SQL injection was fixable. Prompt injection is not — at least not in the same way.
Schneier and co have published a paper reframing AI prompt injection attacks as "promptware" — a full seven-stage kill chain modelled on traditional malware campaigns like Stuxnet and NotPetya.
The kill chain
The seven stages are: initial access via prompt injection (direct or indirect), privilege escalation past safety guardrails, reconnaissance of connected tools and services, persistence through long-term memory or databases, command and control via live instructions fetched from the internet, lateral movement across users and systems, and finally action on objective — data exfiltration, fraud, or code execution.
Most organisations' AI security posture starts and ends at "don't paste sensitive data into ChatGPT." That covers roughly stage one of seven.
The uncomfortable truth
LLMs fundamentally cannot distinguish between trusted instructions and untrusted data. It's all just tokens. There's no architectural boundary to enforce separation. This isn't a bug you can patch — it's how the technology works.
The real-world demonstrations are already here. Researchers turned a Google Calendar invite title into a covert video livestream of the victim. An email-based AI worm replicated itself across inboxes while exfiltrating sensitive data. These aren't theoretical scenarios.
Defence in depth, not a single fix
The defensive takeaway is to assume initial access will happen. Build your defences around breaking the chain at stages two through seven — limiting privilege escalation, constraining what agents can access, preventing persistence, and restricting permitted actions.
Defence in depth isn't a new concept. But you can't build it if you're still treating the whole attack as a single vulnerability called "prompt injection."
Further reading
Bruce Schneier's blog post, the original essay on Lawfare, and the full paper on arXiv.
← All filings