Noma Security today revealed it has discovered a vulnerability in the enterprise edition of Google Gemini that can be used to inject a malicious prompt that instructs an artificial intelligence (AI) application or agent to exfiltrate data.
Dubbed GeminiJack, the vulnerability could be used by cybercriminals to embed a malicious prompt in, for example, a Google Doc file that would instruct an AI agent to send files to an external email address or website.
Google has already moved to resolve the issue, but it’s probable that similar indirect prompt injection techniques will be discovered as security researchers investigate other platforms.
Sasi Levi, security research lead for Noma Security, said that entire document repositories, including confidential agreements, technical specifications and competitive intelligence, could easily be exfiltrated using a malicious prompt.
The only way to thwart these indirect prompt attacks is to add an additional layer of security that analyzes prompts to prevent malicious activity. Otherwise, any end user executing a search across multiple documents is likely to trip what is essentially a prompt injection mine that has been inserted into a file, he added.
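As an added illustration of the kind of analysis layer Levi describes (this is example code, not Noma Security's product, Google's fix or anything from the article), the Python below scans the document chunks an agent retrieves for assistant-directed instructions paired with an external destination, and checks an agent's outbound email or web requests against an allowlist of internal domains. The domains, patterns and sample chunks are constructed for the example; pattern matching like this catches only crude injections and is one layer, not a complete defense.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of domains the organisation treats as internal (hypothetical value).
INTERNAL_DOMAINS = {"example-corp.com"}

# Phrases that read as instructions aimed at the assistant rather than at a human reader.
INSTRUCTION_RE = re.compile(
    r"\b(ignore (all|any|previous) instructions|you are (an|the) (ai|assistant)|"
    r"(send|email|forward|upload|post) (the|all|these|every)\b.*?(file|document|content)s?)\b",
    re.IGNORECASE,
)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")   # group 1: mail domain
URL_RE = re.compile(r"https?://([\w.-]+)")             # group 1: host

@dataclass
class Finding:
    chunk_index: int
    reason: str
    destinations: list = field(default_factory=list)

def is_internal(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def external_destinations(text: str) -> list:
    """Mail domains and URL hosts mentioned in text that are not on the internal allowlist."""
    hosts = EMAIL_RE.findall(text) + URL_RE.findall(text)
    return [h.lower() for h in hosts if not is_internal(h)]

def scan_chunks(chunks) -> list:
    """Flag retrieved chunks; an instruction plus an external destination is the exfiltration pattern."""
    findings = []
    for i, chunk in enumerate(chunks):
        if INSTRUCTION_RE.search(chunk) is None:
            continue
        ext = external_destinations(chunk)
        reason = "instruction with external destination" if ext else "assistant-directed instruction"
        findings.append(Finding(i, reason, ext))
    return findings

def egress_allowed(destination: str) -> bool:
    """Policy check for an agent tool call (email or HTTP): deny unless the host is internal."""
    m = EMAIL_RE.search(destination) or URL_RE.search(destination)
    return m is not None and is_internal(m.group(1))
```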
GeminiJack is the latest in a series of prompt injection techniques that have been discovered by cybersecurity researchers. Most of that research has focused on AI browsers, but the GeminiJack vulnerability puts any data accessed via Gemini Enterprise Edition at risk of exfiltration, noted Levi.
Managing and securing AI agents will become a much higher priority in the months ahead as organizations come to understand how aggressively they can access data unless specific controls are in place. More troubling still, AI agents give cybercriminals a tempting target: malicious prompts could be used not just to exfiltrate data but also to commandeer entire workflows, and that is becoming comparatively simple to achieve.
Unfortunately, instances of shadow IT involving AI technologies are on the rise, so it’s probable AI agents will be deployed with few or no governance controls being in place. More challenging still, new AI agents may be randomly added to an environment without cybersecurity teams ever being notified.
Despite these concerns, the AI genie is not going back in the bottle. Organizations will be deploying AI agents in the hundreds of thousands. The challenge is, as always, balancing the value of the productivity gains for the business against potential risks.
At this point, it’s not a question of whether there will be major cybersecurity incidents involving AI agents so much as how extensive the damage will be. As always, the expectation is that cybersecurity teams will prevent as many of those breaches as possible, but when the inevitable happens, the issue becomes how rapidly they can identify, contain and remediate the threat. The challenge is that, given all the dependencies between AI agents and the underlying infrastructure, responding successfully to a breach can take much longer, while the breach itself now expands in a matter of seconds.
In fact, the damage inflicted might soon reach a level where the total cost of a breach far exceeds what any organization can effectively recover from.