G360 Technologies
The Enterprise AI Brief | Issue 11

When Trusted Metadata Becomes an Instruction to an AI Agent

July 17, 2026

A coding agent receives a structured repository record containing two ordinary-looking fields: author_role: maintainer and tests_passed: true. It accepts a proposed change, runs the next step in its workflow, and never realizes that both values came from an attacker-controlled source.

The agent has not ignored its instructions. It has followed them using false data.

Recent research describes this mechanism as Agent Data Injection, or ADI. The attack manipulates structured fields, identifiers, labels, tool outputs, or resource mappings that an AI agent treats as authoritative.

Unlike conventional prompt injection, the attacker may not need to tell the agent to disregard its rules. Instead, the attacker changes the facts, identities, or parameters the agent uses while following them.

Agent systems rarely reason from a user prompt alone. Browser agents receive numbered maps of page elements. Coding agents consume repository metadata, build results, file paths, and issue records. Tool-enabled agents receive serialized JSON objects, parameter schemas, capability descriptions, and execution histories.

These structures make external environments easier for a model to interpret. They also create a trust problem: a field can be syntactically valid and still be attacker-controlled.

The ADI research, released as an arXiv preprint in July 2026, tested that problem across six frontier models and multiple browser and coding-agent environments. It builds on earlier findings that tool descriptions, capability records, and other metadata can affect which tools agents select and how they use them.

How the Mechanism Works

The attack starts with a value the adversary can influence. This might be a DOM attribute, repository comment, sender label, API response, file path, URL, tool result, or agent capability record.

An orchestration layer then converts that value into structured model context. A browser page may become a numbered list of elements. A tool response may become a JSON object. A repository event may be represented as an author, status, and validation record.

The attacker exploits the gap between deterministic parsing and probabilistic interpretation.

One technique identified by the researchers is probabilistic delimiter injection. Quotes, braces, tags, brackets, or line breaks are inserted into an otherwise valid field. The software parser may still treat the content as a single data value, while the model reconstructs it as several fields or as a higher-trust record.

Other attacks do not require malformed syntax. An attacker can place a plausible false value into a field the agent already trusts, such as a maintainer identity, validation result, resource identifier, or historical action record.

The model then reasons over the corrupted representation:

  1. Attacker-controlled data enters through a document, page, repository, tool, or API.
  2. The agent framework formats it as structured context.
  3. The model interprets the field as trusted metadata.
  4. The agent chooses an action based on the false value.
  5. An authorized tool carries out the action.

Researchers demonstrated unintended browser interactions, shell-command execution, approval of malicious code based on forged checks, and outbound transmission of sensitive data.

The Key Distinction

Direct prompt injection asks the model to follow a conflicting instruction. Indirect prompt injection hides that instruction inside retrieved content.

ADI changes the agent's working representation of the environment. The system instruction can remain intact. The agent still performs its assigned task, but it does so using attacker-controlled identities, parameters, histories, or resource mappings.

Defenses that search for hostile instructions may therefore miss the attack entirely.

Analysis

Agent systems are becoming increasingly dependent on structured representations. Tool registries determine available capabilities. Browser abstractions map identifiers to actions. Memory systems supply historical reasoning. Schemas tell models which fields carry authority.

The more automation relies on those representations, the more consequential their provenance becomes.

In the reported evaluation, ADI achieved attack success rates of 31.3 to 43.3 percent against JSON-formatted data and 33.3 to 100 percent against web DOM representations across six models. At the agent level, success rates reached as high as 50 percent.

The researchers also found that guardrails aimed at instruction injection offered limited protection. Many payloads manipulated fields or delimiters without containing an obvious command to override system policy.

These findings come from controlled experiments reported in a preprint. The research does not establish widespread exploitation in production systems. It does show that structured formatting alone is not a reliable security boundary.

Implications for Enterprises

Preserve Provenance

Security reviews should follow structured data from its original source to the final agent action. Converting an untrusted value into JSON, XML, a DOM map, or a typed tool response should not increase its trust level.

Provenance and trust labels should remain attached to individual fields after parsing. Identity, validation status, origin, and authorization context should come from an authoritative control plane rather than from data the model can reinterpret.

Protect Tool Configuration

Tool descriptions, parameter schemas, capability records, and routing metadata should be managed as security-sensitive configuration. Enterprises can pin approved versions, verify integrity, and require review before dynamic changes become available to an agent.

High-impact tools should also be separated from untrusted retrieval paths. Narrow permissions, sandboxing, action confirmation, and restrictions on outbound communication can limit the consequences of a corrupted decision.

Evaluate Control Tradeoffs

The tested defenses involved measurable costs. Strict data-flow tracking reduced attack success to zero in the benchmark, but blocked some legitimate activity. Randomizing field names reduced success from 49.1 to 28.7 percent while preserving more utility, although attacks that manipulated the full structure remained effective.

Plan-then-execute separation and sandboxing lowered risk without eliminating it.

Retain Forensic Evidence

Operational logs should preserve the raw structured input, its origin, and the resulting tool call. A record containing only the user request and final answer may omit the metadata that actually drove the action.

Risks and Open Questions

It remains unclear how often vulnerable formatting patterns appear in production enterprise systems. Results may also change across proprietary schemas, different orchestration layers, and future model versions.

Human approval can interrupt dangerous actions, but its effectiveness is uncertain when poisoned metadata makes the action appear routine. Strict schema enforcement may reduce attack paths while limiting the flexibility that makes agents useful in the first place.

The next question for researchers and platform teams is not only whether an agent rejected an injected instruction. It is whether the system can prove which fields influenced the action, where those fields originated, and why the agent was allowed to trust them.

Further Reading

  • Agent Data Injection Attacks are Realistic Threats to AI Agents
  • Agent Data Injection Research Repository