You can't secure what you can't see, and prompt injection is already slipping past traditional defences.
Prompt injection is no longer a theoretical risk. It’s a real-world threat vector that exploits how Large Language
Models (LLMs) interpret language-based instructions. As LLMs become embedded in cloud-native tools, internal
workflows, and customer-facing systems, this attack surface is growing fast, and in many cases, it’s still unmonitored.
In this post, we’ll explore how prompt injection works, why existing cloud security controls miss it, and what
Cybersecurity Leaders should prioritise to close the gap.
What Is Prompt Injection (and Why It’s Different)?
LLMs like those integrated into chatbots, support agents, and internal AI tools operate by following natural
language prompts. A prompt injection attack manipulates this logic, not by exploiting code, but by embedding
a harmful instruction inside user content.
This can lead to:
- Data leakage
- Misleading responses
- Triggered API calls or internal actions that should never have been executed
Because the model’s behaviour depends on text instructions, these attacks can be executed through chat
input, document uploads, or API-connected content. They often bypass filters and go unseen until harm is done.

Why Cloud Security Teams Miss It
Prompt injection is hard to catch with traditional controls. Here’s why:
- WAFs, DLP tools, and endpoint security don’t inspect prompt text.
- Most LLM-powered systems pass user input directly into prompts without sanitisation.
- LLM output can trigger real actions - API calls, service requests, ticketing changes - with no secondary validation.
- There’s often no visibility into how prompts are constructed or what actions the model can take.
This is especially dangerous in distributed environments where different teams own input flows, LLM chains,
and downstream automation.

What Can Go Wrong in Production
- Chatbots telling customers their accounts are closed (based on injected prompts)
- Internal tools leaking access tokens, emails, or HR records from summarised documents
- Service agents auto-escalating cases or performing backend actions based on hallucinated logic
These scenarios are already playing out in organisations testing or deploying LLMs. If the model has access
to anything sensitive or actionable, it needs to be treated as a privileged system.

What Cybersecurity Leaders Should Audit
- Are any LLMs in use allowed to ingest user-generated content?
- Are models able to trigger downstream workflows, emails, or API calls?
- Are prompts dynamically built, or are they template-controlled and segmented?
- Is output from the model filtered, audited, or sandboxed before action?
- Are red team scenarios covering prompt injection vectors?
If the answer to any of these is “unknown,” there’s likely a visibility or control gap.

What Controls Should Be in Place
At a minimum, implement:
- Input sanitisation and isolation: Never mix user content with control prompts.
- Prompt version control: Treat prompts as production code.
- Output moderation: Scan model responses before acting on them.
- Role- and scope-restricted API calls: Don’t give LLMs full access to internal systems.
- Logging and anomaly detection for LLM activity.
You should also ensure prompts and injection handling are included in your secure SDLC, especially if
you're using LangChain, Semantic Kernel, or similar orchestration layers.

Leadership Actions to Take
- Assign clear ownership of LLM security: treat it like application and API risk.
- Require prompt injection testing in pre-prod environments.
- Review vendor LLM APIs for scope control, output filtering, and monitoring hooks.
- Educate dev teams: prompt safety needs to be part of engineering reviews.
This isn’t about halting innovation. It's about setting safe boundaries for what AI is allowed to do.
Final Thoughts
Prompt injection is a cloud-native threat vector, one that’s often hiding in plain sight. It’s not detectable by
the tools most cloud security teams rely on. And if left unaddressed, it can cause quiet, cascading failures
that are hard to trace until damage is done.
Cybersecurity leaders should act now: get visibility into where LLMs live, what they’re allowed to do,
and who owns their safety.
If you wait until your first incident, it’s already too late.
Related Resources
Find your Tribe
Membership is by approval only. We'll review your LinkedIn to make sure the Tribe stays community focused, relevant and genuinely useful.
To join, you’ll need to meet these criteria:
> You are not a vendor, consultant, recruiter or salesperson
> You’re a practitioner inside a business (no consultancies)
> You’re based in Australia or New Zealand