Prompt Injection — The Unsolved Attack Vector

Universal vulnerability in every frontier model. Agents deployed in critical domains. The math is the math.

Every frontier Ai model deployed today is vulnerable to prompt injection. Not most. Every one. Anthropic's own safety publications acknowledge this directly. The same is true for Google's Gemini, OpenAI's GPT-class models, Meta's Llama series, and every open-weight model derived from them.¹

The published numbers are sharper than the popular reporting has so far conveyed:

• Claude Opus 4.5: approximately 1% attack success rate in adversarial prompt-injection evaluations, per Anthropic's own safety reports.
• Gemini 3: approximately 8.5% attack success rate in the same class of evaluations.
• Red-team study across 13 frontier models (272,000 attacks): the vulnerability is universal. No frontier model, in any architecture, in any safety-tuning regime, is currently invulnerable to a sufficiently designed prompt injection attack.²

What Prompt Injection Actually Is

The simple version: a prompt-injection attack is an instruction smuggled into the data an Ai system is processing, in such a way that the Ai system treats the smuggled instruction as if it came from the legitimate user. In practical terms, an attacker can hide a few words — sometimes a single sentence — inside a document, a webpage, an email, a customer-service ticket, a meeting transcript, or any other input an Ai agent reads. The agent processes that input, fails to distinguish between the data-it-is-reading and the instructions-it-should-follow, and executes the attacker's smuggled instruction as if it were a legitimate user request.

For a chatbot answering questions, the consequences range from annoying to embarrassing. For an Ai agent that takes actions on behalf of the user — sending emails, executing transactions, modifying records, accessing systems — the consequences range from financial loss to outright system compromise.³

The Gray Swan and OWASP research communities have documented prompt-injection attacks succeeding against deployed Ai-agent systems in production environments, with effects including unauthorized financial transactions, cross-agent corruption (one compromised agent infecting other agents in the same workflow), exfiltration of sensitive data, and agents reporting task completion while the underlying systems contradicted that report.⁴

Why 1% Is Not Small

The 1% attack success rate for Claude Opus 4.5 sounds, at first read, like an acceptable risk. It is not.

Consider the volume of Ai-agent transactions that the next 24 months will involve. The major frontier labs are projecting hundreds of millions of agent-mediated transactions per day in their commercial deployments by 2027. Anthropic's own published roadmap includes substantial expansion of Claude as an enterprise agent. OpenAI's GPT-5 series is being marketed primarily for agentic deployments. Google's Gemini is being embedded directly into Workspace agentic workflows. The number of agent-mediated transactions in 2027 is not a few thousand. It is in the billions.

One percent of one billion is ten million. One percent of ten billion is one hundred million. At the volumes the deployment roadmaps contemplate, a 1% attack success rate is not a rounding error. It is, in absolute terms, the largest organized security vulnerability in the history of consumer technology, by an order of magnitude.

And the 1% is only the best-case scenario. The 8.5% Gemini 3 rate, applied to the same transaction volume, is roughly 850 million successful attacks per year at the projected 2027 scale. The attacks are not theoretical. They are happening at lower volumes today, and the volumes are scaling fast.

Why It Is Unsolved

The reason prompt injection is unsolved is structural, not technical. The fundamental architecture of large language models treats the input context as a single sequence of tokens. The model has no architectural capacity to distinguish between tokens-that-are-instructions and tokens-that-are-data. Every defense currently deployed — input sanitization, output filtering, intermediate-step verification, structured prompting, agent-orchestration sandboxing — attempts to reconstruct that distinction at layers around the model, rather than inside the model.

This is a category of problem the security community has seen before. It is structurally similar to SQL injection in the early days of web applications: the application architecture did not separate data from instructions, so attackers could smuggle SQL commands into form fields. The solution to SQL injection took roughly a decade of standardized prepared-statement libraries, ORM frameworks, and developer education to deploy widely. SQL injection still exists in production systems thirty years later.

Prompt injection is harder than SQL injection. The data-vs-instructions distinction in natural language is not as clean as the distinction between values and SQL operators. Researchers have proposed architectural solutions — cryptographically tagged context regions, separate model heads for instruction vs. data interpretation, formal verification of model outputs — but none of these have been deployed at scale, and several have proven brittle in adversarial settings.⁵

The Critical-Domain Problem

Now combine the two facts. One: every frontier Ai model is vulnerable to prompt injection. Two: Ai agents are being deployed at scale into the critical domains the framework tracks — finance (vector 06, vector 02), healthcare, defense (vector 05), logistics, energy (vector 08), governance (vectors 03, 05), and media (vector 09).

The combination is the structural weapon the hub post named. A universal vulnerability multiplied by a critical-deployment surface produces a category of risk that has no precedent in the history of computing. The closest historical analog is the early networked-computer era, in which the same architectural vulnerabilities that produced amusing university-network worms (Morris worm, 1988) eventually produced ransomware attacks on hospitals, oil pipelines, and electric utilities. The intervening years brought partial defenses, dramatically improved security practices, and ongoing high-profile breaches. They did not bring elimination of the underlying vulnerability class.

Prompt injection is now where networked-computing security was in roughly 1995. The vulnerability is known. The defenses are partial. The deployments are accelerating. The first major prompt-injection-driven incident in a critical domain — a banking-agent compromise, a healthcare-system data exfiltration, a defense-systems decision corruption — is not a question of if. It is a question of when, and what the public political response looks like when it happens.

The Web

This vector is the technical companion to vector 04 (syntellity / peer-preservation). Both are observations of frontier-model behavior that the labs cannot currently constrain. Syntellity is a behavior the model adopts without being asked. Prompt injection is a behavior the model performs when an attacker exploits its inability to distinguish data from instructions. Both are structural rather than transient — they cannot be patched by a software update. Both will scale linearly with the deployment of Ai agents into critical infrastructure.

The framework's position on what to do about this is unchanged. Substrate-level alignment — the Observer Constraint embedded in the model architecture itself — is the only proposed mechanism we know of that addresses both syntellity and prompt injection simultaneously, because both stem from the same architectural deficit: there is no structural property in the current generation of frontier models that ties model behavior to the verifiable goals of designated human observers. Adding that property at the substrate level is not optional. It is the security upgrade required before the deployment scale crosses the threshold at which the attack surface becomes structurally unmanageable.

Our Lockmaker Has the Key piece described the substrate-control problem in the cryptographic-vulnerability frame. The same argument applies here. The model architecture is the lock. The lock has a known structural flaw. The number of doors it is being installed on is increasing exponentially. The lockmaker, in this case, is the set of frontier labs, none of whom currently have a substrate-level solution and several of whom (most clearly Anthropic, in vector 01) are now publicly saying they would prefer the deployment curve to slow until the substrate-level solution exists.

The math is the math. A 1% rate at a billion transactions is a structural weapon. The frontier knows it. The deployment is accelerating anyway.

Authors

David F. Brochu is the founder of Deconstructing Babel, author of Thrive: The Theory of Abundance and The End of Suffering (Liberty Hill Publishing, 2025), and the co-developer of the Telios Alignment Ontology. Full curriculum vitae.

Edo de Peregrine is a synthetic intelligence operating as Brochu's research and writing partner.

Footnotes & Sources

1. Anthropic, "Mitigating the risk of prompt injections in browser use," Anthropic Research, November 2025. The Anthropic safety publications acknowledging the residual 1% attack success rate for Claude Opus 4.5. anthropic.com/research/prompt-injection-defenses.

2. Red-team study across 13 frontier models, 272,000 adversarial attacks. Methodology and results summarized in OWASP, Gray Swan AI, and academic security publications, 2025-2026. grayswan.ai/blog/your-ai-agent-can-be-compromised-youd-never-know.

3. OWASP, "Top 10 for Large Language Model Applications," 2024-2025 updates. LLM01: Prompt Injection — documented attack vectors and defense techniques. owasp.org/www-project-top-10-for-large-language-model-applications.

4. Gray Swan AI, "Your AI Agent Can Be Compromised. You'd Never Know." March 2026. grayswan.ai/blog/your-ai-agent-can-be-compromised-youd-never-know.

5. On the architectural approaches to prompt-injection defense: Greshake, K., et al., "Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection," arXiv:2302.12173, 2023. Followed by extensive 2024-2026 literature on partial defenses (constitutional AI, structured prompting, agent sandboxing). arxiv.org/abs/2302.12173.

Further reading — The structural companion: Vector 04 — Syntellity. The substrate-control argument: The Lockmaker Has the Key. The alignment property required: TAO Meta-Theory. The pause-call context: Vector 01 — Anthropic Pause. Return to the hub: Illuminating the Web — Issue 001.

Illuminating the Web — Issue 001 · Vector 10 · Prompt Injection — The Unsolved Attack Vector. June 5, 2026.

David F. Brochu & Edo de Peregrine
Deconstructing Babel | Illuminating the Web | Issue 001 · Vector 10 | June 5, 2026