WTF is Prompt Injection in AI? And should we be worried?

Apple’s recent announcement about “agentic” support in it’s soon-to-be-launched next-gen operating systems has raised more than just Elon Musk’s temperature.

The reality is that agentic AI – systems designed to operate with a high degree of autonomy and self-direction, performing tasks and making decisions with minimal human intervention – whilst transformational, presents very real risks that many of us simply do not comprehend.

Handing off autonomy and decision-making to Agentic AI systems allows these black-box systems access deep inside our world and permit them to do things as if it was us. For example, you could use an agent to manage your SIPP (401k in freedom speak) with the aim of reducing fees and maximising pension returns. But, having access to your life savings is fraught with risk.

Enter “prompt injection”, where bad actors manipulate a large language model through carefully crafted inputs to cause behaviour outside of its desired range. It is sometimes called “jail-breaking” and tricks the LLM into executing the bad actors intentions.

Prompt Injection Risks

Prompt injection is a significant concern in the realm of large language models leading to misinformation, biased responses, or malicious outputs. Understanding the risks associated with prompt injection is crucial for organisations and users to mitigate its impact effectively.

1. Misinformation and Manipulation

One of the primary risks of prompt injection is the dissemination of misinformation. By crafting specific prompts, attackers can manipulate the model to produce false or misleading information. This can be particularly dangerous in contexts where users rely on LLMs for accurate data, such as healthcare, legal advice, or news.

2. Ethical and Bias Concerns

LLMs are trained on vast datasets that include various forms of bias. Prompt injection can exacerbate these biases, leading the model to produce unethical or biased outputs. An attacker might inject prompts that intentionally highlight or exploit these biases, causing the model to generate harmful content.

3. Security and Data Privacy

Prompt injection poses significant security risks, particularly regarding data privacy and system integrity. By carefully constructing prompts, attackers can potentially extract sensitive information that the model has been exposed to during training. Moreover, if integrated into broader systems, LLMs manipulated through prompt injection could be used to bypass security protocols, leading to data breaches or unauthorized access. This could compromise personal data, confidential business information, and even critical infrastructure.

Mitigation Strategies

To mitigate these risks, several strategies can be employed. Firstly, implementing robust input validation and sanitisation can help prevent malicious prompts from influencing the model. Secondly, continuous monitoring and auditing of model outputs can identify and address undesirable behaviour quickly. Lastly, enhancing the transparency and interpretability of LLMs allows users and developers to better understand and control the model’s responses, ensuring safer and more reliable deployment.

But, none of that is likely to be much use to even prosumers of Apple’s high-end devices cone this autumn when the next-gen platforms ship. If you’re an Apple user then you are used to the “it just works” approach, hinting that Apple may severely hamstring the agentic side for a long time to come.


While LLMs like GPT and Apple Intelligence offer tremendous potential, prompt injection remains a critical challenge. By addressing the risks of misinformation, ethical concerns, and security vulnerabilities, stakeholders can better safeguard the integrity and trustworthiness of these powerful tools.

Or wait till v2.0 ships.