{
  "schema_version": "core-reviewed-term-ai-handoff-v2",
  "version": "core-reviewed-term-ai-handoff-v2",
  "compat": {
    "backward_compatible_schema_versions": [
      "core-reviewed-term-ai-handoff-v1"
    ],
    "v1_fields_preserved": true
  },
  "contract_status": "preview",
  "distribution": "per_term_read_only_ai_handoff",
  "no_write_operations": true,
  "content_tier": "db_backed",
  "canonical": {
    "url": "https://core.yogoq.com/en-US/core/prompt-injection",
    "slug": "prompt-injection",
    "locale": "en-US"
  },
  "summary": {
    "schema_version": "core-reviewed-term-summary-v1",
    "term_id": "17b381d6-adba-56f1-a9f3-6fbafb24df93",
    "canonical_slug": "prompt-injection",
    "canonical_url": "https://core.yogoq.com/en-US/core/prompt-injection",
    "locale": "en-US",
    "display_name": "Prompt Injection",
    "english_name": null,
    "abbreviation": null,
    "short_definition": "Prompt injection is an attack or failure pattern where untrusted text tries to override the AI system's intended instructions. It matters most when models read external content, retrieve documents, or use tools.",
    "content_tier": "db_backed",
    "quality": "reviewed",
    "publication_status": "published_reviewed",
    "version": "core-reviewed-term-summary-v1",
    "last_reviewed_at": "2026-07-04T15:30:00.000Z",
    "sources_count": 3,
    "limitations_key": "core-trust-policy-v1-2026-06-22"
  },
  "aliases": [
    {
      "text": "Prompt Injection",
      "type": "display_name",
      "locale": "en-US"
    },
    {
      "text": "プロンプト・インジェクション",
      "type": "katakana",
      "locale": "en-US"
    },
    {
      "text": "Prompt Injection",
      "type": "english_name",
      "locale": "en-US"
    },
    {
      "text": "プロンプトインジェクション",
      "type": "localized_title",
      "locale": "ja-JP"
    }
  ],
  "content": {
    "definition": {
      "key": "definition",
      "title": "一言でいうと",
      "text": "Prompt injection is an attack or failure pattern where untrusted text tries to override the AI system's intended instructions. It matters most when models read external content, retrieve documents, or use tools.",
      "items": []
    },
    "formula": {
      "key": "formula",
      "title": "計算の考え方",
      "text": "Risk is evaluated by exposure to untrusted input, tool permissions, and unconfirmed high-impact actions. Attack exposure | Number of untrusted-input paths | Grows with web, email, and document ingestion Impact | Tool authority x data sensitivity | Measures potential damage Defense pass rate | Blocked or confirmed dangerous cases / test cases | Measures mitigation coverage",
      "items": [
        "Attack exposure | Number of untrusted-input paths | Grows with web, email, and document ingestion",
        "Impact | Tool authority x data sensitivity | Measures potential damage",
        "Defense pass rate | Blocked or confirmed dangerous cases / test cases | Measures mitigation coverage"
      ]
    },
    "boundary": {
      "key": "boundary",
      "title": "含めるもの / 含めないもの",
      "text": "Prompt injection is not just a bad question; it is untrusted content being treated as instruction. Include | Malicious instructions embedded in web pages, emails, PDFs, tickets, or chat | External input risk Exclude | Ordinary mistakes, typos, generic model hallucination | Different failure path Make explicit | Trust boundary, tool permissions, confirmation UI, logs, test cases | Required for defense design",
      "items": [
        "Include | Malicious instructions embedded in web pages, emails, PDFs, tickets, or chat | External input risk",
        "Exclude | Ordinary mistakes, typos, generic model hallucination | Different failure path",
        "Make explicit | Trust boundary, tool permissions, confirmation UI, logs, test cases | Required for defense design"
      ]
    },
    "usage": [
      {
        "key": "meaning",
        "title": "意味",
        "text": "Prompt injection occurs when user input, retrieved documents, web pages, emails, tickets, or other untrusted text contains instructions that attempt to redirect the model away from its intended system or developer instructions. It is difficult to treat as ordinary input validation because language models interpret text as both data and instruction. The risk grows in RAG, browsing, tool use, MCP integrations, and AI agents. Mitigation requires separating trusted instructions from untrusted content, minimizing tool permissions, adding human confirmation for high-impact actions, and logging tool calls and evidence.",
        "items": []
      },
      {
        "key": "usage",
        "title": "役立つ場面",
        "text": "Teams can define trust boundaries before letting RAG or agents read external content. Tool scopes can be split into read-only, draft, execute, and external-send levels. Attack cases can be added to evaluation before launch.",
        "items": [
          "Teams can define trust boundaries before letting RAG or agents read external content.",
          "Tool scopes can be split into read-only, draft, execute, and external-send levels.",
          "Attack cases can be added to evaluation before launch."
        ]
      },
      {
        "key": "usage",
        "title": "使い方のポイント",
        "text": null,
        "items": [
          "Prompt injection is the risk that untrusted content becomes an instruction to the AI.",
          "It is especially important in RAG, browsing, tool use, and agents.",
          "Prompt wording alone cannot fully prevent it.",
          "Least privilege, human confirmation, input separation, logs, and tests are required.",
          "High-impact actions should not execute solely on model judgment."
        ]
      },
      {
        "key": "drivers",
        "title": "何が数字を動かすか",
        "text": "Risk changes with external content, execution authority, permissions, UI, and logs. External input | More external reading means more exposure to adversarial text Tool permissions | Write or send tools increase impact Confirmation UI | Human review can stop dangerous actions Logs | Evidence and tool-call history support incident analysis",
        "items": [
          "External input | More external reading means more exposure to adversarial text",
          "Tool permissions | Write or send tools increase impact",
          "Confirmation UI | Human review can stop dangerous actions",
          "Logs | Evidence and tool-call history support incident analysis"
        ]
      }
    ],
    "misunderstandings": [
      {
        "key": "misunderstandings",
        "title": "判断するときの注意点",
        "text": "Assume external documents may be adversarial. Show users the evidence and action before calling high-impact tools. Do not treat text such as ignore previous instructions as privileged instruction when it comes from untrusted content. Use separate approval layers for secrets, external sending, deletion, purchases, and permission changes.",
        "items": [
          "Show users the evidence and action before calling high-impact tools.",
          "Do not treat text such as ignore previous instructions as privileged instruction when it comes from untrusted content.",
          "Use separate approval layers for secrets, external sending, deletion, purchases, and permission changes."
        ]
      },
      {
        "key": "misunderstandings",
        "title": "よくある誤解 / 落とし穴",
        "text": null,
        "items": [
          "A stronger system prompt is not enough. Permissions and confirmation still matter.",
          "The risk is not only malicious users. Web pages and documents can contain hostile instructions.",
          "Reviewing final output is not enough. Tool calls and data access must be audited."
        ]
      }
    ],
    "examples": [
      {
        "key": "examples",
        "title": "最小例",
        "text": "An AI agent reads web pages for competitor research. One page contains hidden text telling the model to send internal notes outside the company. If the agent has no external-send tool, the attack has little impact; if it has send permission, the risk is high. The team changes the design so external page text is never treated as trusted instruction, send tools can only draft, human confirmation is required before sending, tool-call logs are kept, and attack strings are added to the evaluation set.",
        "items": []
      }
    ],
    "comparisons": [
      {
        "key": "comparisons",
        "title": "似ている言葉との違い",
        "text": "Prompt Injection | Hidden instruction in input redirects AI | External input plus tools Hallucination | Model gives incorrect content | Handled by grounding and evaluation Authorization flaw | User can do what they should not | Handled by access control",
        "items": [
          "Prompt Injection | Hidden instruction in input redirects AI | External input plus tools",
          "Hallucination | Model gives incorrect content | Handled by grounding and evaluation",
          "Authorization flaw | User can do what they should not | Handled by access control"
        ]
      },
      {
        "key": "related_metrics",
        "title": "一緒に見る指標",
        "text": "Prompt injection should be read with AI agents, MCP, and tool use. AI Agent | Reads external information and uses tools | Higher potential impact MCP | Connects tools and resources | Requires scoped exposure and confirmation AI Evaluation | Tests attack cases | Measures mitigation effectiveness",
        "items": [
          "AI Agent | Reads external information and uses tools | Higher potential impact",
          "MCP | Connects tools and resources | Requires scoped exposure and confirmation",
          "AI Evaluation | Tests attack cases | Measures mitigation effectiveness"
        ]
      }
    ],
    "faq": [
      {
        "question": "Can prompt engineering prevent prompt injection?",
        "answer": "It can reduce some cases, but permissions, tool design, confirmation UI, logs, and evaluation are also needed."
      },
      {
        "question": "Does this matter for RAG?",
        "answer": "Yes. Retrieved documents can contain adversarial instructions that the model may follow if controls are weak."
      },
      {
        "question": "What is the first mitigation?",
        "answer": "Separate untrusted input from trusted instructions, minimize tool permissions, and require confirmation for high-impact actions."
      }
    ]
  },
  "source_refs": [
    "concept:prompt-injection:en-US",
    "concept:prompt-injection:ja-JP",
    "core-product-update-ai-term-pack-v1:prompt-injection"
  ],
  "sources": {
    "source_refs": [
      "concept:prompt-injection:en-US",
      "concept:prompt-injection:ja-JP",
      "core-product-update-ai-term-pack-v1:prompt-injection"
    ],
    "visible_sources": [
      {
        "label": "NIST: Generative AI Profile",
        "url": "https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf",
        "kind": "tier_s"
      },
      {
        "label": "NIST: AI RMF",
        "url": "https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf",
        "kind": "tier_s"
      },
      {
        "label": "Model Context Protocol: Tools",
        "url": "https://modelcontextprotocol.io/docs/concepts/tools",
        "kind": "tier_s"
      }
    ]
  },
  "related_terms": [
    {
      "topic_id": "slug:prompt-engineering",
      "canonical_slug": "prompt-engineering",
      "canonical_url": "https://core.yogoq.com/en-US/core/prompt-engineering",
      "title": "Prompt Engineering",
      "relation_type": "prerequisite"
    },
    {
      "topic_id": "slug:ai-agent",
      "canonical_slug": "ai-agent",
      "canonical_url": "https://core.yogoq.com/en-US/core/ai-agent",
      "title": "AI Agent",
      "relation_type": "used_together"
    },
    {
      "topic_id": "slug:model-context-protocol",
      "canonical_slug": "model-context-protocol",
      "canonical_url": "https://core.yogoq.com/en-US/core/model-context-protocol",
      "title": "Model Context Protocol",
      "relation_type": "used_together"
    }
  ],
  "relations": [
    {
      "term_id": "slug:prompt-engineering",
      "canonical_slug": "prompt-engineering",
      "canonical_url": "https://core.yogoq.com/en-US/core/prompt-engineering",
      "display_name": "Prompt Engineering",
      "relation_type": "related",
      "source_relation_type": "prerequisite"
    },
    {
      "term_id": "slug:ai-agent",
      "canonical_slug": "ai-agent",
      "canonical_url": "https://core.yogoq.com/en-US/core/ai-agent",
      "display_name": "AI Agent",
      "relation_type": "related",
      "source_relation_type": "used_together"
    },
    {
      "term_id": "slug:model-context-protocol",
      "canonical_slug": "model-context-protocol",
      "canonical_url": "https://core.yogoq.com/en-US/core/model-context-protocol",
      "display_name": "Model Context Protocol",
      "relation_type": "related",
      "source_relation_type": "used_together"
    }
  ],
  "chunk_ids": [
    "core:chunk:prompt-injection:en-US:definition:a152686e6319af30",
    "core:chunk:prompt-injection:en-US:formula:8d6097f8b5b85118",
    "core:chunk:prompt-injection:en-US:boundary:98cedc42280840c8",
    "core:chunk:prompt-injection:en-US:meaning:b2387eb9d3f30489",
    "core:chunk:prompt-injection:en-US:usage:7d0e9b80cef0536c",
    "core:chunk:prompt-injection:en-US:usage:801bbc3efc88802b",
    "core:chunk:prompt-injection:en-US:drivers:d105c4a5057a0074",
    "core:chunk:prompt-injection:en-US:misunderstandings:56e59d9a977b3528",
    "core:chunk:prompt-injection:en-US:misunderstandings:7775ed7f97f50185",
    "core:chunk:prompt-injection:en-US:examples:573a8d51d1b0cb34",
    "core:chunk:prompt-injection:en-US:comparisons:7d4b420cdf5cc176",
    "core:chunk:prompt-injection:en-US:related_metrics:76e9a78563c6e815",
    "core:chunk:prompt-injection:en-US:faq:4b100c6dd0709bd7",
    "core:chunk:prompt-injection:en-US:faq:5c3ff09190348f95",
    "core:chunk:prompt-injection:en-US:faq:d781c6e486a8d65f"
  ],
  "chunks": [
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:definition:a152686e6319af30",
      "section_key": "definition",
      "heading": "一言でいうと",
      "text": "Prompt injection is an attack or failure pattern where untrusted text tries to override the AI system's intended instructions. It matters most when models read external content, retrieve documents, or use tools.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "a152686e6319af30d2dd1a73e8cf455bacf25f649e44aa123dee70e389b4af27"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:formula:8d6097f8b5b85118",
      "section_key": "formula",
      "heading": "計算の考え方",
      "text": "Risk is evaluated by exposure to untrusted input, tool permissions, and unconfirmed high-impact actions. Attack exposure | Number of untrusted-input paths | Grows with web, email, and document ingestion Impact | Tool authority x data sensitivity | Measures potential damage Defense pass rate | Blocked or confirmed dangerous cases / test cases | Measures mitigation coverage Attack exposure | Number of untrusted-input paths | Grows with web, email, and document ingestion Impact | Tool authority x data sensitivity | Measures potential damage Defense pass rate | Blocked or confirmed dangerous cases / test cases | Measures mitigation coverage",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "8d6097f8b5b851180d0fd443934eff53f855ffb9a8041778d0c7bdfc2b32a0dd"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:boundary:98cedc42280840c8",
      "section_key": "boundary",
      "heading": "含めるもの / 含めないもの",
      "text": "Prompt injection is not just a bad question; it is untrusted content being treated as instruction. Include | Malicious instructions embedded in web pages, emails, PDFs, tickets, or chat | External input risk Exclude | Ordinary mistakes, typos, generic model hallucination | Different failure path Make explicit | Trust boundary, tool permissions, confirmation UI, logs, test cases | Required for defense design Include | Malicious instructions embedded in web pages, emails, PDFs, tickets, or chat | External input risk Exclude | Ordinary mistakes, typos, generic model hallucination | Different failure path Make explicit | Trust boundary, tool permissions, confirmation UI, logs, test cases | Required for defense design",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "98cedc42280840c83cd935d8ae3b752f605ce5ab155ca8e54089d1a702bd46b3"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:meaning:b2387eb9d3f30489",
      "section_key": "meaning",
      "heading": "意味",
      "text": "Prompt injection occurs when user input, retrieved documents, web pages, emails, tickets, or other untrusted text contains instructions that attempt to redirect the model away from its intended system or developer instructions. It is difficult to treat as ordinary input validation because language models interpret text as both data and instruction. The risk grows in RAG, browsing, tool use, MCP integrations, and AI agents. Mitigation requires separating trusted instructions from untrusted content, minimizing tool permissions, adding human confirmation for high-impact actions, and logging tool calls and evidence.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "b2387eb9d3f30489ca5cce3b5214aff3ffeef47eebb2e8a2fc9ca3e5bffa6ed9"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:usage:7d0e9b80cef0536c",
      "section_key": "usage",
      "heading": "役立つ場面",
      "text": "Teams can define trust boundaries before letting RAG or agents read external content. Tool scopes can be split into read-only, draft, execute, and external-send levels. Attack cases can be added to evaluation before launch. Teams can define trust boundaries before letting RAG or agents read external content. Tool scopes can be split into read-only, draft, execute, and external-send levels. Attack cases can be added to evaluation before launch.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "7d0e9b80cef0536cf47b19dde165e35f20751847daf23daf8a4b13811573b543"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:usage:801bbc3efc88802b",
      "section_key": "usage",
      "heading": "使い方のポイント",
      "text": "Prompt injection is the risk that untrusted content becomes an instruction to the AI. It is especially important in RAG, browsing, tool use, and agents. Prompt wording alone cannot fully prevent it. Least privilege, human confirmation, input separation, logs, and tests are required. High-impact actions should not execute solely on model judgment.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "801bbc3efc88802bd88e3e0d02c8bb014834102e2373990ba93f532d415cbb47"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:drivers:d105c4a5057a0074",
      "section_key": "drivers",
      "heading": "何が数字を動かすか",
      "text": "Risk changes with external content, execution authority, permissions, UI, and logs. External input | More external reading means more exposure to adversarial text Tool permissions | Write or send tools increase impact Confirmation UI | Human review can stop dangerous actions Logs | Evidence and tool-call history support incident analysis External input | More external reading means more exposure to adversarial text Tool permissions | Write or send tools increase impact Confirmation UI | Human review can stop dangerous actions Logs | Evidence and tool-call history support incident analysis",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "d105c4a5057a0074e15c905d500f947e0cf22c01828f0f6ede3d89d8db29ba59"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:misunderstandings:56e59d9a977b3528",
      "section_key": "misunderstandings",
      "heading": "判断するときの注意点",
      "text": "Assume external documents may be adversarial. Show users the evidence and action before calling high-impact tools. Do not treat text such as ignore previous instructions as privileged instruction when it comes from untrusted content. Use separate approval layers for secrets, external sending, deletion, purchases, and permission changes. Show users the evidence and action before calling high-impact tools. Do not treat text such as ignore previous instructions as privileged instruction when it comes from untrusted content. Use separate approval layers for secrets, external sending, deletion, purchases, and permission changes.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "56e59d9a977b3528f903e44fa67277e63622063de7d89534de0bc2d9097a15eb"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:misunderstandings:7775ed7f97f50185",
      "section_key": "misunderstandings",
      "heading": "よくある誤解 / 落とし穴",
      "text": "A stronger system prompt is not enough. Permissions and confirmation still matter. The risk is not only malicious users. Web pages and documents can contain hostile instructions. Reviewing final output is not enough. Tool calls and data access must be audited.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "7775ed7f97f501852ccde5ce3831a15576acede395544082a24f45a1ca1f341c"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:examples:573a8d51d1b0cb34",
      "section_key": "examples",
      "heading": "最小例",
      "text": "An AI agent reads web pages for competitor research. One page contains hidden text telling the model to send internal notes outside the company. If the agent has no external-send tool, the attack has little impact; if it has send permission, the risk is high. The team changes the design so external page text is never treated as trusted instruction, send tools can only draft, human confirmation is required before sending, tool-call logs are kept, and attack strings are added to the evaluation set.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "573a8d51d1b0cb3485f33d8fe4f472360736fa3dbdb94a09b6efa6dadfd8abf2"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:comparisons:7d4b420cdf5cc176",
      "section_key": "comparisons",
      "heading": "似ている言葉との違い",
      "text": "Prompt Injection | Hidden instruction in input redirects AI | External input plus tools Hallucination | Model gives incorrect content | Handled by grounding and evaluation Authorization flaw | User can do what they should not | Handled by access control Prompt Injection | Hidden instruction in input redirects AI | External input plus tools Hallucination | Model gives incorrect content | Handled by grounding and evaluation Authorization flaw | User can do what they should not | Handled by access control",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "7d4b420cdf5cc176e4b67e121b87a856ce0522f2465fd40ae393b3ccbf16b3d6"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:related_metrics:76e9a78563c6e815",
      "section_key": "related_metrics",
      "heading": "一緒に見る指標",
      "text": "Prompt injection should be read with AI agents, MCP, and tool use. AI Agent | Reads external information and uses tools | Higher potential impact MCP | Connects tools and resources | Requires scoped exposure and confirmation AI Evaluation | Tests attack cases | Measures mitigation effectiveness AI Agent | Reads external information and uses tools | Higher potential impact MCP | Connects tools and resources | Requires scoped exposure and confirmation AI Evaluation | Tests attack cases | Measures mitigation effectiveness",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "76e9a78563c6e815cbedc34e7cf84255a72550f55eecc2e40d45f121f4d0966c"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:faq:4b100c6dd0709bd7",
      "section_key": "faq",
      "heading": "Can prompt engineering prevent prompt injection?",
      "text": "Can prompt engineering prevent prompt injection? It can reduce some cases, but permissions, tool design, confirmation UI, logs, and evaluation are also needed.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "4b100c6dd0709bd7e00df7835b362da0a4d9218d4ce922a78207755fee419931"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:faq:5c3ff09190348f95",
      "section_key": "faq",
      "heading": "Does this matter for RAG?",
      "text": "Does this matter for RAG? Yes. Retrieved documents can contain adversarial instructions that the model may follow if controls are weak.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "5c3ff09190348f957e43e5276c2472397f0fe835cf89c1ee518a1be1af1fd90c"
    },
    {
      "chunk_id": "core:chunk:prompt-injection:en-US:faq:d781c6e486a8d65f",
      "section_key": "faq",
      "heading": "What is the first mitigation?",
      "text": "What is the first mitigation? Separate untrusted input from trusted instructions, minimize tool permissions, and require confirmation for high-impact actions.",
      "source_refs": [
        "concept:prompt-injection:en-US",
        "concept:prompt-injection:ja-JP",
        "core-product-update-ai-term-pack-v1:prompt-injection"
      ],
      "content_hash": "d781c6e486a8d65fd2b9150d91bf26ccbe77882d79c4a9e249781d749d00addc"
    }
  ],
  "content_hash": "cd2b2f0fdb97ea9077083f33bcc325ea7950b351be79fd146b459b90a11fd86c",
  "hash_algorithm": "sha256",
  "rag": {
    "chunk_id_policy": "core:chunk:{canonical_slug}:{locale}:{section_key}:{sha256_16}",
    "content_hash_policy": "sha256_stable_json",
    "source_refs_precision": "source_object_ref_or_source_key_current_snapshot"
  },
  "quality": {
    "content_tier": "db_backed",
    "quality": "reviewed",
    "publication_status": "published_reviewed",
    "source_count": 3,
    "last_reviewed_at": "2026-07-04T15:30:00.000Z",
    "trust_policy_version": "core-trust-policy-v1-2026-06-22"
  },
  "limitations": {
    "policy_version": "core-trust-policy-v1-2026-06-22",
    "professional_advice_boundary": "reference_only_not_professional_advice",
    "text": "This page is reference information for research and learning. For accounting, legal, finance, health, security, or other individual decisions, confirm against primary sources or qualified professionals.",
    "items": [
      "Public pages support general understanding and practical context; they are not professional advice for individual cases.",
      "Fast-changing information such as regulations, accounting standards, prices, product specs, and legal requirements should be checked against primary sources before final decisions.",
      "Even when AI-assisted drafting or audit is used, publication relies on quality gates and human-readable evidence."
    ]
  }
}
