In the late 1990s, computer viruses crossed a line. They went from a hobbyist curiosity to something every IT department had to plan around — not because the code got dramatically smarter, but because the conditions for spreading it went mainstream all at once. Email on every desk, macros in every document, executables traded without a second thought. The attack surface arrived years before the defenses did, and for a while the attackers simply had the run of the place.
Prompt injection is in that window right now.
The conditions went mainstream
Every organization is suddenly wiring language models into the places its sensitive data already lives — inboxes, ticket queues, documents, codebases, customer chats. Each of those connections turns untrusted input into instructions the model might follow. That's the whole vulnerability, and it's now everywhere, installed faster than anyone is securing it. The same pattern as 1999: capability shipped first, safety second.
The attacks work — even against strong teams
And they're not theoretical. The payload is data exfiltration: a model coaxed into handing back a secret, a record, or a credential it was trusted with. We've measured bare frontier models leaking a protected secret in 39.8% of a structured attack set. Well-resourced teams are not exempt — IBM put the share of organizations reporting a breach of an AI model or application at 13%, 97% of them without proper AI access controls, at an average cost of $4.44M (IBM, 2025). When the surface is new, being well-funded mostly means you have more of it.
What ended the virus era wasn't smarter users or better-worded warnings. It was a protection layer that sat outside the thing being attacked and stayed current — because the threat kept moving. That lesson translates directly, with one correction: the answer to prompt injection isn't signature-scanning text and hoping to recognize an attack. A rephrase defeats that, every time. It's containment — constraining what the model is allowed to emit, in-process, so a successful injection still can't walk your data out the door.
What Bridgekeeper does
Two things, together. We contain: an in-process layer in front of your model that runs DLP on what comes back, so a leak is stopped before it leaves. And we keep it current: a subscription feed that brings the newest attack techniques to your models as fast as we see them in the wild. Last month's coverage is worth less than this month's, because the attackers don't stop — and neither do we.
Protecting your data and your models is the entire job. That's what we do.