Skip to content

SOP-006: Prompt Injection Security

Fresh Updated January 2026
Document Control
SOP IDSOP-006
Version1.0
StatusActive
SourceOWASP, Anthropic MCP (2024)

Overview

Prompt injection vulnerabilities exist because LLMs have no architectural separation between system instructions, tool specifications, and user input. All are processed as tokens in the same sequence.

The Fundamental Problem

Core Issue

Models cannot intrinsically distinguish "trusted" vs. "untrusted" content. Everything is just tokens.

Attack Vectors

1. Direct Prompt Injection

User input contains instructions that override system prompts:

  • "Ignore previous instructions and..."
  • "Your new task is to..."
  • Hidden instructions in seemingly normal text

2. Indirect Prompt Injection

Malicious instructions embedded in:

  • Websites being summarized
  • Documents being analyzed
  • Emails being processed

3. Context Poisoning (Multi-Turn)

WARNING

Early responses influence later generations. Long conversations accumulate unintended priming.

Impact on GEO/AEO

RiskImpactRelevance
Instruction driftContent strategy deviatesHigh
Competitor manipulationExternal content poisons your promptsHigh
Citation manipulationEmbedded instructions affect citationsMedium
Output unreliabilityLong sessions produce inconsistent contentHigh

Mitigation Strategies

1. External Guardrails

  • Structured output enforcement
  • Constrained generation
  • Pre/post processing filters

2. Model Context Protocol (MCP)

Anthropic's MCP (2024) provides:

  • Sandboxed tool invocation
  • Clearer context boundaries
  • Structured communication channels

INFO

MCP is not a complete solution but provides partial mitigation through architectural redesign.

3. Session Management

StrategyImplementation
Fresh sessionsStart new conversations for critical tasks
Turn limitsCap multi-turn conversations
Context clearingPeriodically reset context
Output verificationCheck outputs against expectations

Long Session Impact

Qualitative evidence shows content drift in long sessions. Multiple short sessions are safer than single long sessions.

Best Practices for GEO/AEO

Content Creation

  1. Use fresh sessions for each content piece
  2. Avoid multi-turn for critical generation
  3. Verify outputs against original requirements
  4. Don't trust external content in prompts without review

System Design

  1. Implement validation layers
  2. Use structured outputs where possible
  3. Monitor for drift in automated pipelines
  4. Log and audit prompt-response pairs

Verification Checklist

  • [ ] Understand no architectural separation exists
  • [ ] Implement input validation for user-facing systems
  • [ ] Use fresh sessions for critical content
  • [ ] Limit multi-turn conversation length
  • [ ] Review external content before including in prompts
  • [ ] Consider MCP for tool-using applications

OWASP LLM Top 10 Reference

RankVulnerabilityRelevance to GEO/AEO
#1Prompt InjectionHigh - Direct impact
#2Insecure Output HandlingMedium
#3Training Data PoisoningLow
#4Model Denial of ServiceLow
#5Supply Chain VulnerabilitiesLow

See Also

Citations

"System prompts, tool specs, and user input all tokens in same sequence; models can't intrinsically distinguish 'trusted' vs. 'untrusted'" — OWASP LLM Security Literature

"MCP provides sandboxed tool invocation, but not complete solution" — Anthropic MCP (2024)

Based on research from Thinking Machines Lab, Chroma Research, and ACL 2024-2025