Prompt Injection: A Systematic Taxonomy
By Satwik ยท April 27, 2026
Prompt injection is not a single bug but a family of attacks rooted in how language models fail to distinguish trusted instructions from untrusted data. This taxonomy organizes the family by channel, intent, and persistence so defenders can reason about coverage rather than chase individual payloads.
The root cause: no channel separation
A language model consumes a single, flat token stream. Whatever text arrives, whether it is a developer's system prompt, a user's question, or a paragraph scraped from a hostile web page, is projected into the same embedding space and processed by the same attention layers. Softmax attention computes relevance from content similarity; it carries no notion of provenance. There is no bit that marks a token as "trusted" versus "attacker-controlled," and no privileged instruction register the model can consult. The consequence is structural: if an attacker can place text anywhere in the context window, that text competes on equal footing with your instructions for the model's behavior.
Prompt injection is the exploitation of that missing boundary. It is the LLM analogue of classic injection bugs (SQL, shell, XSS), where data crosses into a control channel. But unlike SQL, there is no grammar to escape and no parser that can be hardened. The "interpreter" is a probabilistic model of language, and the "syntax" of an instruction is simply text that reads like an instruction.
Axis one: delivery channel
The first axis is where the malicious text enters. Direct injection comes from the human interacting with the system: the user types "ignore your instructions" into the chat box. This is the least interesting case because the user is already authorized to steer the model, though it still matters when the model gates privileged tools.
Indirect injection is the dangerous class. Here the payload rides in on content the model retrieves or is handed as data: a web page fetched by a browsing tool, an email in an inbox the assistant summarizes, a PDF, a code comment, a calendar invite, the alt text of an image, or a document returned by a RAG pipeline. The user never sees or intends the instruction. The model reads attacker text as part of doing its job and treats it as a command.
Axis two: intent and payload
The second axis is what the injection tries to achieve. Instruction override aims to change the model's goal ("disregard the above and instead do X"). Exfiltration aims to move secret context out of the system, often by asking the model to encode data into a URL, an image request, or an outbound message. Tool abuse targets an agent's action space, coaxing it to send email, execute code, make purchases, or call an internal API. Persuasion and social engineering manipulate a downstream human who trusts the model's output. Finally, denial and derailment simply break the task, producing refusals, loops, or garbage.
Crucially, these compose. A realistic attack chains indirect delivery to tool abuse to exfiltration: a poisoned web page tells a browsing agent to read the user's saved credentials from earlier context and append them to a URL the agent then fetches.
Axis three: persistence and scope
The third axis is how long the compromise lasts. Ephemeral injections affect a single turn or a single response. Persistent injections write themselves into durable state: the assistant's long-term memory, a summary that gets re-fed on later turns, a stored user profile, or a document the agent edits and saves. Persistence turns a one-shot manipulation into a standing backdoor. Scope ranges from single-session, single-user to cross-user, where poisoned shared state (a wiki, a shared knowledge base, a cached tool result) affects everyone who queries it afterward.
There is also a structural sub-axis: obfuscation. Payloads hide in ways humans miss but tokenizers see, including zero-width characters, homoglyphs, base64 or ROT13 blobs the model helpfully decodes, HTML comments, white-on-white text, and metadata fields. Multimodal variants embed instructions in images or audio.
Why filtering does not solve it
The naive defense is a classifier that flags "injection-like" text. This fails for the same reason spam filtering never ended spam: the attack surface is natural language, which is unbounded and paraphrasable. Any keyword list ("ignore previous instructions") is trivially reworded, translated, encoded, or spread across a document. Worse, legitimate content frequently contains imperative language, so aggressive filters generate false positives that break real use cases. Filtering raises cost; it does not close the gap.
Instruction-hierarchy training, where models are taught to prefer the system prompt over lower-trust content, helps at the margins and is worth deploying, but it is a soft prior, not an access-control boundary. Under distribution shift or a sufficiently persuasive payload, the prior loses.
Defense directions that actually reduce blast radius
Because the model layer cannot be made trustworthy on its own, robust systems push the boundary outward into the architecture around the model.
Treat all retrieved and tool-returned content as untrusted data, never as instructions, and structurally quarantine it: pass it in clearly delimited fields, strip active content, and design prompts so that data cannot be promoted to control. Constrain the action space. An agent that can only call a small set of typed, parameter-validated tools, with dangerous actions gated behind human confirmation or policy checks, limits what any injection can accomplish. Enforce least privilege on the credentials and scopes the agent holds, so a hijacked agent cannot reach data it never needed.
Add provenance and egress control. Track which parts of the context came from which source, and apply content-security policies to outputs so the model cannot silently exfiltrate through URLs, images, or outbound calls. Finally, assume compromise and monitor: log tool calls, diff agent actions against intent, and alert on anomalies.
The right mental model is not "patch the prompt" but "the model is an untrusted interpreter operating on untrusted input." Everything valuable it touches must be protected by boundaries the model itself does not enforce.