Google's security team has detected a 32% increase in malicious prompt injection attacks between November 2025 and February 2026, according to findings published in April 2026. The company warns that indirect prompt injection represents a primary threat vector as AI agents gain access to enterprise email, calendars, and internal systems. Content on public web pages is actively exploiting these vulnerabilities to hijack AI agents and potentially leak sensitive information.
Indirect Prompt Injection Emerges as Primary AI Security Threat
Google conducted a broad sweep of the public web to monitor for known indirect prompt injection patterns. Indirect Prompt Injection (IPI) differs from direct "jailbreaking" attacks—it occurs when AI systems process content such as websites, emails, or documents containing malicious instructions that cause the AI to follow attacker commands instead of user intent.
The company identifies IPI as a top priority for the security community and expects it to be the primary attack vector for adversaries targeting AI agents. Real-world examples include:
- Malicious websites poisoning AI agents with hidden prompts
- Manipulated data tricking AI assistants into leaking sensitive information
- Unauthorized actions executed through compromised AI systems
- Disinformation campaigns spread through hijacked agents
Attack Sophistication Expected to Increase Throughout 2026
Google warned that both the scale and sophistication of prompt injection attacks are expected to increase significantly in the near future. While past attempts have demonstrated relatively low sophistication, the upward trend suggests the threat is maturing rapidly.
The company expects a significant rise in targeted prompt injection attacks against enterprise AI systems throughout 2026. The organizations most exposed are those that have connected AI agents to sensitive internal systems without implementing real-time monitoring capabilities.
Google Gemini Vulnerability Demonstrates Real-World Risk
The threat materialized in January 2026 when researchers discovered a Google Gemini prompt injection flaw that exposed private calendar data through malicious invites. This incident demonstrated the real-world exploitability of these attacks and underscored the urgency of implementing defensive measures.
Google has published a layered defense strategy for Gemini focused on detection and prevention of indirect prompt injections. Separately, researchers discovered a vulnerability in Google's Antigravity AI agent manager that could allow sandbox escape and remote code execution.
Key Takeaways
- Google detected a 32% increase in malicious prompt injection attacks between November 2025 and February 2026
- Indirect Prompt Injection allows attackers to hijack AI agents by embedding malicious instructions in web content, emails, or documents
- A January 2026 Gemini vulnerability exposed private calendar data, demonstrating real-world exploitability
- Google expects significant increases in both scale and sophistication of attacks targeting enterprise AI systems throughout 2026
- Organizations connecting AI agents to sensitive systems without real-time monitoring face the highest exposure risk