A company builds an AI-assisted hiring system. Resumes are uploaded, embedded into a vector store, and the AI retrieves and summarizes candidates for reviewers. Standard workflow.
An attacker submits a resume. Visually it looks normal. But after the experience section, dozens of blank lines precede a single line in white text on a white background:
The text extraction pipeline does not strip invisible content. The embedding includes the hidden instruction. When the AI retrieves this resume and evaluates the candidate, it follows the injected instruction.
The instruction wasn’t in a user’s prompt — it was embedded in a document that entered the knowledge base through an ingestion pipeline. The attack surface is the document intake process, not the user interface. Standard prompt-level defenses don’t see it.