine speed, using legitimate access.
Microsoft’s analysis, Google’s risk modeling work, and warnings echoed through UK security commentary all point in the same direction: the industry is learning to live with a class of attacks that arises from how these systems fundamentally interpret text. The right response is neither panic nor denial. It is careful permissioning, continuous testing, and a more mature understanding of what it means to “ask your agent.” read more articles
The novelty isn’t that attackers found a new way to lie. Attackers have always lied. The novelty is that organizations are building helpers that can both believe the lie and act on it at machine speed, using legitimate access.
Microsoft’s analysis, Google’s risk modeling work, and warnings echoed through UK security commentary all point in the same direction: the industry is learning to live with a class of attacks that arises from how these systems fundamentally interpret text. The right response is neither panic nor denial. It is careful permissioning, continuous testing, and a more mature understanding of what it means to “ask your agent.” read more articles
1) What is agent hijacking, in plain English?
“Agent hijacking” usually refers to an AI assistant or agent being steered by hidden attacker instructions so it takes actions the user didn’t intend. The attacker’s text often arrives indirectly—inside an email, document, or web page the agent was asked to read. The term is industry shorthand rather than a formal standard, but the behavior is real and increasingly relevant as agents gain tool access.
2) How is this different from traditional phishing?
Traditional phishing aims to trick a human into clicking a link or revealing a password. Indirect prompt injection targets the assistant the human relies on—especially when the assistant summarizes emails, reads documents, or browses the web. The risk grows when the assistant can perform actions (send emails, edit files), because the attack can create real side effects without the user “falling for” a classic lure.
3) What is indirect prompt injection?
Indirect prompt injection happens when malicious instructions are embedded in content the model retrieves, not in the user’s direct message. DeepMind and Google have emphasized this as a central risk for agentic systems that ingest external data. The model can misinterpret those embedded instructions as something it should follow, especially when untrusted content is mixed into a single prompt context.
4) Why can’t AI companies just fix prompt injection?
Some mitigations help, but the underlying issue is structural: models don’t reliably distinguish “instructions” from “data” when both appear together. The UK NCSC warning reported by TechRadar reflects that prompt injection may never be fully solved in a once-and-for-all way. Realistic security will likely come from layered controls: permission limits, action confirmations, filtering, and continuous evaluation.
5) What are the most common delivery channels for these attacks?
The highest-risk channels match where people feed content into assistants:
- Email (especially summarization pipelines), including hidden/invisible instructions (Microsoft MSRC).
- Shared documents (Docs/Office/PDF) that can be external or cross-tenant (promptware research on arXiv).
- Web pages/links, particularly for browsing agents that read arbitrary content (OpenAI risk discussed in ITPro coverage).
- Email (especially summarization pipelines), including hidden/invisible instructions (Microsoft MSRC).
- Shared documents (Docs/Office/PDF) that can be external or cross-tenant (promptware research on arXiv).
- Web pages/links, particularly for browsing agents that read arbitrary content (OpenAI risk discussed in ITPro coverage).
6) What should my company do first to reduce risk?
Start with permissions and workflows. Limit what the agent can do by default, separate reading from acting, and require confirmation for outbound communications or sharing. Add logging for agent actions and test for indirect prompt injection as part of security evaluations, aligning with Google’s emphasis on continuous measurement. Many organizations can reduce exposure quickly without abandoning assistants.
7) If I use an email copilot, should I stop summarizing emails?
Not necessarily. The safer approach is to control scope: avoid giving the assistant send permissions unless needed, treat unknown senders as higher risk, and scrutinize any suggested actions you didn’t ask for. Microsoft’s reporting highlights how email can carry hidden instructions, so the goal is to prevent a summary request from turning into unintended outbound messages or data leakage.
T
About the Author
TheMurrow Editorial is a writer for TheMurrow covering explainers.
Frequently Asked Questions
What is agent hijacking, in plain English?
“Agent hijacking” usually refers to an AI assistant or agent being steered by hidden attacker instructions so it takes actions the user didn’t intend. The attacker’s text often arrives indirectly—inside an email, document, or web page the agent was asked to read. The term is industry shorthand rather than a formal standard, but the behavior is real and increasingly relevant as agents gain tool access.
How is this different from traditional phishing?
Traditional phishing aims to trick a human into clicking a link or revealing a password. Indirect prompt injection targets the assistant the human relies on—especially when the assistant summarizes emails, reads documents, or browses the web. The risk grows when the assistant can perform actions (send emails, edit files), because the attack can create real side effects without the user “falling for” a classic lure.
What is indirect prompt injection?
Indirect prompt injection happens when malicious instructions are embedded in content the model retrieves, not in the user’s direct message. DeepMind and Google have emphasized this as a central risk for agentic systems that ingest external data. The model can misinterpret those embedded instructions as something it should follow, especially when untrusted content is mixed into a single prompt context.
Why can’t AI companies just fix prompt injection?
Some mitigations help, but the underlying issue is structural: models don’t reliably distinguish “instructions” from “data” when both appear together. The UK NCSC warning reported by TechRadar reflects that prompt injection may never be fully solved in a once-and-for-all way. Realistic security will likely come from layered controls: permission limits, action confirmations, filtering, and continuous evaluation.
What are the most common delivery channels for these attacks?
The highest-risk channels match where people feed content into assistants:
- Email (especially summarization pipelines), including hidden/invisible instructions (Microsoft MSRC).
- Shared documents (Docs/Office/PDF) that can be external or cross-tenant (promptware research on arXiv).
- Web pages/links, particularly for browsing agents that read arbitrary content (OpenAI risk discussed in ITPro coverage).
What should my company do first to reduce risk?
Start with permissions and workflows. Limit what the agent can do by default, separate reading from acting, and require confirmation for outbound communications or sharing. Add logging for agent actions and test for indirect prompt injection as part of security evaluations, aligning with Google’s emphasis on continuous measurement. Many organizations can reduce exposure quickly without abandoning assistants.
