OpenAI said the quiet part out loud recently. Prompt injection isn’t getting solved. Not patched, not engineered away in the next release. It’s a permanent property of how these systems work, and the company building the most popular ones told everyone that directly. Then everyone kept shipping autonomous agents anyway.
A recent survey found that only about a third of organizations have any dedicated defense against prompt injection. Gartner expects 40% of enterprise apps to have AI agents wired in by the end of this year. Last year that number was under 5%.
So the tools are going into production faster than anyone can secure them. And the response I keep seeing from boards and risk committees is a one-page AI policy and a vendor promise.
A policy is not a control
“We have an AI policy” has quietly become the new “we passed the audit.” A document that exists so someone can point to it in a meeting. It feels like progress. It is not protection.
A control is something that does work when an attacker shows up. A policy that says “employees should use AI responsibly” does nothing when an agent with access to your inbox and your file share reads an instruction hidden inside a PDF and follows it. The policy was on the shared drive the whole time. It changed nothing.
If your last AI risk conversation produced a paragraph, a sign-off and no test, you don’t have AI governance. You have a screenshot of it.
What prompt injection actually is
An AI agent reads text and takes action based on that text. It cannot reliably tell the difference between an instruction you gave it and an instruction someone hid in the data it’s reading. A web page, an email, a support ticket, a vendor invoice. All of it is just text the model trusts.
Microsoft showed this in May. A single prompt was enough to launch code on the machine running the AI agent. No malicious attachment, no browser exploit, no memory corruption bug. Just words the model read and acted on. The attack surface is the thing the agent is for.
That is why OpenAI can’t promise to fix it. The behavior they can’t secure is the behavior they’re selling.
You already have a framework for this
If you run security at a bank, you are not starting from zero here, and you don’t need a new committee. You have model risk management. SR 11-7 has existed for years and it was built for exactly this shape of problem. A system that produces outputs you act on, that can be wrong in ways you didn’t anticipate.
Treat the agent like a model, because that’s what it is. Know what data it can touch. Know what actions it can take. Know who validated it before it went live and what happens when it’s wrong. That last one is the question almost nobody asks before they connect an AI assistant to something that matters.
The real failure mode isn’t the hacker
The thing that takes organizations down here isn’t the sophisticated attacker in the threat briefing. It’s the employee who connects an AI tool to the CRM because it saves twenty minutes a day, and nobody asked what that tool could reach. The secure way was slower, so they routed around it. They always will.
You don’t fix that with a stern policy. You fix it by making the secure path the easy path. Give people an approved tool that actually works, scope its access down before they ask, and the shortcut stops being worth taking. Ban AI with a memo and you just move all of it to personal accounts you can’t see.
What to actually do
Inventory where AI agents already have access in your environment. Most teams find more than they expected, because adoption happened bottom-up while leadership was writing the policy.
Scope that access down. An agent that summarizes documents does not need write access to your systems.
Stop letting “we have a policy” stand in for testing. Put an agent in front of a hostile input and watch what it does. Once.
And run AI tool adoption through the same gate as any vendor. Onboarding with teeth, not a questionnaire nobody reads.
The companies that get hurt over the next year won’t be the ones that moved too slow on AI. They’ll be the ones who confused having a document with having a control. If your AI policy has never been tested against an actual agent, now is the time to find out what it’s worth. Book a call and we’ll pressure-test it together.
