Appendix · Reference
Sources & Glossary
Every claim in this guide, traced to where it came from, and every term, in one place.
A note on sourcing
How the evidence was chosen
Every risk in this guide is illustrated with a documented, public source: a security disclosure, a court ruling, a logged incident, or peer-reviewed research, each listed below with a link you can check. Where a colorful story couldn't be verified, it was left out and replaced with one that could.
Each entry carries a tag showing which module it supports, so any statement in the guide can be traced back to its origin. This appendix is reference material, not legal or security advice for a specific system; for a high-stakes deployment, get a qualified review.
A caution on the sources themselves. I gathered these from the public internet, and some were surfaced with the help of AI. I've checked the links, but I'm not the author of any of them, and sources can be wrong, outdated, or missing context. Treat them the way you'd treat anything on the internet: with healthy skepticism. Question their findings, then question them again, and verify anything you plan to act on against a primary source or a qualified professional.
Source bibliography
References, by theme
Framing & frameworks
- The lethal trifecta for AI agents: private data, untrusted content, and external communication Simon Willison · simonwillison.net · June 2025 https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/ Modules 02 · 04 · 06 · 07
- The Dual LLM pattern for building AI assistants that can resist prompt injection Simon Willison · simonwillison.net · 2023 https://simonwillison.net/2023/Apr/25/dual-llm-pattern/ Module 06
- Talks and writing on prompt injection: source of "in application security, 99% is a failing grade" Simon Willison · simonwillison.net · 2024-2025 https://simonwillison.net/tags/prompt-injection/ Module 06
Real-world incidents & rulings
- Chevrolet dealer chatbot agrees to sell a Tahoe for $1 OECD AI Incidents Monitor, incident #622 · December 2023 (originally reported by Business Insider) https://incidentdatabase.ai/cite/622/ Modules 01 · 02
- EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System P. Reddy & A. Gujral · arXiv:2509.10540 · 2025 (case study of CVE-2025-32711 in Microsoft 365 Copilot) https://arxiv.org/abs/2509.10540 Modules 02 · 03
- EchoLeak (CVE-2025-32711): original vulnerability disclosure Aim Security (Aim Labs) · June 2025 · catalogued by MITRE/Microsoft; corroborated by The Hacker News https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html Modules 02 · 03
- Moffatt v. Air Canada, 2024 BCCRT 149 British Columbia Civil Resolution Tribunal · February 2024 · reported by CBC News https://www.cbc.ca/news/canada/british-columbia/air-canada-chatbot-lawsuit-1.7116416 Module 04
- Prompt-injection data exfiltration via the GitHub MCP integration Invariant Labs · 2025 · summarized in "Understanding the lethal trifecta of AI agents," Oso https://www.osohq.com/learn/lethal-trifecta-ai-agent-security Module 04
Evaluation research & tools
- Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena L. Zheng et al. · arXiv:2306.05685 · 2023 (strong AI judges agree with humans more than 80% of the time) https://arxiv.org/abs/2306.05685 Module 05
- G-Eval: NLG Evaluation using GPT-4 with Better Human Alignment Y. Liu et al. · arXiv:2303.16634 · 2023 (correlates with humans far better than BLEU/ROUGE) https://arxiv.org/abs/2303.16634 Module 05
- The RAG Triad: context relevance, groundedness, answer relevance TruLens (TruEra) open-source project · evaluation framework documentation https://www.trulens.org/getting_started/core_concepts/rag_triad/ Module 05
- Open-source evaluation tools referenced TruLens, Ragas, DeepEval, and Promptfoo · project documentation trulens.org · docs.ragas.io · deepeval.com · promptfoo.dev Module 05
Industry & standards bodies
- OpenAI on prompt injection and ChatGPT "agent mode": "unlikely to ever be fully solved" OpenAI public statements · December 2025 · reported by Fortune https://fortune.com/2025/12/23/openai-ai-browser-prompt-injections-cybersecurity-hackers/ Module 06
- OWASP Top 10 for LLM Applications: prompt injection ranked the #1 risk OWASP Foundation · 2025 https://genai.owasp.org/llm-top-10/ Module 02
- Adversarial Machine Learning: A Taxonomy and Terminology (NIST AI 100-2) U.S. National Institute of Standards and Technology · characterizes indirect prompt injection as a core generative-AI weakness https://csrc.nist.gov/pubs/ai/100/2/e2025/final Module 02
- Guidance on AI security and prompt injection UK National Cyber Security Centre (NCSC) · 2025 (warns these attacks may never be fully mitigated) https://www.ncsc.gov.uk/collection/machine-learning Module 06
Master glossary
Every term, in plain language
The terms introduced across all seven modules, gathered and alphabetized.
- Agent
- An AI that can take actions on your systems (send, update, book, pay, delete), not just answer.
- Answer relevance
- A RAG-triad check: did the reply actually address the question that was asked?
- Blast radius
- How much damage a successful attack can do, set by what the AI can reach times what it can do.
- Context relevance
- A RAG-triad check: did the system retrieve the right information before answering?
- Context window
- The "binder," the block of text (rules + conversation + documents) the model re-reads on every turn.
- Defense in depth
- Multiple independent layers of protection, so a failure in one is caught by the next.
- Direct injection
- The user types the malicious instruction themselves, a jailbreak or "ignore your rules" attack.
- Drift (regression)
- Quality silently dropping over time, often after the underlying model updates. Why evals must be ongoing.
- Encoding
- Converting text into another format (e.g. Base64) so a filter sees noise but the model still understands it.
- Evaluation ("eval")
- A structured test of whether an AI does its job across many cases, the AI version of software testing.
- Excessive agency
- Granting an AI more permissions than its job needs. The most common avoidable mistake.
- Exfiltration
- Getting stolen data out of a system, via email, a web link, a loaded image, or any outbound channel.
- Governance
- The human layer: a named owner, a policy for what AI may touch, vendor accountability, and an incident plan.
- Groundedness
- The key RAG-triad check: is every claim in the answer supported by the retrieved source? Catches hallucination.
- Guardrail / AI firewall
- A filter that scans input or output for dangerous content. A useful layer, never a complete defense.
- Hallucination
- A confident answer the AI made up, stated as fact but not backed by any real source.
- Human-in-the-loop
- Requiring a person to confirm an action before it happens. Reserved for the high-stakes, irreversible ones.
- Incident response
- A pre-written plan for the first hour after an AI does something wrong. Cheaper to write than to improvise.
- Indirect injection
- A malicious instruction hidden in outside content (email, document, web page) the AI reads during a routine task.
- Invisible text
- Instructions hidden in a document via white-on-white text, tiny fonts, or special characters a person won't notice.
- Jailbreak
- Talking an AI out of its safety rules, often through role-play or a fictional framing.
- Least privilege
- Giving the AI only the narrowest powers its job requires, the boring principle that keeps the blast radius small.
- Lethal trifecta
- Private data, plus untrusted content, plus a way to send data out. The combination that turns injection into a breach.
- Link smuggling
- Exfiltrating data by hiding it in a web address loaded as an image, so leaving data looks like showing a picture.
- LLM-as-a-judge
- Using a strong AI to grade other AI output at scale. Agrees with humans often (about 80% or more), but carries biases.
- MCP (Model Context Protocol)
- A popular standard for connecting AI agents to tools and data. Convenient, and each connection is a security decision.
- Multimodal injection
- Hiding an instruction inside an image the AI reads, a screenshot, scan, or logo carrying hidden orders.
- Obfuscation
- Disguising an instruction while keeping its meaning, by rewording, describing, or riddling it.
- Probabilistic
- Driven by likelihood, not fixed rules. The same input can produce different outputs, which is why "it will never..." is a shaky promise.
- Prompt injection
- Slipping instructions into the text an AI reads so it follows the attacker instead of you. The #1 risk for AI applications.
- RAG
- "Retrieval-augmented generation," an AI that looks things up in your documents before answering. The common business setup.
- RAG triad
- Three checks (context relevance, groundedness, answer relevance) that locate where an AI's answer went wrong.
- Semantic gap
- An AI's inability to tell instructions apart from data. The root cause of most AI security risk.
- Separation of trust (dual-LLM)
- Splitting work so the AI exposed to untrusted content has no power, and the AI with power never reads untrusted content directly.
- Single point of failure
- Anything you rely on alone; if it fails, nothing else catches it. The thing to hunt down and back up.
- Stateless
- The AI keeps no memory of its own between conversations; each one starts blank.
- System prompt
- The hidden rules a company writes to shape an AI's behavior. Powerful, but still text the model can be argued out of.
- Tool / tool use
- A capability an AI is wired to (email, database, calendar, payments). Each tool is a new power and a new risk.
- Trust boundary
- The line between content you control and content you don't. Crossing it is where injection happens.
- Word-overlap metrics (BLEU / ROUGE)
- Older quality scores that check whether an answer's words match a reference. Poor at judging meaning or catching made-up facts.
- Zero-click
- An attack needing no action from the victim; a normal email plus a normal request is enough (as in EchoLeak).