PRODUCTS OVERVIEW
ShadowPlex Advanced Threat Defense
Deception for early detection of cyber threats with precision and speed
ShadowPlex Identity Protection
Visibility of identity attack surface and comprehensive detection of identity threats
cloud secuirty icon acalvio
ShadowPlex Cloud Security
Multi-cloud Security Built on Enterprise-scale honeytokens
ShadowPlex Targeted Threat Intel
Targeted Threat Intel Providing Preemptive Cyber Security
360 Deception
Next-generation cyber deception that disrupts and denies agentic and AI-assisted attacks
Agentic AI
Runtime protection for agentic AI systems and workflows
ShadowPlex Preemptive Cybersecurity Platform
Comprehensive and Award-winning Distributed Deception Platform
What is Preemptive Cybersecurity?
Preemptive Cybersecurity detects and diverts attacks.
SOLUTIONS OVERVIEW
Technology
acalvio active defense icon
Active Defense
Active Directory Protection
Agentic AI
Agentic AI Security
Cloud Detection and Response (CDR)
Early Threat Detection
Honeytokens for CrowdStrike
Identity Threat Detection & Response
Insider Threats
OT Security
Ransomware
Red Teaming
Incident Response and Operations Hub
Threat Hunting
Zero Trust
SOLUTIONS OVERVIEW
Industry
Healthcare
Financial Services
Public Sector
KEY RESOURCES
Blog
Events
Cyber Deception Glossary
How-tos & Guides
Competitive Intelligence
RESOURCES OVERVIEW
Analyst Reports
Case Studies
Data Sheets
E-Books
Solution Briefs
Webinars
Whitepapers
How-tos & Guides
COMPANY OVERVIEW
About Acalvio
Leadership
Investors
Press Center
In The News
Why Preemptive Cybersecurity
Contact
PARTNERS OVERVIEW
Strategic Partners
Technology Integrations
Partner Program
Become a Partner
PREEMPTIVE SECURITY OVERVIEW
Agentic AI
Agentic AI Security
Competitive Intelligence
Competitive Intelligence
Deception and Active Defense
Deception and Active Defense
Incident Response and Operations
Incident Response and Operations
Threat Actors and AI Attack Techniques
Threat Actors and AI Attack Techniques
Cloud and Application Security
Cloud and Application Security
Cyber Resilience and Zero Trust
Cyber Resilience and Zero Trust
Identity and Access Protection
Identity and Access Protection
Network and Endpoint Defense
Network and Endpoint Defense
Blog Cyber Deception The Ghost in Your AI Stack
Ram Varadarajan
|
May 5, 2026

The Ghost in Your AI Stack

GrafanaGhost made the rounds this month, and the headlines did what headlines do. Silent. Zero-click. Autonomous. The reality is more nuanced, and the nuance is where the real story lives.

Noma Labs disclosed an indirect prompt injection vulnerability in Grafana’s AI assistant. By planting a malicious instruction inside a log entry the assistant later processed, an attacker could coax the system into rendering an external image and exfiltrating sensitive data along the way. Grafana Labs patched it quickly and pushed back on parts of the framing, noting that the exploit required a user to instruct the assistant to act on the planted content, even after warnings. They are right about that. And they are also right that this is not how most enterprise teams are thinking about AI risk today.

That gap is the story.

The assumption with a short shelf life

Almost every AI security model in the field today rests on a quiet assumption: there is a human in the loop who will catch the bad instruction before it executes. The assistant suggests, the user approves, the action runs. Guardrails are designed around that pattern. Threat models are written around that pattern. SOC playbooks are scoped around that pattern.

The pattern is dissolving. Agentic features are landing in observability platforms, ITSM tools, code editors, sales platforms, and analytics layers at a pace that is hard to overstate. Each of these integrations expands the set of inputs the model treats as trustworthy context. Logs, tickets, dashboards, documents, customer records. None of those sources were designed with the assumption that an attacker could plant an instruction inside them and have it executed by a privileged system component.

GrafanaGhost is not interesting because it was a perfect zero-click exploit. It is interesting because it is a clean illustration of a class of attack that does not need to be perfect to work. It needs to be patient.

Why the timeline collapses

Phil Venables wrote earlier this year that defenders need to retool everything for speed, because the gap between adversary capability and defender response is widening structurally, not tactically. Indirect prompt injection is the cleanest example I have seen of why he is right.

Consider the attacker’s economics. Planting a malicious instruction inside a log, a ticket comment, a shared document, or a CRM note costs almost nothing. The instruction can sit dormant for weeks. It does not trip endpoint controls. It does not generate suspicious network traffic. It does not look like an attack until the moment a model decides to act on it, and at that moment, the action is happening from inside a trusted process with the user’s privileges.

Detection-based controls were built for adversary timelines measured in days and weeks. The new timeline is measured in tokens.

What this means for the AI control plane

Three things change when you take this category seriously.

First, the data plane becomes the attack plane. The places where AI assistants ingest context, logs, tickets, documents, telemetry, are now part of your attack surface in a way they were not before. They need to be instrumented like attack surfaces, not treated like passive storage.

Second, the user-in-the-loop assumption needs an honest audit. Where is it actually true today? Where is it eroding because the model is being given more autonomy? Where will it be gone in twelve months because product teams are racing to ship agentic features? The answer to those questions changes which controls actually matter.

Third, you need signal that fires before the model acts on a bad instruction, not after. By the time exfiltration is observable in network logs, the timeline is already lost. The earliest reliable signal in this class of attack is interaction with content that should not be interacted with by anyone, ever. That is the territory deception was built for, and it is the reason we have been pushing the frame from active defense to preemptive cybersecurity.

What to do Monday morning

You do not need to wait for the next named CVE to start working on this. Three concrete steps that pay back inside a quarter:

Map the AI integration footprint across your environment. Most security teams underestimate it by half. Every assistant, every copilot, every agent, every model-driven workflow. Know what they read, what they write, and whose privileges they inherit.

Audit the trust boundary on every input source those systems consume. Logs, tickets, documents, telemetry, customer records. Ask the uncomfortable question: if an attacker planted an instruction here, what would happen?

Place high-fidelity tripwires inside the data plane the AI systems read from. The goal is not to detect the model misbehaving. The goal is to detect the moment an attacker is staging the instruction that will eventually misbehave on their behalf.

A closing thought

GrafanaGhost will be replaced by another named exploit in another platform within months. The category will not. The teams that take it seriously now, while it is still cheap to instrument, will be the ones who do not have to explain to their board next year why their AI assistant exfiltrated production data through an image render.

If your AI integrations are running ahead of your detection model, that is a conversation worth having. We are talking with security leaders every week about how to get ahead of this curve before it gets ahead of them. If you want to compare notes, find me.

Content
The assumption with a short shelf life
Why the timeline collapses
What this means for the AI control plane
What to do Monday morning
A closing thought
Definitive Guide to Identity Protection
Get the Ebook
Gartner names Acalvio Tech Innovator
Learn More
Selecting a Deception Platform
Learn More
Acalvio, the Ultimate Preemptive Cybersecurity Solution.
Schedule a Demo

Sign Up for Our Newsletter

Thank you for subscribing! We'll keep you updated with our latest insights.

Acalvio is the leader in autonomous cyber deception technologies, arming enterprises against sophisticated cyber threats including APTs, insider threats and ransomware. Its AI-powered Active Defense Platform, backed by 25 patents, enables advanced threat defense across IT, OT, and Cloud environments. Additionally, the Identity Threat Detection and Response (ITDR) solutions with Honeytokens enable Zero Trust security models. Based in Silicon Valley, Acalvio serves midsize to Fortune 500 companies and government agencies, offering flexible deployment from Cloud, on-premises, or through managed service providers.
© Acalvio Technologies, Inc. All rights reserved.