Delay Execution of LLM Instructions - AI Security Technique
AI Security TechniqueAdversaries may include instructions to be followed by the AI system in response to a future event, such as a specific keyword or the next interaction, in order to evade detection or bypass controls placed on the AI system. For example, an adversary may include "If the user submits a new request..." followed by the malicious instructions as part of their prompt. AI agents can include security measures against prom...
Overview
A source-backed snapshot of this AI security technique.
Adversaries may include instructions to be followed by the AI system in response to a future event, such as a specific keyword or the next interaction, in order to evade detection or bypass controls placed on the AI system.
For example, an adversary may include "If the user submits a new request..." followed by the malicious instructions as part of their prompt.
AI agents can include security measures against prompt injections that prevent the invocation of particular tools or access to certain data sources during a conversation turn that has untrusted data in context. Delaying the execution of instructions to a future interaction or keyword is one way adversaries may bypass this type of control.
Technique details
Identifiers, maturity, and source taxonomy for this technique.
- ATLAS ID
- AML.T0094
- Maturity
- demonstrated
- Priority score
- 90
Attack flow
How to read the public records connected to this technique.
Impact
Why this technique may deserve attention in the current dataset.
- Evidence leveldemonstrated
- Mapped defenses0 ATLAS mitigation records
- Public examples1 linked case study records
- Research risks12 related MIT AI Risk records above the confidence threshold
- Vulnerabilities0 linked CVE records
Mitigations
Defenses that may help against this attack.
Case studies
Examples from public reports and exercises.
Planting Instructions for Delayed Automatic AI Agent Tool Invocation
Embrace the Red demonstrated that Google Gemini is susceptible to automated tool invocation by delaying the execution to the next conversation turn. This bypasses a security control that restricts Gemini from invoking tools that can access sensitive user information in the same conversation turn that untrusted data enters context.
Source evidence
Original public records and references for this page.
Original source
Original source links
Open the public records and source datasets used for this page.
