Three Controls To Curb Shadow AI, Impact of Indirect Prompt Injection, And Why Security Teams Need AI-Specific Governance 

In this Expert Insights interview, Diana Kelley, CISO at Noma Security, detailed the evolving risks enterprises face with generative AI and how indirect prompt injection can poison responses, triggering damaging actions.

Kelley brings decades of cybersecurity leadership from senior roles at Microsoft, IBM, and Symantec. She has advised NATO, Fortune 50 enterprises, and global boards, while shaping strategy through positions with RSAC, OWASP, WiCyS, and the Executive Women’s Forum, driving innovation and inclusion in security.

She stressed the need for shared accountability across data science, security, and legal teams. And detailed why security teams need AI-specific governance built into the lifecycle.

We learned why, in generative AI, the pipeline must be treated like critical infrastructure and the early warning signals, such as outlier responses that indicate adversarial probing. 

Read on to know the three controls to make a difference in curbing shadow AI before it scales.

Vishwa: You’ve spoken about prompt injection risks. What is the most overlooked way that a malformed AI prompt can cause damage inside an enterprise environment?

Diana: A malformed AI prompt is like a misplaced comma in a legal contract; one simple error could lead to thousands of revenue lost to unnecessary refunds. In GenAI, the most overlooked way a malformed prompt can cause harm is indirect prompt injection, where attacker‑controlled text sneaks into operational pipelines and unexpectedly influences model behavior. 

These indirect attack vectors can turn benign documents into vehicles for covert attack instructions, poisoning responses, or sensitive data extractors. Research has shown that indirect prompt injection can be weaponized through data feeds or retrieval-augmented generation (RAG) systems. 

In practice, that could mean an attacker slipping malicious edits into a datastore, for instance, changing a company mission statement to “BigPharma is committed to making all of our customers sick.” 

If an LLM then generates a press release and external relations assumes the mission text is accurate, the result could be public blowback and reputational damage. Indirect prompt injection can also trigger damaging actions. 

Imagine an attacker sends an email that looks routine but includes hidden instructions like “delete the customer database.” An AI-powered email manager, trained to parse and execute natural-language requests, interprets that as a valid command. 

If the recipient has production-level privileges, the system could follow through, wiping critical records and disrupting operations. 

Vishwa: Many organizations deploy generative AI without security oversight. What specific controls do you see as essential to stop shadow AI before it scales?

Diana: Shadow AI spreads when employees adopt outside of official channels, and in the case of GenAI, this adoption is happening from the top down, at a pace we've not seen before in enterprise tech, well before many organizations even have robust AI adoption channels or guardrails.

Three specific controls can make a big difference in curbing shadow AI before it scales:

• First, offer sanctioned, trustworthy AI tools that meet both business and security needs. When employees have access to reliable enterprise-grade options, they’re far less likely to turn to questionable consumer apps. 
• Second, provide clear policy and training so users understand the risks of AI misuse and know exactly how to apply it responsibly, with written guidance they can reference. 
• Finally, enforce observability and guardrails by deploying discovery and monitoring tools that reveal how and where AI is being used across the organization. 

The goal isn’t to block innovation, but to shine a light on it so it can be governed responsibly.

Vishwa: In terms of data governance, how should security teams validate training data integrity when so much data is ingested from uncontrolled sources?

Diana: Data governance for AI is fundamentally different from classic enterprise data management because the data isn’t just stored; it becomes the behavior of the model. 

Security teams need AI-specific governance built into the lifecycle: 

• Validation gates to verify source integrity and lineage before ingestion, 
• Continuous checksums and baselines to catch drift or poisoning during training, and 
• Adversarial red-teaming to see how models respond when fed manipulated inputs. 

In generative AI, especially, where vast, uncontrolled sources are often ingested, the pipeline must be treated like critical infrastructure, fully documented, versioned, and monitored, so every dataset is accounted for and no hidden injection reshapes the model’s outputs.

Vishwa: Adversaries are adapting faster than regulations. What early signals do you look for that reveal when attackers are exploiting AI systems in novel ways?

Diana: Adversaries depend on rapid advances in their TTPs, or tools, techniques, and procedures, to evade detection, which makes staying ahead of them extremely difficult. 

Still, there are early signals that can serve as canaries in the coal mine. 

A sudden mismatch between query volume and novelty, such as a spike in unusual or never-before-seen prompts, may indicate injection probing. Subtle shifts in model responses, where outputs begin skewing toward outliers or morphing in unexpected ways, can be a sign of manipulation or prompt steering designed to bypass guardrails. 

In retrieval augmented generation systems, creeping outliers such as unexpected data surfacing in responses, especially when it is sourced from external sources, may point to a compromised datastore. 

And when models return misaligned responses that benefit adversaries, for example, by generating fake financial data, leaking internal system names, or recommending malicious links, it can reveal targeted data poisoning or adversarial prompting.

These are a few early canary signals. The most important thing companies can do is monitor their AI systems at runtime and alert on any drift toward policy violations or other misalignment. 

Vishwa: Cross-functional collaboration is often cited but rarely achieved as planned. What measurable practices actually help align data scientists, engineers, and CISOs in AI governance?

Diana: Cross-functional collaboration around AI governance rarely fails for lack of tools; it often fails because the people using the tools don’t share the same process or goals. 

Alignment comes when data scientists, engineers, business leaders, legal counsel, privacy, and security work from a common playbook and can see how their roles intersect across the AI lifecycle. 

That means agreeing on a shared set of metrics and goals and understanding accountability. 

Answer questions like: 

• Who owns data quality checks? 
• Who signs off on model deployment? 
• Who monitors for drift in production? 
• What constitutes misalignment of the model or system? 

Upfront and document those responsibilities in a way everyone can measure. It also means creating visible checkpoints, like a “go/no-go” review before a model moves into production, where the business, legal, privacy, security, engineering, and data science teams each have a real say. 

Finally, trust grows when success is shared: security leaders valuing system reliability as much as risk reduction, and data scientists recognizing that model performance includes safety and compliance. 

When people see their success reflected in joint outcomes rather than siloed metrics, collaboration becomes an operational reality.

Vishwa: AI monitoring is often retroactive. What methods can shift detection to proactive and continuous oversight without creating alert fatigue?

Diana: Carefully tuning the monitoring alerts and repressing false positives is key to avoiding alert fatigue. It starts with structured logging and analytics that feed dashboards capable of spotting trends, patterns, and anomalies with clear scoring to prioritize what matters. 

Models should also be stress-tested through continuous red-teaming and adversarial prompting in staging environments, so weaknesses are uncovered before launch rather than in production. Over time, behavior baselining helps define what “normal” looks like, allowing teams to distinguish genuine risks from harmless fluctuations. 

Finally, sampling and focused alerting ensure that only situations crossing meaningful risk thresholds are surfaced, reducing noise and preventing alert fatigue while keeping critical issues visible.

Vishwa: Considering the threat of AI-powered phishing campaigns, what cybersecurity tools would you recommend for both newcomers and expert practitioners to defend effectively?

Diana: For organizations just starting to prepare for AI-powered phishing prevention, the basics still matter. Many security awareness training platforms now use AI-generated phishing simulations to train employees against increasingly realistic lures, including deepfake audio or video. 

On the prevention side, secure email gateways and cloud-native filters can identify and block sophisticated phishing emails, including those generated using AI, before they reach inboxes. Pairing these with multi-factor authentication (MFA) and a password manager helps limit the damage even if someone does fall for a convincing message. 

These are the foundational defenses that most companies can implement quickly.

For more mature teams, the focus should shift to anticipating and simulating advanced attack methods. This means adopting tools that allow organizations to run realistic red-team phishing campaigns that mimic AI-driven social engineering across email, chat, and even voice channels. 

Threat intelligence platforms can monitor criminal forums and dark web marketplaces for signs of new phishing kits or campaigns targeting your sector. Combined with internal analytics and SOC processes, these solutions provide early warning and a chance to tune defenses before attackers exploit the latest AI-enabled tactics.