Today, large language models are ubiquitous, embedded in everything from chatbots and coding assistants to research tools. They read documents, browse websites, summarize emails, and reason through structured data. As they become more deeply integrated into products and workflows, a subtle but critically important risk continues to grow: indirect command injection. This attack doesn’t rely on a person directly telling the model to ignore its rules. Instead, malicious instructions are hidden within content—web pages, PDFs, emails, shared documents, or API responses—that the AI ​​is then intended to process. The user believes they are simply asking the model to read and summarize information, but this content may contain text designed to influence the model’s behavior.

The key point is that the attacker never speaks directly to the system. They place manipulative content where the AI ​​system is likely to read it. The AI ​​then processes this content and may mistakenly treat the hidden instructions as a command, rather than as part of the document being analyzed. The user only sees the final AI output and may not realize that the upstream content is altering the system’s behavior. Consider a real-world example of AI-assisted browsing. A user asks an AI system to summarize a publicly available webpage. The page appears normal to a human reader: articles, headings, and text. However, hidden within the page’s content is hostile language designed to influence how the AI ​​behaves when it reads it. When the model produces the summary, its behavior is silently influenced by instructions the user never requested and likely never even noticed.

A second example arises in email automation. An AI assistant is connected to an inbox to prioritize messages and create response drafts. An email contains carefully crafted text designed to influence what the AI ​​will do with subsequent emails or how it will interpret messages in general. While the human recipient simply sees an ordinary email, the AI ​​encounters additional instructions embedded within it and can alter its behavior accordingly.

Another example arises in document co-piloting at work. A team uploads shared reports and files for AI to summarize and extract information. Hidden within one report is hostile text attempting to influence the AI’s responses. When someone later asks the AI ​​to make inferences from the entire document, this hidden content affects the output, even though it’s only a small part of the dataset. Indirect command injection becomes particularly risky when AI systems are dependent on tools and actions. Many modern systems allow AI to perform tasks such as searching, filling out forms, interacting with APIs, drafting messages, or triggering workflows. When an AI system can both follow instructions and perform actions, hostile text hidden within the data can lead to not only strange or off-topic responses but also real-world consequences.

This vulnerability stems from the fact that language models don’t naturally distinguish between text that describes something and text that tells them what to do. Instructions embedded within otherwise ordinary content can be interpreted as directives. This isn’t just a flaw in a single product, but a general characteristic of AI that follows instructions. Defending against indirect command injection requires layered thinking rather than relying on a single solution. External content such as websites, documents, emails, tickets, and API responses should be treated as untrusted input. AI commands should clearly distinguish trusted instructions—defining what the system is allowed to do—from untrusted content that the model is intended to analyze. Systems that link AI to tools or actions should implement least-privileged access, require explicit consent for sensitive activities, and enforce policies outside the model so that security doesn’t depend solely on the model’s internal logic. Users should also understand that AI output can be influenced by upstream content and that not all generated text is neutral simply because it comes from an AI system.

The broader lesson is that security today isn’t just about classic software vulnerabilities. It now also includes model behavior, data context, command design, tool integration, and human trust in the output generated by the AI. When an AI system reads untrusted content and can perform meaningful actions based on it, indirect command injection should be treated as a primary risk. The goal is not to move away from AI, but to integrate it into any critical technology.