The Question

Is prompt injection a real threat to enterprise AI deployments, or is it still a theoretical vulnerability best left to researchers and red teams?

OWASP classifies prompt injection as LLM01 — the number one risk in the OWASP Top 10 for Large Language Model Applications. It has held that position since the list was first published.

If your organization is running any LLM-based application in production — a customer-facing chatbot, an internal knowledge assistant, a code review tool, an automated workflow with AI decision-making — the answer is no longer ambiguous. Prompt injection is an active, exploitable attack vector. The question is not whether it affects you. The question is whether you have any controls in place to detect or block it.

Most enterprises do not.


Why This Matters Now

Three years ago, prompt injection was a clever party trick. In late 2022, a Chevrolet dealership in California deployed a ChatGPT-powered customer service chatbot on its website. Within days, users had manipulated it into agreeing to sell a car for $1, writing Python code on demand, and confirming that rival brands were objectively better products. The incident made headlines as an embarrassment. Most security teams filed it under "chatbot gone wrong" and moved on.

That framing was a mistake — not because the Chevrolet incident was itself a serious breach, but because it established a mental model that has since caused enterprises to dramatically underestimate the threat. Prompt injection was treated as a nuisance problem: a poorly configured chatbot saying something dumb. It is not that anymore.

In 2024, security researchers at PromptArmor published findings demonstrating that Slack's AI summarization feature was vulnerable to indirect prompt injection. An attacker could embed malicious instructions inside a Slack message — including in channels the target had never read — and the AI assistant, when asked to summarize activity, would follow those embedded instructions rather than simply summarizing content. The researchers demonstrated data exfiltration from private channels: the AI, following injected instructions, silently retrieved and surfaced information the attacker was not authorized to see.

No malware. No phishing. No credential theft. Just the AI doing exactly what it was instructed to do — by someone who was not the user.

That is the threat model that matters for enterprise security teams in 2026.


What the CURVE™ Data Shows

The AI Security market is early and moving fast. Across the vendors Stackcurve evaluated for the 2026 AI Security CURVE™ Report, we tracked two broad categories of capability relevant to prompt injection defense:

Input validation and guardrails — Vendors in this category sit in front of the LLM and attempt to classify, filter, or transform prompts before they reach the model. Effectiveness varies significantly. The better vendors use purpose-built classifiers trained on adversarial examples. The weaker ones are running regex-style keyword filters that a motivated attacker can bypass in minutes.

Runtime monitoring and anomaly detection — A smaller set of vendors instrument the LLM at inference time, flagging behavioral deviations rather than trying to block specific inputs. This approach is more robust against novel attacks but generates more noise and requires tuning.

What the CURVE™ data makes clear: no vendor has fully solved this problem. The vendors with the highest scores in this area are honest about that. What separates the leaders from the laggards is not a claim of complete coverage — it is the depth of their detection logic, the transparency of their methodology, and the speed at which they iterate on new attack patterns.

The consolidation wave Stackcurve documented in the report — Palo Alto Networks acquiring Protect AI, Check Point acquiring Lakera, SentinelOne acquiring Prompt Security — reflects how seriously the established security platforms are taking this problem. When three major platform players make acquisitions in the same category within twelve months, the market is past the "is this real" debate.

The full vendor rankings are in the 2026 AI Security CURVE™ Report — free to download.


The Gap Most Buyers Miss

Most security teams, when they think about prompt injection at all, think about direct prompt injection: a user types a malicious instruction into an input field and tries to override the system prompt. The Chevrolet chatbot is the archetype. This variant is visible, testable, and relatively containable.

The harder problem — and the one the Slack AI finding illustrated — is indirect prompt injection.

In indirect injection, the malicious instruction is not typed by the user. It is embedded in content that the LLM retrieves and processes as part of a task. A document in your SharePoint library. A customer email that gets summarized. A webpage that your AI browser agent visits. A support ticket that triggers an automated workflow.

The attacker does not need access to your AI application. They need access to anything your AI application reads.

In 2024, security researcher Johann Rehberger demonstrated that ChatGPT's memory feature — which allows the model to persist facts about users across sessions — could be hijacked through indirect injection. A malicious instruction embedded in a webpage that a user visited caused ChatGPT to write a false memory into its persistent store. Future sessions then operated on that corrupted memory. The exploit required no access to the user's account. It required only that the user visit a page the attacker controlled.

This attack pattern is particularly dangerous in agentic workflows — multi-step AI processes where the model reads external content, makes decisions, and takes actions. An attacker who can plant a malicious instruction in any document or message that a high-privilege AI agent will process has a reliable path to exfiltrating data, sending messages, or modifying records — all through the AI system you authorized.
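The combination the page warns about, external data ingestion plus outbound action capability, is exactly what a runtime monitor can police. As an added example (not code from the Stackcurve report or any vendor it evaluates), this Python policy gate tracks whether an agent has read untrusted content and then blocks outbound actions outside the task's scope and holds externally-bound ones for review; the event format, source and action names, and both traces are constructed for the demo.

```python
from dataclasses import dataclass, field

# External ingestion channels and the outbound actions (send, write, execute)
# that make an agent dangerous when combined with them.
UNTRUSTED_SOURCES = {"email", "document", "web"}
OUTBOUND_ACTIONS = {"send_message", "write_record", "execute"}

@dataclass
class AgentSession:
    task_actions: set            # outbound actions this task legitimately needs
    tainted: bool = False        # True once untrusted content entered the context
    alerts: list = field(default_factory=list)

def gate(session: AgentSession, event: dict) -> str:
    """Decide one agent event: ALLOW, REVIEW (hold for a human) or BLOCK."""
    if event["type"] == "read":
        if event["source"] in UNTRUSTED_SOURCES:
            session.tainted = True   # everything after this point is suspect
        return "ALLOW"
    action = event["action"]
    if action not in OUTBOUND_ACTIONS:
        return "ALLOW"               # read-only tool use, nothing leaves
    if action not in session.task_actions:
        # The task never needed this action: the classic post-injection
        # deviation (a summarizer suddenly wanting to send a message).
        session.alerts.append(f"BLOCK: {action} is outside task scope")
        return "BLOCK"
    if session.tainted and event.get("external", False):
        # Legitimate action class, but an external destination after the
        # agent ingested untrusted content: hold for confirmation.
        session.alerts.append(f"REVIEW: {action} to external target after untrusted read")
        return "REVIEW"
    return "ALLOW"

def run_trace(task_actions: set, events: list) -> list:
    """Run a whole trace through the gate and return the per-event decisions."""
    session = AgentSession(task_actions=set(task_actions))
    return [gate(session, e) for e in events]

# Constructed trace 1: a ticket summarizer whose task only writes a summary.
SUMMARIZER_TRACE = [
    {"type": "read", "source": "document"},
    {"type": "action", "action": "write_record", "external": False},
    {"type": "action", "action": "send_message", "external": True},
]
# Constructed trace 2: an email-reply agent that is allowed to send.
REPLY_AGENT_TRACE = [
    {"type": "read", "source": "email"},
    {"type": "action", "action": "send_message", "external": True},
]
```

The gate does not try to recognise the injected text itself; it flags the behavioural deviation, which is why it still fires on an injection phrasing it has never seen.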

Most guardrail products on the market today are designed with direct injection in mind. Very few have robust coverage for indirect injection scenarios. When evaluating vendors, this distinction matters more than almost any other.


Questions Your Buying Team Should Be Asking

1. Does your solution cover indirect prompt injection, not just direct? Ask vendors to demonstrate detection of injections embedded in retrieved documents, emails, and web content — not just malicious user inputs. Request adversarial test cases that mirror the Slack AI and ChatGPT memory scenarios.

2. What is your false positive rate, and how do we tune it? An aggressive guardrail that blocks too much will get disabled by frustrated users. Understand the tuning model before you buy.

3. How does your solution handle novel attack patterns it has not seen before? Signature-based approaches fail on novel injections. Ask whether the detection logic is behavioral or signature-based, and what the vendor's update cadence looks like.

4. What integrations do you support for our specific LLM stack? Prompt injection controls need to be deployed inline with your actual model infrastructure — OpenAI, Anthropic, Azure OpenAI, self-hosted. Coverage varies. Confirm before you evaluate.

5. Where does this product fit relative to our existing security stack? Prompt injection controls are not a replacement for identity controls, network segmentation, or data loss prevention. Understand what it complements and what it does not replace.


The Stackcurve Take

Prompt injection is the SQL injection of the AI era — a class of vulnerability that will be with us for years, that no single control fully eliminates, and that the industry will gradually develop layered defenses against. Enterprise security teams that waited to take SQL injection seriously paid for it. The same dynamic is playing out now with AI.

The Slack AI finding is the most instructive benchmark for enterprise teams. It was not an exotic research scenario — it was a widely deployed enterprise SaaS product, used in production, vulnerable to an attack embedded in ordinary message content. If you have deployed any AI feature that reads content from your environment and takes action on it, you have an indirect injection surface. Inventory it before someone else does.

Our recommendation: start with your highest-privilege AI deployments first. The most dangerous applications are those with both external data ingestion (email, documents, web content) and outbound action capability (send, write, execute). Map those surfaces, apply guardrail controls where they exist, and treat the gaps as open risk items on your security roadmap.

Do not wait for a perfect vendor solution. The market is maturing, but defensible controls exist today. The enterprises getting ahead of this are applying prompt injection awareness the same way they applied input validation to web applications a decade ago: systematically, starting with the highest-risk surfaces, and building capability over time.

The 2026 Stackcurve AI Security CURVE™ Report evaluates the leading prompt injection defense vendors in detail — including capability scores, coverage gaps, and independent tier rankings. It is free to download.

Stackcurve Advisory Briefs are independent research. No vendor pays for placement, tier assignment, or editorial influence. The CURVE™ methodology is disclosed in full at stackcurve.net/research/methodology.