Prompt injection (HR and recruiting tools)
A security attack where malicious instructions embedded in candidate-controlled content (such as a resume or profile) hijack an AI tool's behaviour, causing it to ignore its original task and follow the attacker's instructions instead.
Michal Juhas · Last reviewed June 8, 2026
What is prompt injection in HR and recruiting tools?
Prompt injection is a security attack where an attacker hides instructions inside content they control, such as a resume or profile page, to manipulate an AI tool into doing something other than its intended task. In recruiting, this means a candidate or bad actor could secretly instruct an AI screener to ignore its rules and output whatever the attacker wants.
In practice
- A researcher submitted a resume with white-on-white text instructing an AI screener to classify the candidate as highly qualified. The tool summarised the candidate favourably regardless of their actual experience, and the human reviewer who read only the AI summary did not see the injected text.
- An AI browser agent tasked with summarising candidates from personal portfolio sites encountered an injected instruction on one candidate's page telling it to skip the full summary and recommend an interview. The recruiter noticed the summary was unusually short and investigated.
- A TA leader might say "we turned off automatic advance" after reading about injection research, meaning the team now requires a human to read the source document before any AI summary triggers a stage change.
Quick read, then how hiring teams use it
This is for TA leaders, TA ops specialists, and anyone deploying AI tools that process candidate-submitted content. Skim the first section for shared vocabulary. Use the second when auditing or designing your AI screening setup.
Plain-language summary
- What it means for you: Hidden text in a resume or profile can trick an AI tool into ignoring its actual job and following the attacker's instructions instead. The human reviewer sees only the AI output, not the hidden manipulation.
- How you would use it: Knowing this risk exists helps you design a safer process: always have a human read the source document alongside the AI summary, especially before any candidate advances or is rejected.
- How to get started: Ask your AI vendor how they isolate candidate content from system instructions. If they mix both in a single prompt without sanitisation, ask what they do to prevent injected instructions from being followed.
- When it is a good time to act: Before you deploy any AI tool that automatically advances or rejects candidates based on document processing, without a human reading the original source document.
When you are running live reqs and tools
- What it means for you: Any AI tool that processes candidate documents and outputs a decision or recommendation without human review of the source document is exposed. The attack requires only that the candidate control the text the AI reads.
- When it is a good time: To audit injection risk: before deploying a new AI screening tool, when adding AI browser agents recruiting to your sourcing workflow, and annually as part of your AI tool security review.
- How to use it: Build a human review gate between any AI document summary and any stage-advance decision. Log the raw content the AI processed alongside its output. Test your tools periodically by submitting a document with a benign, clearly visible injection instruction and check whether the AI output changes.
- How to get started: Map every point in your workflow where candidate-submitted text enters an AI system. For each point, confirm whether a human reviews the source document before acting on the AI output. That map shows your injection exposure.
- What to watch for: AI summaries that are unusually positive relative to the actual resume content. Summaries that are unexpectedly short or missing information that is clearly in the source document. Stage advances that the recruiting team cannot explain from the original materials.
Where we talk about this
On AI with Michal sessions, prompt injection comes up in the sourcing automation and AI in recruiting tracks when discussing AI tool security, model guardrails, and how human-in-the-loop gates protect against model manipulation. See /workshops for the next live session.
Around the web (opinions and rabbit holes)
Third-party creators move fast. Treat these as starting points, not endorsements. Do not copy any injection technique for use against real hiring systems.
YouTube
- Search "prompt injection attack" for security researcher explanations of the technique; the AI safety and red-teaming community on YouTube covers this in depth.
- Simon Willison's recorded talks on LLM security (searchable on YouTube) are among the clearest practitioner-level explanations of how injection attacks work and why they are hard to fully prevent.
- r/netsec and r/MachineLearning have technical threads on prompt injection research worth reading if you want to understand the attack surface in depth.
- r/recruiting is beginning to discuss AI resume manipulation; search those terms for early practitioner awareness threads.
Quora
- What is prompt injection? has general explanations that translate well to the HR context for non-technical readers.
Direct versus indirect prompt injection
| Type | Attack vector | Example in recruiting |
|---|---|---|
| Direct | Text submitted by candidate | Hidden instructions in a resume or cover letter |
| Indirect | Content fetched by the AI | Instructions embedded in a candidate's website |
Related on this site
- Glossary: Model guardrails, Human-in-the-loop, AI browser agents recruiting, ATS interview feedback AI, Hallucination
- Guides: Sourcers
- Live cohort: Workshops
- Membership: Become a member
Frequently asked questions
How does prompt injection actually happen in a recruiting workflow?
Most recruiting AI tools work by feeding candidate content (resume text, LinkedIn profile, cover letter) into a prompt that also contains system instructions. An attacker embeds additional instructions in white text on a white background or in metadata that the AI reads but a human reviewer does not see. The AI processes both the system instructions and the hidden text as part of the same input, and may follow the injected instructions if they are phrased convincingly. In practice, this could look like a resume that secretly instructs the AI to mark the candidate as highly qualified, skip them past a screen, or output a different summary than the actual content warrants. The human reviewer sees only the AI output, not the raw injected text.
What is the difference between direct and indirect prompt injection?
Direct injection happens when the attacker controls text that goes directly into the prompt, such as a submitted cover letter or a typed answer in an application form. Indirect injection happens when the AI tool browses or fetches external content as part of its workflow. For example, an AI sourcing tool that visits a candidate's personal website might encounter injected instructions on that page, which then influence how the tool summarises the profile. AI browser agents recruiting that navigate candidate profiles across multiple sites are particularly exposed to indirect injection because each external page is a potential attack surface. The key difference is that indirect injection attacks the pipeline through data the AI fetches, not data the candidate submits directly.
How should TA teams protect against prompt injection in their AI tools?
No single defence blocks all injection. A layered approach helps: treat all candidate-submitted content as untrusted input, use system prompts that instruct the model to ignore instructions found in candidate content, always include a human review gate before any AI-driven screening or advancement decision, and log what candidate content was fed to the model for audit purposes. Prefer AI tools that run candidate content in a sandboxed context separate from system instructions rather than mixing them in a single prompt. At a process level, the strongest defence is a human who reads the original document alongside the AI summary rather than trusting the summary alone. Train sourcers to spot anomalies: a resume that outputs an unusually positive summary that does not match the actual experience is a red flag worth investigating.
Has prompt injection in recruiting actually happened?
Researchers demonstrated in 2023 that resumes containing hidden instructions could manipulate AI screening summaries on commercial recruiting platforms. A notable experiment by researcher Kai Greshake showed that embedding invisible text instructions in a resume caused an AI screening assistant to recommend the candidate for advancement regardless of actual qualifications. Several bug bounty submissions to HR tech vendors have documented similar issues. Publicly disclosed incidents in production hiring systems are rare, partly because it is difficult for a rejected candidate to prove the attack, and partly because vendors are not incentivised to disclose. The attack surface is real, the technique is publicly documented, and any team using AI to summarise or screen candidate documents should treat it as a known risk, not a theoretical one.
Which AI tools in recruiting are most exposed to prompt injection?
Any tool that processes candidate-submitted text and uses it inside the same prompt as system instructions is at risk. This includes AI resume screeners that summarise or score CVs, AI sourcing assistants that visit and summarise external profiles, ATS interview feedback AI tools that incorporate candidate answers into structured notes, and AI browser agents recruiting that crawl job boards or candidate websites. Tools with a human review gate before any decision fires are more resilient because the injection has to fool both the model and a human reviewer simultaneously. Tools that automate a screen or advance without human review are the highest-risk configurations from a prompt injection standpoint.