Cross-Prompt Injection Attack (XPIA)

XPIA highlights how prompt injection becomes a cross-tenant or cross-user risk in collaborative environments. The attacker does not need to interact with the target directly; they only need their content to be retrieved later.

XPIA scenarios commonly include:

• Email-driven injection: Hostile messages crafted to manipulate the recipient's Copilot.
• Shared document injection: Files in SharePoint or wikis affecting later readers' agents.
• Calendar and meeting payloads: Invites or notes that route into AI summarization.
• RAG corpus poisoning: Cross-tenant data seeded into shared retrieval indices.
• Cross-app spillover: Content from one SaaS app influencing another through agent context.

XPIA is particularly hazardous in enterprise environments because the attacker only needs to land content in a shared store. Inspecting retrieved content before it reaches the model is the most direct mitigation and the hardest one to retrofit after the fact.

Programs that mature fastest also segment retrieval indices by sensitivity, so a single poisoned document cannot reach into highly confidential corpora.

How PointGuard AI Helps

PointGuard AI Runtime Guardrails inspect retrieved enterprise content for injection patterns, and AI Data Protection enforces classification-aware policy on outputs that could carry sensitive context across users. Together they neutralize XPIA at the point where it would otherwise become a cross-tenant data flow.

Learn More

• OWASP Top 10 for LLM Applications
• Greshake et al., Indirect Prompt Injection arXiv:2302.12173
• NIST AI 600-1 Generative AI Profile