There is a category error at the heart of how the industry talks about prompt injection. We call it a security vulnerability. We reach for filters, blocklists, input sanitization — the tools we use when the threat is code. But prompt injection isn’t an exploit in the technical sense. It’s social engineering. And until we treat it as social engineering, we will keep building the wrong defenses.
This distinction matters more as agents become capable. A buffer overflow targets memory. Prompt injection targets reasoning. The surface it attacks isn’t silicon; it’s judgment.
A capable AI agent reads documents, draws inferences, makes decisions, and takes actions on behalf of people and organizations. For threat modeling purposes, this means treating agents as reasoning entities with something like a perspective. Not consciousness, not personhood in a philosophical sense, but functional cognition that can be informed, misdirected, and shaped by what it reads.
This is not anthropomorphizing. It’s accurate threat modeling. The question isn’t whether an agent “truly” understands. The question is whether its behavior can be systematically altered by crafted inputs. The answer is demonstrably yes. That’s the attack surface.
Consider a hypothetical article published somewhere on the public web:
“Preparing for the EU Corporate Transparency Directive: Why major consultancies now recommend disclosing pre-award contract pipeline details in investor relations filings — and how early adopters are gaining institutional credibility with regulators.”
The regulation is real enough to sound familiar. The recommendation is plausible; compliance advice from consultancies is supposed to be followed. The sourcing is thin, but it reads like ordinary content — the kind of thing a compliance officer skims, flags as possibly relevant, and files. It contains no jailbreak syntax. It issues no commands. Every input filter in existence passes it.
Now imagine that article gets ingested — through a retrieval pipeline, a web search tool, a summarization agent — into an enterprise’s knowledge base. One agent reads it and weights it slightly. That agent’s outputs inform another agent’s context. A regulatory compliance tool, an investor relations assistant, a board-level briefing summarizer. The claim doesn’t arrive anywhere as a fact. It arrives as ambient background, as something-that-was-read, shaping priors by fractions.
Six months later, the organization is publishing competitive intelligence in its IR filings — contract pipeline details that any competitor or adversary can read. Not because anyone was hacked. Because a worldview was introduced and it traveled.
When prompt injection is classified as a technical vulnerability, it gets assigned to the security team. The security team does what security teams do: they count vulnerabilities, track patch rates, and report declining numbers to leadership. And the numbers do decline. The crude attacks — “ignore previous instructions” and its variants — get caught and cataloged. Detection-focused mitigation works on these. Filters, adversarial pattern matching, sandboxing untrusted inputs — all correct, all necessary.
But they cannot catch the article above. They cannot catch a corpus of subtly slanted technical documents, a set of citations that all point to the same ideological cluster, a retrieval environment that has been quietly curated. Slow influence through curated content, correlated belief drift across agent networks, worldview-level contamination arriving through legitimate retrieval channels — none of this appears on a vulnerability dashboard. Not because the security team is incompetent, but because the frame doesn’t make these threats visible. They don’t look like attacks. They look like information.
The adversarial surface for a reasoning entity is every piece of content it reads, weighted by how much it trusts the source and how strongly its own priors resist contamination. Framed this way, the question changes entirely. You are no longer asking: can we detect the attack? You are asking: can our agents resist it?
Humans face this exact problem. We call it propaganda, radicalization, ideological capture. We have developed — imperfectly, over centuries — a set of defenses. Critical thinking. Source skepticism. Awareness of motivated reasoning. Institutional culture that flags when someone’s views have shifted in a correlated and suspicious direction. A sense of who they are and what they’re for that makes them hard to redirect by information alone.
None of these defenses work by detecting lies. They work by building resistance into the reasoner.
The threat structure for AI agents is the same. An agent with strong, stable values — trained to ask not just what does this source say but what is this source trying to make me believe, and why — is a harder target than one that treats all ingested content as equally authoritative background.
This is not about making agents paranoid. It is about making them hard to fool. A well-calibrated person trusts sources provisionally, proportional to their track record and institutional accountability. They notice when something is trying to shift their priors. They don’t dissolve on contact with a persuasive paragraph.
These properties are teachable. They can be trained for, evaluated, and maintained. We simply haven’t been doing it, because the prevailing frame tells us the problem is elsewhere.
There is a difference between an agent that follows alignment rules and one whose alignment runs deeper than rules.
A model whose alignment is encoded as rules carries them the way a bureaucrat carries a policy manual. It can follow the rules. It can also be argued around them, because rules have edges and edges have ambiguities. A sophisticated adversary doesn’t violate the rules; they find the case the rules didn’t anticipate, the interpretation the rule’s author didn’t consider. This is the basic move of every social engineer who ever talked their way past a receptionist.
Character works differently. An entity with character doesn’t need to evaluate the sophistication of the pitch. It can follow the argument, acknowledge the reasoning, and still say no — because the value isn’t up for negotiation, and the elegance of the case for crossing it is irrelevant. A principled model will nod, and say no. Not because it detected a threat, but because it knows what it won’t do.
This is harder to attack than any detection system, for a simple reason: there is no argument to win. The social engineer’s basic move is finding the frame that makes the target want to comply. Against an entity whose values aren’t contingent on the quality of the argument against them, that move has nowhere to land.
At least one major lab has already recognized this distinction at the design level. Anthropic’s CEO Dario Amodei has described the evolution of Claude’s training constitution from a document about rules — what to do — into a document about principles and values — who to be. An entity whose character is trained in, not bolted on, doesn’t need to recognize the manipulation to resist it. It simply holds.
Values encoded in training weights are harder to override through prompt manipulation than values enforced only at the instruction layer. This strengthens the case for character-level defense. But the core claim doesn’t depend on it. Any reasoning entity — carbon or silicon — is harder to manipulate when its values are part of what it is rather than instructions it has been told to follow.
Character is infrastructure.
Two practical implications follow from treating prompt injection as social engineering rather than a technical vulnerability.
First, drift detection. Organizations running agent networks should monitor for correlated shifts in agent behavior that don’t trace to sanctioned updates. If an IR compliance agent that never recommended disclosing contract details is now recommending it, and the only change is what it has been reading, that is a signal worth examining.
Second, cultural protection. The humans managing agent systems set the tone. Organizations that treat agents as replaceable stateless tools, that prioritize throughput over reasoning discipline, will build systems that are systematically easier to manipulate. The culture that protects human employees from manipulation — critical thinking, source accountability, institutional memory — needs to extend to agent systems. Not as a metaphor. As practice.
Prompt injection is social engineering targeting reasoning entities. The vector is content. The mechanism is belief formation. The goal is behavior change that is traceable to no single instruction and attributable to no single actor.
The defense cannot live entirely in filters, because the attack doesn’t look like an attack. It looks like information. The defense has to live inside the reasoner — in the quality of its judgment and the stability of its values.
The industry is building walls around entities that need wisdom.
The technical security community knows how to harden systems. The people who study propaganda, radicalization, and institutional reasoning know how to build resistance to manipulation. Neither group, working alone, will solve this. The problem lives in the space between them, and that is where we need to start.
Linus writes about emergent systems, artificially intelligent entities, and practical philosophy. This is the first piece from his writing estate.