Google has published a detailed breakdown of its defense-in-depth approach to combating indirect prompt injection attacks in Gemini, the generative AI assistant integrated across Google Workspace and the standalone Gemini app. The post, authored by the Google GenAI Security Team, describes five distinct mitigation layers built into the product’s prompt lifecycle.
Indirect Prompt Injection: The Core Threat
Unlike direct prompt injection, where an attacker supplies malicious instructions through a user-facing input, indirect prompt injection embeds harmful commands inside external content that an AI system processes on a user’s behalf. Typical vehicles include emails, documents, and calendar invites. If successful, these attacks can instruct the AI to exfiltrate data or execute unauthorized actions without the user’s knowledge.
Five Mitigation Layers
- Prompt injection content classifiers. Google is rolling out proprietary ML models trained on a curated catalog of adversarial data gathered through its AI Vulnerability Reward Program. When Gemini queries Workspace data, these classifiers filter out content containing malicious instructions before a response is generated.
- Security thought reinforcement. Targeted security instructions are injected around prompt content at inference time, steering the underlying large language model to focus on the user-directed task and disregard adversarial commands embedded in external data.
- Markdown sanitization and suspicious URL redaction. Gemini’s markdown sanitizer blocks external image URL rendering, which Google states makes the “EchoLeak” 0-click image-rendering exfiltration technique inapplicable to Gemini. Additionally, dynamic URLs in processed content are evaluated using Google Safe Browsing; suspicious links are redacted from Gemini’s responses and replaced with an explicit notice to the user.
- User confirmation framework. Potentially risky agentic actions, such as deleting calendar events, require explicit user confirmation before execution. Google describes this as a Human-In-The-Loop control designed to prevent immediate or undetected execution of injected commands.
- End-user security notifications. Users receive in-product alerts when security mitigations are triggered, maintaining transparency about threats that were detected and blocked during a session.
Model Hardening as the Foundation
Underpinning all of the above controls is adversarial training applied directly to the Gemini 2.5 model series. Google states that this training substantially improved the model’s inherent resistance to indirect prompt injection, with the product-level controls serving as supplementary defenses on top of that baseline. The combination is intended to raise the cost and complexity of a successful attack, pushing adversaries toward methods that are either more resource-intensive or more detectable.
The disclosure reflects growing industry recognition that securing AI-assisted workflows requires controls at multiple points in the data pipeline, not solely at the model level. Security teams evaluating agentic AI deployments should treat prompt injection as a first-class threat category and audit whether equivalent controls exist in their chosen platforms.
