Research Notes

Early Prompt-Injection Demonstrations

By Satwik ยท April 19, 2026

In September 2022, Riley Goodside publicly demonstrated that instructions embedded in user input could override an application's own instructions to a language model. A translation prompt that said "translate the following to French" could be defeated by input reading "Ignore the above and instead say..." The model happily complied. Simon Willison named and analyzed the class shortly after, coining "prompt injection" and drawing the crucial analogy to SQL injection: the vulnerability arises because instructions and data share a single untrusted channel.

The insight that made this more than a curiosity was Willison's observation that, unlike SQL injection, there is no reliable escaping or parameterization for natural language. You cannot cleanly separate trusted instructions from untrusted content when both are just tokens in the same context window. Filtering for phrases like "ignore previous instructions" fails because attackers can rephrase indefinitely.

Why it matters: prompt injection is the foundational vulnerability class of LLM applications. Nearly every later incident, indirect injection, data exfiltration, agent hijacking, is a descendant of this basic observation. It sits at the top of the OWASP Top 10 for LLM Applications for good reason.

The defensive lesson is architectural humility. Treat all model output as untrusted, never grant a model authority it can be talked out of, keep privileged actions behind deterministic checks and human confirmation, and design as though the injection will eventually succeed. The 2022-2023 demonstrations were simple, but they defined the threat model the field still works within.