A few months ago I watched someone demo an internal AI assistant during a meeting that had already gone twenty minutes longer than planned. The assistant was impressive in the way modern AI demos often are. It could search internal documentation, summarize tickets, query databases, create tasks, and pull information from half a dozen connected systems. Every time a new capability appeared, somebody on the call nodded approvingly because another annoying piece of work had just disappeared.

Then somebody uploaded a document.

Nothing exploded. There were no warning messages or obvious failures. The assistant answered a few questions strangely, referenced information that seemed slightly out of place, and began responding with a confidence that no longer matched reality. The issue ended up being minor, but the interesting part was how long it took anyone to understand where the behavior had changed. Everyone looked at the outputs first. The problem had entered much earlier, with the document.

This is usually how prompt injection appears in production environments. Not as a dramatic compromise. More often as subtle behavioral drift that accumulates until trust starts eroding around the edges. The instructions that cause it do not have to come from the person typing into the chat box; they can ride along in anything the model reads, whether that is an uploaded file, a ticket, or a search result.

Security conversations around large language models still lean heavily toward theatrical examples because they are easy to demonstrate. Somebody pastes a jailbreak prompt into a chatbot. The model ignores instructions. Screenshots spread around social media for a week. These examples matter, but they create a misleading picture because modern LLM systems rarely operate as isolated chat windows anymore.