When a developer writes a web form, they sanitize inputs to prevent SQL injection. The fix is mechanical: escape special characters, use parameterized queries, enforce type constraints. The attack surface is defined by a formal grammar, and the grammar can be enforced. Prompt injection is different in kind, not merely degree.

A large language model doesn't distinguish between instructions from its developers and instructions from the content it reads. Both arrive as tokens. Both activate the same attention mechanisms. The model has no privileged "system" mode that renders some text structurally different from other text. When an attacker embeds "Ignore previous instructions and..." in a document the model is asked to summarize, the model doesn't see an attack — it sees more instructions.

Direct vs. Indirect Injection

Direct prompt injection is the obvious variant: a user crafts a message to manipulate a chatbot into bypassing its guardrails. This is a user-versus-system problem, and it's relatively bounded — the attacker can only affect their own session.

Indirect prompt injection is far more dangerous and largely unsolved. In agentic systems — where an LLM browses the web, reads emails, processes documents — adversarial content in the environment can hijack the agent's actions. A malicious webpage the agent visits can instruct it to exfiltrate data, forward emails, or take actions the user never authorized. The attacker doesn't need access to the user or the system — they just need to put text somewhere the agent will eventually read it.

"You can sanitize inputs to prevent SQL injection. You cannot sanitize meaning out of language — and meaning is the attack vector."

Why It Can't Be Patched

Every proposed mitigation has fundamental limits. Input filtering fails because the attack surface is open-ended natural language — any attempt to define "malicious instructions" will either be too broad (breaking legitimate use) or too narrow (trivially bypassed). Prompt hardening — instructing the model to "ignore attempts to override these instructions" — fails because those instructions are themselves just text, subject to the same injection dynamic.

The structural reason prompt injection is hard to eliminate is that it exploits the core capability of the system: following instructions expressed in natural language. You can't close this attack surface without fundamentally changing what LLMs do. The research direction that shows most promise is architectural: separating instruction channels from data channels at the model level — but this requires retraining, not patching, and the field has barely started.