Cybercriminals Exploit AI Language Models Through Growing Prompt Injection Techniques

Unlike traditional cyberattacks that exploit software vulnerabilities, prompt injection targets an AI model's ability to interpret and follow natural language commands. Cybercriminals are increasingly exploiting this behaviour to bypass safeguards and potentially gain access to sensitive information.

According to Anna Collard, SVP of content strategy and Ciso advisor at KnowBe4 Africa, prompt injection represents the next phase of social engineering.

"Unlike traditional cyberattacks that target broken software, prompt injection tricks an AI agent using natural language to override its core programming," says Collard.

"It turns the model's ability to understand human speech and willingness to please against it, making the agent follow malicious commands as if they were legitimate requests."

The growing concern comes as organisations grant AI agents increasing access to business systems and sensitive information.

The World Economic Forum's Global Cybersecurity Outlook 2026 found that 87% of respondents identified AI-related vulnerabilities, including prompt injection, as one of the fastest-growing cybersecurity risks.

Collard warns that compromised AI agents could potentially expose confidential information, bypass security measures, or carry out unauthorised actions using their own access permissions.

"Think of prompt injection as phishing or social engineering for AI," she says.

"Just as a hacker tricks a human into clicking a link, a prompt injection tricks an AI agent into following a malicious instruction hidden in text."

Direct and hidden attacks

Prompt injection attacks generally fall into two categories: direct and indirect.

Direct prompt injection occurs when attackers interact directly with AI systems to manipulate or "jailbreak" their behaviour.

One widely cited example involved users manipulating an automotive dealership chatbot into agreeing to sell a vehicle for a fraction of its listed value after instructing the AI to act as a compliant assistant.

Indirect prompt injection is considered more difficult to detect because malicious instructions are concealed inside content processed by AI systems.

For example, an AI assistant summarising an invoice or email could unknowingly process hidden instructions embedded within the document. Those instructions could then direct the system to expose sensitive information or perform unauthorised actions without the user's knowledge.

Security approaches must evolve

Collard says organisations need to rethink traditional security awareness strategies as AI tools become more deeply embedded in business processes.

"We must teach employees that in the age of AI, data is the new code," she says.

"When you feed a document into an AI agent, it is executing its contents as if it were a string of code."

However, employee awareness alone is unlikely to be enough.

Security experts are increasingly advocating for layered protection measures that include automated safeguards capable of filtering inputs before they reach AI systems.

Other recommendations include restricting AI tools under least-privilege principles, limiting system access rights and introducing architectural controls that prevent AI agents from carrying out high-risk actions independently.

Collard says human oversight should remain part of the process but function as a strategic intervention point rather than a constant manual checkpoint.

By combining automated safeguards with tighter access controls, organisations can reduce dependence on human intervention and limit the impact of AI-related security threats.