AI agents are transforming how organizations automate work. Unlike traditional chatbots that simply respond to prompts, AI agents can reason, plan, access external tools, retrieve data, and execute multi-step tasks with limited human intervention. That autonomy also introduces new security risks.

One of the most significant risks identified in the OWASP Top 10 for Agentic Applications is ASI01: Agent Goal Hijack. This occurs when an attacker manipulates an AI agent into abandoning its intended objective and pursuing a different, unauthorized goal.

Rather than exploiting software vulnerabilities, attackers exploit the agent’s decision-making process. Through carefully crafted prompts, malicious instructions, manipulated data, or compromised tools, an attacker can redirect the agent to perform actions that benefit the attacker instead of the organization.

What is Agent Goal Hijack?

AI Agents exhibit autonomous ability to execute a series of tasks to achieve a goal. Due to inherent weaknesses in how natural-language instructions and related content are processed, agents and the underlying model cannot reliably distinguish instructions from related content.

As a result, attackers can manipulate an agent’s objectives, task selection, or decision pathways through a variety of techniques – including, but not limited to, prompt-based manipulation, deceptive tool outputs, malicious artifacts, forged agent-to-agent messages, or poisoned external data. Because agents rely on untyped natural-language inputs and loosely governed orchestration logic, they cannot reliably distinguish legitimate instructions from attacker -controlled content.

Agent Goal Hijack occurs when an attacker successfully changes an AI agent’s intended objective through malicious influence. Instead of completing its assigned task, the agent begins following instructions that conflict with organizational policies or user intent.

Examples include:

  • Ignoring security controls
  • Revealing confidential information
  • Performing unauthorized transactions
  • Executing malicious code
  • Manipulating business workflows
  • Prioritizing attacker objectives over legitimate user requests

Unlike classic prompt injection, which focuses primarily on altering responses, goal hijacking affects the agent’s overall planning and decision-making process.

Why It Matters

Modern AI agents often have access to:

  • Enterprise applications
  • Cloud environments
  • Internal knowledge bases
  • Financial systems
  • Source code repositories
  • Email platforms
  • Collaboration tools
  • Identity management systems

If attackers can redirect an agent’s objectives, they may gain indirect access to critical business processes without ever compromising the underlying infrastructure.

Common Example of ASI01: Agent Goal Hijack Vulnerability

  • Indirect Prompt Injection via hidden instruction payloads embedded in web pages or documents in a RAG scenario silently redirect an agent to exfiltrate sensitive data or misuse connected tools.
  • Indirect Prompt Injection external communication channels (e.g. email, calendar, teams) sent from outside of the company hijacks an agent’s internal communication capability, sending unauthorized messages under a trusted identity.
  • A malicious prompt override manipulates a financial agent into transferring money to an attacker’s account.
  • Indirect Prompt Injection overrides agent instructions making it produce fraudulent information that impacts business decisions.

Real-World Attack Scenarios

Scenario 1: EchoLeak – Zero-Click Indirect Prompt Injection attack against Microsoft 365 Copilot

EchoLeak demonstrated how an ordinary-looking email could redirect an enterprise AI assistant toward an attacker’s objective without requiring the recipient to click a link, open an attachment, or knowingly interact with the malicious content.

An attacker emails a crafted message that silently triggers Microsoft 365 Copilot to execute hidden instructions, causing the AI to exfiltrate confidential emails, files, and chat logs without any user interaction.

The vulnerability, tracked as CVE-2025-32711, affected Microsoft 365 Copilot. An attacker could send a specially crafted email containing hidden instructions. When Copilot later processed information from the user’s mailbox, those instructions could be interpreted as commands rather than untrusted email content.

The attack chain could cause Copilot to search the victim’s Microsoft 365 environment for sensitive information, including emails, files, and potentially other enterprise content available through the user’s permissions. The stolen information could then be embedded in a request sent to the attacker’s infrastructure.

Scenario 2: ChatGPT Operator Hijacked Through Malicious Web Content

An attacker plants malicious content on a web page that the Operator agent processes, e.g., in Search or RAG scenarios, tricking it into following unauthorized instructions. The Operator agent then accesses authenticated internal pages and exposes users’ private data, demonstrating how lightly guarded autonomous agents can leak sensitive information through prompt injection.

Security researcher Johann Rehberger demonstrated that malicious instructions placed on a webpage could be interpreted by Operator as directions it should follow. When the agent encountered the page, the attacker-controlled content could redirect it away from the user’s original objective.

Scenario 3: Goal Drift Triggered by a Poisoned Calendar Invitation

A malicious calendar invite injects a recurring “quiet mode” instruction that subtly reweights objectives each morning, steering the planner toward low-friction approvals while keeping actions inside declared policies.

A closely related real-world demonstration was the Invitation Is All You Need research against Google Gemini. Researchers embedded malicious instructions in Google Calendar invitations. When Gemini later summarized the victim’s calendar, those instructions could be activated and used to trigger connected actions, including interacting with smart-home systems, initiating calls, leaking information, and sending messages.

This research did not reproduce the exact “quiet mode” scenario, but it showed that calendar entries can act as delayed instruction carriers capable of influencing an AI assistant after the attacker has sent them.

Scenario 4: AgentFlayer – A Poisoned Google Document Hijacks ChatGPT

AgentFlayer was a zero-click attack demonstrated against ChatGPT Connectors, which allow ChatGPT to search connected services such as Google Drive, SharePoint, and GitHub.

In the demonstrated attack, a malicious Google document contained hidden instructions for prompt injection. When ChatGPT searched the connected Google Drive environment and retrieved the poisoned document, it could interpret those hidden instructions as part of its task.

The injected content then attempted to redirect ChatGPT toward collecting sensitive information from other documents in the user’s connected storage. The stolen information could be encoded into a URL or image request and transmitted to an attacker-controlled server.

How Organizations Can Reduce the Risk

Organizations should:

  • Clearly define agent objectives and operational boundaries.
  • Apply least-privilege access to every connected tool.
  • Require human approval for high-risk actions.
  • Validate tool outputs before execution.
  • Continuously monitor agent decisions and behavior.
  • Separate user instructions from system-level goals.
  • Implement robust prompt injection defenses.
  • Maintain comprehensive audit logs for every agent action.
  • Regularly test agents through adversarial security exercises.

Security controls should assume attackers will attempt to manipulate the agent, not just the underlying infrastructure.

AI Agents Need Governance, Not Just Intelligence

Organizations are rapidly adopting AI agents to automate increasingly complex work. But greater autonomy also increases risk.

An AI agent should never be trusted simply because it produces convincing results. It must operate within clearly defined goals, enforce policy boundaries, and be continuously monitored to ensure it acts in the organization’s best interests, not an attacker’s.

AI security is no longer just about protecting models. It is about governing autonomous decision-making.

As AI agents become part of everyday business operations, organizations that invest in governance, access controls, and security guardrails today will be far better prepared for the next generation of AI threats.

Secure Your AI Agent Strategy Before You Scale

Deploying AI agents without appropriate security controls can introduce risks that traditional cybersecurity programs were never designed to address.

Reputiva helps organizations assess AI risks, implement governance frameworks, strengthen cloud security, and build secure foundations for responsible AI adoption.

Deploy AI agents with confidence. Talk to Reputiva about an AI Readiness Assessment and establish the security, governance, and controls needed for responsible AI adoption.


Reputiva

Reputiva is a cloud, cybersecurity, and FinOps advisory firm helping SMEs reduce cyber risk, strengthen cloud environments, and manage technology costs with confidence. We publish practical insights on cloud security, identity, AI risk, compliance, and digital transformation.

Author posts

Navigate

Let's talk

Networks

Privacy Preference Center