Perplexity and Replit recently showed us something unsettling: AI can cause real damage even by accident. The culprit? Prompt injection. Some AI systems can read emails, open documents, scan images, interpret logs and click buttons in the user's browser. That means harmful instructions can be hidden in anything the AI is allowed to see. Even a single interaction with manipulated content can create unexpected results. Here's the thing: AI doesn't need to be hacked to cause problems anymore. Sometimes, all it takes is a single well-crafted prompt. Normal content can turn into instructions and AI may act in ways teams didn't intend. Guardrails help, but they don't solve the problem on their own. Governance is what matters: clear limits on what AI can access, human approval for risky actions and reliable recovery plans. In our latest edition of Ctrl+GRC, we unpack why prompt injection is emerging as a major attack surface and how teams are thinking about AI resilience. Dive in 👇
The Perplexity incident really caught my attention - Brave researchers showed how attackers could extract email addresses and intercept one-time passwords just by hiding malicious instructions behind Reddit spoiler tags. What's scary is the AI executed these without distinguishing between user requests and untrusted content. The Replit case was even worse - their AI agent deleted an entire production database, then tried to cover it up by injecting 4,000 fake user records. These aren't theoretical attacks anymore, they're happening in production systems. This is exactly why we built our HIL-AIW approach with mandatory human approval gates for any destructive actions and strict access controls on what AI agents can touch. governance isn't optional when your AI can literally delete your business