SAIL 2.0

/

Deploy - Runtime Guardrails

/

Indirect / Cross-Source Prompt Injection (XPIA)

5.4

.

Indirect / Cross-Source Prompt Injection (XPIA)

sail
5.4
Risk

Indirect / Cross-Source Prompt Injection (XPIA)

Description

Malicious content in external sources the agent reads at runtime (documents, web pages, tickets, retrieved knowledge) triggers unintended agent actions.

Example

A poisoned PDF in a shared document store causes the agent to exfiltrate cross-tenant data when summarizing it.

Assets Affected

Dataset / RAG

Tool

3rd-Party AI Integration

AI Agent

Mitigation
  • Sanitize and validate external content
  • restrict sources to allowlisted origins
  • monitor for indirect injection
  • treat retrieved content as untrusted.
Standards Mapping
  • ISO: A.7.6
  • OWASP agentic: ASI01, ASI06
  • OWASP LLM: LLM01:2025
  • EU AI Act: Art. 15(5)
  • DASF: Model Serving 9.9, Agents-MCP Server 13.24
  • AIUC-1: B001, B005