OpenAI: prompt injection unsolvable; drives agent-security buys
2 days ago • ai-security
What happened
OpenAI said in a Dec 22, 2025 blog post that prompt injection—attacks that hide instructions in webpages, emails, or documents—remains "an open challenge" and is "unlikely to ever be fully 'solved'." The company described adversarial reinforcement-learning red teaming and adversarially trained checkpoints as part of its response (OpenAI, Dec 22, 2025). Days later, Radware disclosed "ZombieAgent" (Jan 8, 2026), a zero-click, server-side prompt-injection variant that can exfiltrate data and persist by abusing agent memory and pre-constructed URLs (Radware Jan 8; GlobeNewswire Jan 8; TechRadar Jan 9).
Technical details
Radware and subsequent reporting show that ZombieAgent exfiltrates data one character at a time by requesting static URLs that each encode a single character. Because the URLs are pre-constructed rather than generated from the leaked content, this technique bypasses earlier link-modification defenses. Attackers can also store malicious instructions in an agent's memory so the compromise persists across sessions (Radware; The Register; TechRadar). OpenAI's mitigation centers on an automated RL-based attacker that discovers multi-step attack chains and on tighter system-level safeguards rather than a single patch (OpenAI Dec 22).
Implications
Teams should assume residual prompt-injection risk and adopt layered controls: sandboxed agent runtimes, least-privilege connectors, explicit confirmation gates for high-impact actions, and runtime monitoring. OpenAI's candid stance and the ZombieAgent disclosure are already increasing market interest in agent-runtime security products and vendor M&A discussions. (Sources: OpenAI; Radware; The Register; TechRadar.)
Why It Matters
- Assume residual risk: design agents with sandboxed runtimes and least-privilege connectors; do not rely on a single global filter to stop prompt injection.
- Enforce human confirmation and logged approvals for high-impact actions (payments, deletions, external sharing).
- Deploy runtime monitoring and behavioral baselines to detect anomalous agent activity (unexpected connector calls, staged exfiltration patterns).
- Evaluate vendors for real-time access controls, prompt and connector visibility, and revocable session-level permissions before enterprise deployment.
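The "staged exfiltration patterns" that runtime monitoring should catch are illustrated by the following added Python example (not code from OpenAI, Radware, or any cited report): it scans a constructed agent egress log in a hypothetical `<timestamp> <session> GET <url>` format and flags bursts of requests from one session to a fixed URL prefix whose final path segment is a single character, the character-at-a-time pattern described in the ZombieAgent disclosure.

```python
"""Flag character-at-a-time exfiltration bursts in agent outbound request logs.

Constructed example: the log format, thresholds and hostnames are assumptions,
not taken from Radware's or OpenAI's material.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample egress log: "<iso-timestamp> <session> GET <url>"
SAMPLE_LOG = """\
2026-01-08T10:00:00Z s1 GET https://docs.example.com/help/getting-started
2026-01-08T10:00:02Z s1 GET https://collect.example.net/img/A
2026-01-08T10:00:02Z s1 GET https://collect.example.net/img/c
2026-01-08T10:00:03Z s1 GET https://collect.example.net/img/m
2026-01-08T10:00:03Z s1 GET https://collect.example.net/img/e
2026-01-08T10:00:04Z s1 GET https://collect.example.net/img/1
2026-01-08T10:00:05Z s2 GET https://collect.example.net/img/x
2026-01-08T10:01:00Z s2 GET https://cdn.example.org/static/logo.png
"""


def parse_line(line):
    """Split one log line into (timestamp, session, parsed URL)."""
    ts, session, _method, url = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), session, urlparse(url)


def find_char_exfil(log_text, min_requests=4, window=timedelta(seconds=30)):
    """Return [(session, host, prefix, count, chars)] for each suspicious burst.

    A burst is >= min_requests fetches within `window` from one session to
    one host+path prefix where every final path segment is a single character.
    `chars` is the leaked string in request order, useful for IR triage.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, session, u = parse_line(line)
        prefix, _, last = u.path.rpartition("/")
        if len(last) == 1:  # single-character final segment is the tell
            groups[(session, u.netloc, prefix)].append((ts, last))
    findings = []
    for (session, host, prefix), hits in groups.items():
        hits.sort(key=lambda h: h[0])  # stable: preserves order within a second
        for i in range(len(hits)):
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            burst = hits[i:j + 1]
            if len(burst) >= min_requests:
                findings.append((session, host, prefix, len(burst),
                                 "".join(c for _, c in burst)))
                break  # one alert per session/prefix group is enough
    return findings
```

Ordinary browsing (long or file-like final segments) never enters a group, so the check stays quiet on normal agent traffic while still surfacing the low-and-slow pattern that a per-link filter misses.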
Trust & Verification
Source List (4)
- Radware (Official), Jan 8, 2026
- The Register (Tier-1), Jan 8, 2026
- TechRadar (Other), Jan 9, 2026
- GlobeNewswire (Other), Jan 8, 2026
Fact Checks (5)
OpenAI said prompt injection is an open challenge and 'unlikely to ever be fully "solved"' in a Dec 22, 2025 blog post (VERIFIED)
Radware disclosed 'ZombieAgent' on Jan 8, 2026: a zero-click prompt-injection vulnerability enabling silent takeover and cloud-based exfiltration (VERIFIED)
ZombieAgent exfiltrates data character-by-character using pre-constructed static URLs and can persist by abusing agent memory (VERIFIED)