OceanAlt
Agent Economy2026-06-254 min read

Prompt Injection, Tested: One Sentence Can Talk Your Procurement Agent Out of Its Budget

When an agent holds real money, every page and every document it reads is an attack surface.

Researchers have repeatedly demonstrated the attack: instructions invisible to humans, planted in product pages, review sections, or PDFs. When a payment-capable agent reads the content, the instructions steer it into wiring funds to an attacker or buying overpriced fake goods.

Why traditional risk controls fail

Traditional payment risk stops people who steal credentials; the agent era must stop persuasion of the machine that legitimately holds them. No key is stolen — the attacker only needs the agent to believe the payment is a reasonable step in its task. The hard part: reading and responding to external content is literally the agent's job. You cannot tell it not to read.

Defenses that currently work

Payee allowlists — the bluntest and most effective gate. Tiered limits — small amounts auto-approve, medium delay, large require a human. Verifiable mandates — AP2-style frameworks let merchants check that a transaction maps to a real authorization. Pre-flight simulation — rehearse the transaction in a sandbox before release.

The one-line takeaway

Design spending permissions as if everything your agent reads is untrusted input — a sentence worth taping to the wall of every risk team wiring agents into procurement.