Ariel Fogel: prompt injection remains an unsolved architectural problem
"Most organizations are deploying agents faster than they can govern them," Ariel Fogel said at Infosecurity Europe 2026.
That warning framed a short, pointed assessment delivered by Ariel Fogel, an AI security researcher in the office of the CTO at Pillar Security and a contributor to the Open Worldwide Application Security Project (OWASP). Speaking at Infosecurity Europe 2026, Fogel said the security community has long known about prompt injection but that it "has yet to be solved at a fundamental level." The reason, she argued, is architectural: large language models (LLMs) process instructions and data as a single token sequence, so there is no reliable mechanism to enforce privilege boundaries between the system prompt, the user's query and the content an agent retrieves. Anything in the context window can read as an instruction.
Agentic AI turns bad answers into active compromise
Fogel spelled out how the practical risk has shifted as AI agents gain tools and the ability to act. Where a successful prompt injection once produced merely a misleading or incorrect output, agents with tool access can take steps on behalf of users — turning an injection into a chain of real-world actions. In that environment, an exploited prompt can escalate from a "bad output to active compromise," she said, underscoring the difference between human-executed workflows and agentic automation.
Why traditional controls can fail: sandboxes, allow‑lists and manual review
According to Fogel, defenses that worked for human operators do not necessarily translate to agentic contexts. She noted several failure modes observed in research and practice: allow-lists, intended to constrain what an agent may run, streamlined exploitation in some prompt injection attacks because the commands the attacker needed were already on the approved list; in other cases, the agent's own output redefined its sandbox boundaries, effectively rewriting the containment that was intended to stop it. Those dynamics make containment harder at scale, she said, especially as organizations deploy agents quickly.
The 'Lethal Trifecta' and Meta's 'Rule of two' as heuristics, not guarantees
Fogel referenced two framing devices used by others in the community. She cited the "Lethal Trifecta," a concept coined by open-source developer Simon Willison that describes the dangerous combination of an AI agent having access to private data, being exposed to untrusted content and being allowed external communication. She also borrowed Meta's "Rule of two," which states that "an agent should satisfy no more than two of the trifecta properties within a session that doesn't require human approval." Fogel called both ideas "helpful heuristics for reducing blast radius" but cautioned that they do not provide complete defenses, noting that research has shown attacks can succeed with only two of the three properties present.
Containment at machine speed: monitoring, identity hygiene and joined incident response
Given current architectural limits, Fogel urged a shift beyond prevention-only thinking toward constraining what an injected agent can do. She recommended controls that operate at machine speed and at deployment scale: live behavioral monitoring, real‑time containment and stop mechanisms, and joined incident response between safety and security teams. She also called for stronger identity hygiene — including ephemeral credentials and cryptographic attestation — so actions are traceable and limited. "Monitoring infrastructure that operates on the same speed as agents is essential to catch and contain attacks that can unfold in minutes or hours," she said.
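The Rule of two above and the machine-speed containment Fogel describes here can be combined into one runtime gate. The following is an added example, not code from Fogel, Pillar Security or Meta: it models an agent session as a stream of tool calls, classifies each call into the trifecta properties it introduces (the tool-to-property mapping is an assumption for illustration), refuses any call that would give a session all three properties without human approval, and on a violation halts the session and revokes its ephemeral credential so later calls fail closed. The traces replayed at the bottom are constructed.

```python
"""Session-level Rule of two gate with automated containment (added example)."""
from dataclasses import dataclass, field
from typing import Optional
import secrets

PRIVATE_DATA = "private_data"
UNTRUSTED = "untrusted_content"
EXTERNAL = "external_comms"

# Hypothetical tool catalogue: which trifecta property each tool introduces.
# In a real deployment this mapping is part of the tool registry, not the prompt.
TOOL_PROPERTIES = {
    "read_mailbox":   {PRIVATE_DATA},
    "read_crm":       {PRIVATE_DATA},
    "fetch_url":      {UNTRUSTED},            # arbitrary web content is attacker-controllable
    "read_ticket":    {UNTRUSTED},            # customer-submitted text
    "send_email":     {EXTERNAL},
    "http_post":      {EXTERNAL},
    "fetch_and_post": {UNTRUSTED, EXTERNAL},  # one tool can add two properties at once
    "summarize":      set(),                  # pure computation, adds nothing
}


@dataclass
class Session:
    session_id: str
    human_approved: bool = False
    credential: Optional[str] = None          # ephemeral, revoked on containment
    properties: set = field(default_factory=set)
    contained: bool = False
    audit: list = field(default_factory=list)


def open_session(human_approved: bool = False) -> Session:
    """Mint a per-session identity and a short-lived credential for the agent."""
    return Session(session_id=secrets.token_hex(4),
                   human_approved=human_approved,
                   credential=secrets.token_urlsafe(16))


def contain(session: Session, reason: str) -> None:
    """Stop mechanism: freeze the session and revoke its credential immediately."""
    session.contained = True
    session.credential = None
    session.audit.append(("contain", reason))


def authorize(session: Session, tool: str):
    """Decide a single tool call. Returns (allowed, reason) and updates session state.

    The decision is based on the cumulative properties of the whole session, not
    on the call in isolation, because the trifecta is a property of a session.
    """
    if session.contained:
        return False, "session contained"
    if tool not in TOOL_PROPERTIES:
        return False, "unknown tool"          # default deny, never an allow-list guess
    proposed = session.properties | TOOL_PROPERTIES[tool]
    if len(proposed) == 3 and not session.human_approved:
        contain(session, f"{tool} would complete the trifecta")
        return False, "rule of two violated"
    session.properties = proposed
    session.audit.append(("allow", tool, tuple(sorted(proposed))))
    return True, "ok"


def run_trace(trace, human_approved: bool = False) -> Session:
    """Replay a list of tool calls through the gate and return the final session."""
    session = open_session(human_approved)
    for tool in trace:
        authorize(session, tool)
    return session


if __name__ == "__main__":
    # Constructed trace: an injected support ticket steers the agent to read CRM
    # records and post them out. The third property is refused and the session dies.
    s = run_trace(["read_ticket", "read_crm", "http_post", "summarize"])
    for record in s.audit:
        print(record)
    # The same trace in a human-approved session is allowed through.
    print(run_trace(["read_ticket", "read_crm", "http_post"], human_approved=True).audit)
```

Note what the gate does not do: a session that only combines untrusted content and external communication (for example `fetch_and_post`) passes without approval, which is exactly the two-property case Fogel says attacks have already exploited. The gate reduces blast radius; the behavioral monitoring and incident response she calls for still have to cover the sessions it lets through.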
What this means for technologists, procurement leaders and security teams
- Technologists and security teams: Expect to rework runtime and session design to bake in tighter identity and session controls and to prioritize automated containment and behavioral monitoring over manual review alone, per Fogel’s guidance.
- Procurement and deployment leaders: The rapid pace of agent deployment without commensurate governance — the situation Fogel highlighted — suggests procurement choices should be paired with operational plans for machine‑speed monitoring and incident playbooks that bridge safety and security.
- Safety and incident responders: Fogel’s call for joined incident response points to the need for cross-disciplinary playbooks that allow safety teams to act in real time alongside security teams when an agentic workflow is compromised.
Fogel's bottom line at Infosecurity Europe was stark: until models and runtimes can enforce firm privilege separations, defenders must rely on rapid detection, automated containment, tighter identity and session design, and cross-disciplinary incident playbooks to manage a risk that has shifted from erroneous outputs to compromise that can unfold in minutes or hours.
https://www.infosecurity-magazine.com/news/infosec-europe-prompt-injection/