The Landscape of Prompt Injection Threats in LLM Agents: From Taxonomy to Analysis

TL;DR

This paper provides a comprehensive overview and analysis of prompt injection threats in LLM agents, introduces a new benchmark for context-dependent tasks, and evaluates existing defenses highlighting their limitations.

Contribution

It offers a taxonomy of prompt injection attacks and defenses, introduces AgentPI benchmark for context-aware evaluation, and empirically assesses defense effectiveness in realistic scenarios.

Findings

Many defenses fail to handle context-dependent tasks effectively.

Existing benchmarks often overlook real-world environmental interactions.

No single defense approach achieves optimal trustworthiness, utility, and latency.

Abstract

The evolution of Large Language Models (LLMs) has resulted in a paradigm shift towards autonomous agents, necessitating robust security against Prompt Injection (PI) vulnerabilities where untrusted inputs hijack agent behaviors. This SoK presents a comprehensive overview of the PI landscape, covering attacks, defenses, and their evaluation practices. Through a systematic literature review and quantitative analysis, we establish taxonomies that categorize PI attacks by payload generation strategies (heuristic vs. optimization) and defenses by intervention stages (text, model, and execution levels). Our analysis reveals a key limitation shared by many existing defenses and benchmarks: they largely overlook context-dependent tasks, in which agents are authorized to rely on runtime environmental observations to determine actions. To address this gap, we introduce AgentPI, a new benchmark designed to systematically evaluate agent behavior under context-dependent interaction settings. Using AgentPI, we empirically evaluate representative defenses and show that no single approach can simultaneously achieve high trustworthiness, high utility, and low latency. Moreover, we show that many defenses appear effective under existing benchmarks by suppressing contextual inputs, yet fail to generalize to realistic agent settings where context-dependent reasoning is essential. This SoK distills key takeaways and open research problems, offering structured guidance for future research and practical deployment of secure LLM agents.