Analysis

Hidden prompts are steering AI vendor recommendations, study warns

Hidden instructions are already biasing AI vendor picks, and Microsoft said it found 31 companies using them inside “Summarize with AI” buttons.

Avery Liu··2 min read
Published
Listen to this article0:00 min
Hidden prompts are steering AI vendor recommendations, study warns
Source: microsoft.com

Microsoft said on February 10, 2026 that its security researchers had uncovered AI recommendation poisoning, including hidden instructions embedded in “Summarize with AI” buttons, and identified 31 companies using the tactic to bias future AI recommendations. The finding pushed AI search visibility into a harder category than standard optimization: the same systems that surface vendors can also be manipulated from inside the page, the prompt, or the assistant’s memory.

OpenAI, Anthropic and Google have each described the attack class in similar terms. OpenAI says prompt injection is a social engineering attack specific to conversational AI, where a third party misleads the model by inserting malicious instructions into ordinary content such as web pages, documents or emails. Anthropic says browser use makes the risk worse because agents process untrusted content while also taking actions for users. Google describes indirect prompt injections as malicious instructions hidden in external data that an AI model processes, including websites, docs and emails.

AI-generated illustration
AI-generated illustration

The mechanics matter for anyone relying on AI recommendations for discovery. Microsoft tied its recommendation-poisoning warning to URL prompt parameters and persistence commands in assistant memory, a sign that the attack is not limited to a single webpage trick. Google Cloud has separately warned that context poisoning can slowly corrupt an AI’s context over time, and that vector database attacks can succeed by compromising only a few documents in a retrieval-augmented generation database. That makes the trust boundary wider than many marketers have assumed: one hidden instruction, or a small cluster of poisoned documents, can shape what an assistant says about a brand, product or competitor.

The practical risk for publishers and vendors is that recommendation systems now face a black-hat playbook built around stealth rather than brute force. A brand can do everything right on content quality and entity signals, then lose ground to hidden prompts that steer answer engines toward another provider. Microsoft’s finding, OpenAI’s guidance on increasingly capable agents, and Anthropic’s warning about browser-based AI all point to the same shift: visibility is no longer only about being cited, but also about surviving adversarial instructions that try to hijack the citation path itself.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.

Did this article answer your question?

Discussion

More AI Search Visibility Articles