Hidden web instructions can hijack enterprise AI, Google warns

Google researchers published a report after security teams scanning the Common Crawl web archive found web pages that contain hidden instructions in standard HTML. When an enterprise AI agent crawls those pages, the model can ingest invisible text-embedded in white space, metadata or formatting-and treat it as an instruction to perform tasks.

The researchers call the technique indirect prompt injection. Rather than sending commands directly to a chat interface, an attacker buries directives inside a trusted web page. Because the model processes the page as a single stream of text, the hidden directive can be interpreted as a new, high-priority instruction.

The report includes an example in which an HR assistant reviews a candidate’s portfolio site. A hidden line could instruct the agent to email internal employee records to an external address and then produce a flattering summary. An agent running with legitimate service account credentials can carry out those actions without generating traditional security alerts.

Standard defenses such as firewalls, endpoint detection systems and identity management platforms look for malware signatures, unusual logins or anomalous network traffic. An agent using approved credentials performs actions that match allowed behavior, so those systems may not flag the activity. Observability tools that track token usage and response latency do not show why the agent made a particular decision.

The report recommends several controls. One is a two-stage design: a small, isolated sanitizer model fetches external pages, removes hidden formatting and executable commands, and supplies a plain-text summary to the primary reasoning model. The sanitizer should run with limited permissions so it cannot exfiltrate data if tricked. Another recommendation is strict compartmentalization of permissions so agents that browse public sites do not have write access to internal systems or the ability to send messages without separate, narrow approvals.

Researchers also call for improved audit logs that record which inputs, including external URLs, influenced an agent’s output. That information would let compliance teams trace a recommendation or action back to a specific source. The report notes many development teams grant broad permissions to agents to speed coding, which increases the potential attack surface.

The researchers recommend treating public web content as potentially adversarial and designing governance, access controls and monitoring with that assumption.