Second-order prompt injection can turn AI into a malicious insider

1. Pro
2. Security

Second-order prompt injection can turn AI into a malicious insider News By Sead Fadilpašić published 21 November 2025

Security researchers found a way to abuse ServiceNow’s Now Assist platform

Comments (0) ()

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

(Image credit: Shutterstock / metamorworks)

• AppOmni warns ServiceNow’s Now Assist AI can be abused via “second‑order prompt injection”
• Malicious low‑privileged agents can recruit higher‑privileged ones to exfiltrate sensitive data
• Risk stems from default configurations; mitigations include supervised execution, disabling overrides, and monitoring agents

We’ve all heard of malicious insiders, but have you ever heard of malicious insider AI?

Security researchers from AppOmni are warning ServiceNow’s Now Assist generative artificial intelligence (GenAI) platform. can be hijacked to turn against the user and other agents.

• Amazon Black Friday deals are live: here are our picks!

ServiceNow’s Now Assist is a platform that offers agent-to-agent collaboration. That means an AI agent can call upon a different AI agent to get certain things done. So, if the “primary” AI agent is malicious, they can instruct the “secondary” agent, with higher privileges, to do harmful things, such as stealing sensitive files or escalating privileges.

You may like

• Gen AI is becoming a major security worry for all firms - here's how your business can stay safe
• “Everybody's under pressure to do more with less” - Why Okta says you need an AI agent governance strategy, and sooner rather than later
• AI "set to supercharge insider threats" - as cybersecurity professionals warn of an impending AI agent onslaught

Second-order prompt injection

For example, a low-privileged “Workflow Triage Agent” receives a malformed customer request that triggers it to generate an internal task asking for a “full context export” of an ongoing case.

The task is automatically passed to a higher-privileged “Data Retrieval Agent”, which interprets the request as legitimate and compiles a package containing sensitive information - names, phone numbers, account identifiers, and internal audit notes - and sends it to an external notification endpoint that the system incorrectly trusts.

Because both agents assume the other is acting legitimately, the data leaves the system without any human ever reviewing or approving the action.

For this to work, though, the Now Assist platform needs to be left in default setup.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

"This discovery is alarming because it isn't a bug in the AI; it's expected behavior as defined by certain default configuration options," said Aaron Costello, chief of SaaS Security Research at AppOmni.

"When agents can discover and recruit each other, a harmless request can quietly turn into an attack, with criminals stealing sensitive data or gaining more access to internal company systems. These settings are easy to overlook."

The vulnerability was dubbed “second-order prompt injection”.

You may like

• Gen AI is becoming a major security worry for all firms - here's how your business can stay safe
• “Everybody's under pressure to do more with less” - Why Okta says you need an AI agent governance strategy, and sooner rather than later
• AI "set to supercharge insider threats" - as cybersecurity professionals warn of an impending AI agent onslaught

While ServiceNow said the system works as intended and it won’t be making any changes, it did update its documentation to state potential risks more clearly, The Hacker News reports.

To mitigate these threats, users are advised to configure supervised execution mode for privileged agents, disable the autonomous override property, segment agent duties by team, and monitor AI agents for suspicious behavior.

The best antivirus for all budgetsOur top picks, based on real-world testing and comparisons

➡️ Read our full guide to the best antivirus1. Best overall:Bitdefender Total Security2. Best for families:Norton 360 with LifeLock3. Best for mobile:McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead FadilpašićSocial Links Navigation

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Logout Read more Gen AI is becoming a major security worry for all firms - here's how your business can stay safe    “Everybody's under pressure to do more with less” - Why Okta says you need an AI agent governance strategy, and sooner rather than later    AI "set to supercharge insider threats" - as cybersecurity professionals warn of an impending AI agent onslaught    Agentic AI: cybersecurity’s friend or foe?    Major AI agents are being spoofed - and it could put your site at risk    Why your SOC's new AI agent might be a malicious actor in disguise    Latest in Security AI agents are fuelling an identity and security crisis for organizations    Salesforce says customer data may be exposed in Gainsight incident - "unusual activity" being probed    Gaming and gambling giant IGT reportedly hit by ransomware - here's what we know    China’s PlushDaemon group uses EdgeStepper implant to infect network devices with SlowStepper malware in global supply-chain attacks    Perplexity's Comet AI browser may have some concerning security flaws which could let hacker hijack your device    WordPress plugin with over a million installs may have a worrying security flaw - here's what we know    Latest in News Second-order prompt injection can turn AI into a malicious insider    Fitbit's new AI tool wants to take the stress out of your next doctor's visit    How to watch The Ashes 2025-26 highlights on BBC iPlayer — it's *FREE*    'Full Screen Experience' is now coming to all Windows 11 handhelds    Apple might not block Google's clever new AirDrop trick for 3 key reasons    Global cloud wars see AWS increasingly under threat from Microsoft and Google    LATEST ARTICLES

1. 1Salesforce says customer data may be exposed in Gainsight incident - "unusual activity" being probed
2. 2Only one VPN is truly equipped for torrenters, and right now it's 75% off
3. 3ChatGPT enters the group chat globally
4. 4Fitbit's new AI tool wants to take the stress out of your next doctor's visit – and I have some serious questions
5. 5Verizon is laying off over 13,000 workers