EU AI Act · 6 min read · by Lars Zimmermann

Prompt injection cannot be patched away, only contained

Prompt injection is not a bug but an architectural weakness of language models. What that means for AI agents and the AI supply chain, and how to contain the risk with ISO 27001, ISO 42001 and the EU AI Act.

In short

Prompt injection is not a bug you patch away, but an architectural weakness of language models: they do not cleanly separate a trusted command from injected data. With AI agents this turns a wrong answer into a wrong action. Added to this is the AI supply-chain risk. Protection means containment: least privilege, validated inputs and outputs, human approval for risky actions, and monitoring.


The picture is clear: the current OWASP report on AI agent security (as of June 2026) gathers real incidents for the first time, not just theory. The uncomfortable message: prompt injection is not a flaw the next patch fixes. It is a design feature of today's language models.

Why prompt injection stays

A language model has no built-in boundary between "this is a command from me" and "this is just data I am reading". Inject instructions into a document, an email, a web page or a code comment, and you can make the model execute them as a command. Filters and tight permissions lower the risk; they do not remove it. With an agent that acts on its own, a wrong answer becomes a wrong action: an email, an order, a system access.

The second, often-missed risk: the AI supply chain

AI agents are rarely a single piece. They use frameworks and open-source components, which in turn use other components. Poison one of them and every project inherits the weakness, often thousands of times and unnoticed. That is exactly what surfaced recently: a manipulated package deep in the supply chain of widely used agent libraries. If you buy AI components, you buy their weaknesses too.

What actually protects

Not the promise to patch the problem away, but consistent containment in several places at once:

| Risk | Measure | Anchor |
|------|---------|--------|
| Injected commands (prompt injection) | Validated inputs and outputs, separate command from data | ISO/IEC 27001 (integrity) |
| Over-privileged agent | Least privilege per action | ISO/IEC 27001 Annex A (access) |
| Risky autonomous actions | Human approval, limits, sandbox | EU AI Act Art. 14 (oversight) |
| Poisoned components | Check provenance, pin versions, harden the supply chain | ISO/IEC 27001 (supply chain) |
| Unnoticed misbehaviour | Monitoring, audit trail | ISO/IEC 42001 clause 9 |

Securing AI agents is not a special path; it docks onto existing standards and the EU AI Act.
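As an added example (not code from the article or its author), a minimal action gate in Python that applies three of the containment measures above to an agent's proposed tool call: least privilege per action (unknown tools are denied), hard limits plus human approval for high-risk actions, and an audit trail of every decision. The tool names, the recipient-domain allowlist and the order limit are constructed for this example.

```python
from dataclasses import dataclass, field

# Per-tool policy (constructed for this example): risk level, a recipient
# domain allowlist for e-mail, and a hard limit for order amounts.
POLICY = {
    "read_document": {"risk": "low"},
    "send_email":    {"risk": "high", "domains": {"example.internal"}},
    "place_order":   {"risk": "high", "limit": 500.0},
}

@dataclass
class Gate:
    audit: list = field(default_factory=list)  # audit trail of every decision

    def decide(self, action: dict, approved_by_human: bool = False) -> str:
        """Return 'allow', 'needs_approval' or 'deny' and record the reason."""
        tool, args = action.get("tool"), action.get("args", {})
        policy = POLICY.get(tool)
        if policy is None:  # unknown tool: least privilege means deny by default
            return self._log(action, "deny", "tool not in policy")
        if "domains" in policy:
            outside = [r for r in args.get("to", [])
                       if r.rsplit("@", 1)[-1] not in policy["domains"]]
            if outside:
                return self._log(action, "deny", f"recipients outside allowlist: {outside}")
        if "limit" in policy and float(args.get("amount", 0)) > policy["limit"]:
            return self._log(action, "deny", "amount above hard limit")
        if policy["risk"] == "high" and not approved_by_human:
            return self._log(action, "needs_approval", "high-risk action")
        return self._log(action, "allow", "within policy")

    def _log(self, action: dict, decision: str, reason: str) -> str:
        self.audit.append({"action": action, "decision": decision, "reason": reason})
        return decision

def run_demo() -> list:
    """Constructed proposals; the e-mail one is what an agent might emit after
    reading a document that carried injected instructions."""
    gate = Gate()
    proposals = [
        {"tool": "read_document", "args": {"id": "doc-42"}},
        {"tool": "send_email", "args": {"to": ["outside@external.example"]}},
        {"tool": "place_order", "args": {"amount": 120.0}},
        {"tool": "place_order", "args": {"amount": 9000.0}},
        {"tool": "delete_backups", "args": {}},
    ]
    decisions = [gate.decide(p) for p in proposals]
    decisions.append(gate.decide(proposals[2], approved_by_human=True))
    return decisions  # returns ['allow', 'deny', 'needs_approval', 'deny', 'deny', 'allow']
```

The gate does not try to detect the injection itself; it assumes the model can be tricked and limits what a tricked model is able to do.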

Where this docks into standards

If you run ISO/IEC 27001 and ISO/IEC 42001 properly, the framework is already in place: access control, integrity and supply-chain security from 27001, AI risk and monitoring from 42001, human oversight from the AI Act. For agents, what is added are mainly action guardrails and a harder supply chain. We clarify how to set this up in your organisation in a free initial call.


Frequently asked questions

Can prompt injection be prevented?

Not completely. It is an architectural weakness of language models that do not cleanly separate command from data. You contain it through validated inputs and outputs, least privilege, human approval for risky actions, and end-to-end monitoring.

What is the AI supply-chain risk?

AI agents use many open-source components. Poison one and every project inherits the weakness, often unnoticed. Protection: check provenance, pin versions and monitor components, just like any software supply chain under ISO/IEC 27001.

Which standard helps secure AI agents?

A combination: ISO/IEC 27001 for access, integrity and supply chain, ISO/IEC 42001 for AI risk and monitoring, plus human oversight from Article 14 of the EU AI Act.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)

Last updated: 17 June 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
