Until early 2026, if you were a security procurement team asking “what enterprise product defends against prompt injection?”, you had no meaningful answer. Then three months changed everything: Google Workspace mitigation shipped April 2, Unit 42 Frontier AI Defence launched April 21, and Microsoft Entra prompt injection protection followed April 27 — three enterprise platforms in a seven-week window. This article covers what each platform actually does, where each one stops, and what remains unprotected without additional controls. For broader threat context, see the 2026 production injection threat landscape these products respond to.
Why Did Enterprise Prompt Injection Defence Products Take Until 2026 to Arrive?
Before 2026, prompt injection was treated as a developer’s problem. You were expected to harden your own prompts, not buy a product for it. The OWASP LLM Top 10 had ranked prompt injection (LLM01) at number one for two consecutive editions, but vendor timelines lagged attacker timelines by years.
What changed was the agent deployment wave. When AI systems gained the ability to take irreversible actions — sending email, deleting records, executing code — injection stopped being a data leakage nuisance and became an infrastructure risk. Unit 42 documented real-world cases of attackers entering environments and immediately querying internal LLMs for reconnaissance data.
The governance context makes it worse: 80% of Fortune 500 organisations now deploy active AI agents, but only 10% have a clear strategy to govern them. Products arrived into that governance vacuum, which shapes what they can realistically enforce.
Microsoft Entra Prompt Injection Protection and Prompt Shields — What Each Actually Does
Microsoft shipped two distinct prompt injection tools that people routinely mix up.
Microsoft Entra prompt injection protection works at the network and identity layers via the Entra AI Gateway. It enforces universal network-level policies — blocking adversarial prompts and jailbreak attempts before they reach AI models, across any device or browser. It ships with built-in detection profiles for all major LLM providers.
Microsoft Prompt Shields is a separate product — Azure AI Content Safety — that scans inputs and outputs for injection payloads. It’s an API-based content safety service, closer to an inline filter than an identity control. Both products benefit from spotlighting, Microsoft’s technique for marking trusted system instructions as distinct from untrusted retrieved content before the model sees them — more on that below.
Entra Agent ID is a third distinct layer: it gives AI agents a cryptographic identity in the Entra directory, so the same authorisation policies you apply to human users apply to agents too. It’s one of four hyperscaler agent identity frameworks now on the market, alongside AAuth (Google), Google Agent Identity, and AWS AgentCore.
What Google Workspace and Unit 42 Frontier AI Defence Actually Cover
Google Workspace is best understood as a continuous mitigation effort rather than a single product launch. Google’s April 2026 publication described a layered defence for Gemini in Workspace: content classifiers that filter documents and emails containing malicious instructions; security thought reinforcement reminding the LLM to disregard adversarial content; and markdown sanitisation plus suspicious URL redaction to prevent data exfiltration. The GeminiJack attack — hidden commands in Google Docs or Calendar invites causing Gemini’s RAG pipeline to exfiltrate data via image tags — is exactly what this mitigation is designed to stop.
One editorial note: the precise coverage scope of the April 2 mitigation is not fully documented in available primary sources. If you’re relying on Google Workspace as a primary control, get direct vendor documentation before you make your procurement decision.
Unit 42 Frontier AI Defence launched April 21, converting Palo Alto’s in-the-wild IPI research directly into a commercial product. It monitors agent traffic and tool calls for injection signatures at the platform and network layer. Two partnerships provide model-level telemetry: Anthropic’s Project Glasswing and OpenAI’s Trusted Access for Cyber.
The Commercial Detection Layer — Lakera, LLM Guard, and NeMo Guardrails
The enterprise platform launches address injection at the platform, network, and identity layers. There’s a separate detection layer that operates at the application level — deployed in the code that calls the LLM rather than as a standalone enterprise product.
Lakera Guard (acquired by Check Point in 2025) is the commercial benchmark: 98%+ accuracy, sub-50ms latency, 100+ language coverage, API-based. LLM Guard (open-source, from Protect AI) provides 15 input scanners including a dedicated PromptInjection scanner — self-hosted, so the cost is infrastructure rather than licence fees.
NVIDIA NeMo Guardrails takes a different approach entirely. Rather than detecting injection payloads, it implements safety policies in Colang — a domain-specific language that specifies what the model should and should not do. That is runtime policy enforcement, not payload detection. Lakera and LLM Guard detect and block injection attempts; NeMo Guardrails constrains what the model can be instructed to do regardless of injection. They’re complementary layers, not substitutes.
Three pre-deployment testing tools also come up in procurement conversations: Garak (NVIDIA; 37+ probe modules), Promptfoo (157 plugins mapped to OWASP LLM Top 10), and PyRIT (Microsoft; crescendo attacks; Tree of Attacks with Pruning). These find vulnerabilities before deployment. They are not runtime protection.
Spotlighting and Instruction Hierarchy — The Techniques Behind the Products
Spotlighting addresses the core problem that makes prompt injection possible: LLMs process developer instructions and retrieved content in the same context window without any cryptographic separation.
The mechanism marks trusted content (system instructions) and untrusted content (retrieved documents, user input) with explicit delimiters, so the model can apply different levels of trust to different parts of its context. Instruction hierarchy extends this structurally: system instructions are positioned above retrieved content at context assembly time, reducing the weight adversarial instructions can carry.
Both are patterns you can implement without buying anything — one of the few concrete, cost-free mitigation layers available regardless of which enterprise product you choose.
The limitations are real, though. Spotlighting is not cryptographically enforced. Sophisticated payloads, multi-turn crescendo attacks, and tool output injections can all bypass it. Researchers demonstrate bypasses within weeks of new guardrails being deployed — the asymmetry favours attackers, who need only find one technique that works.
What None of These Products Covers on Its Own
No Q1–Q2 2026 enterprise product — individually or combined — provides complete prompt injection defence. The gaps between layers remain exploitable. Here’s where you’re still exposed.
Tool output injection is the leading gap. All four enterprise platforms focus primarily on document and user-input injection. When an agent calls an external API and the response contains adversarial instructions, that output is processed in a more trusted context than direct user input. Digital Applied‘s 2026 taxonomy identifies tool output injection as the fastest-growing attack class — 9 of 10 attack classes arrive through trusted channels, not direct input.
Human-in-the-loop (HITL) controls are absent from every enterprise product in this cohort. Requiring human approval before an agent takes an irreversible action is the most reliable defence against injection-driven agent misuse. It’s a process control, not a product feature, and you have to build it at the application level.
Multi-turn crescendo attacks evade per-message detection. When each individual message is benign but injection emerges from accumulated context, products evaluating messages in isolation provide limited protection.
The agent governance gap is structural. Products can only enforce policies that exist. Where no policy defines what an agent is authorised to do, there is nothing to enforce.
The upshot: map products to specific layers within a known architecture and don’t rely on any single product as a complete solution. For what happens when injection succeeds against an agent with excessive permissions, see what unblocked injection enables — from data leakage to remote code execution. For the quantified residual exposure even defended systems carry, see why even defended systems retain significant exposure. This series is part of our coverage of the 2026 production injection threat landscape these products respond to.
FAQ
Is Microsoft Prompt Shields the same as Entra prompt injection protection? No. Prompt Shields is Azure AI Content Safety — input/output scanning for injection payloads. Entra prompt injection protection is a network-level policy layer blocking prompts before they reach AI models. Entra Agent ID is a third distinct layer governing agent identity. All three operate at different layers.
What did Unit 42 Frontier AI Defence launch with in April 2026? AI-specific attack surface assessment and detection of IPI techniques from Palo Alto’s in-the-wild research, with model-level telemetry from Anthropic (Project Glasswing) and OpenAI (Trusted Access for Cyber) partnerships. It operates at the platform/network inspection layer, not inside models.
What does Google Workspace’s April 2026 mitigation actually protect? Content classifier filtering for malicious instructions in emails and documents; security thought reinforcement; markdown sanitisation; suspicious URL redaction. The precise coverage boundary is not fully documented publicly — get direct vendor documentation before making procurement decisions.
What is Lakera Guard and how does it compare to LLM Guard? Lakera Guard (Check Point, 2025 acquisition): commercial API, 98%+ accuracy, sub-50ms latency, 100+ languages. LLM Guard (Protect AI): open-source, 15 input scanners, self-hosted. Your choice depends on whether you want a commercial SLA or self-hosted cost control.
Does spotlighting actually prevent prompt injection? Spotlighting reduces injection success rates by marking trusted vs. untrusted content for the model. It is probabilistic, not cryptographically enforced — researchers demonstrate bypasses regularly. Multi-turn attacks and tool output injections can get around it.
What is the agent governance gap? 80% of Fortune 500 deploy AI agents; only 10% have a clear governance strategy. Defence products enforce policies — where no policy exists, nothing can be enforced. An agent with excessive permissions and no documented scope gives you no basis for detecting violations.
Why isn’t HITL covered by current enterprise products? Human-in-the-loop is a process control requiring human approval before irreversible agent actions. None of the Q1–Q2 2026 enterprise products includes built-in HITL gates — it requires architectural decisions at the application level.
How does Entra Agent ID fit into enterprise AI security architecture? It gives AI agents a cryptographic first-class identity in the Entra directory, subject to the same authorisation policies as human users. It’s one of four hyperscaler agent identity frameworks alongside AAuth (Google), Google Agent Identity, and AWS AgentCore.
What is NeMo Guardrails and how is it different from Lakera? NeMo Guardrails defines behavioural boundaries via Colang policy — what the model is permitted to do. Lakera detects injection attempts. They operate at different layers and can be combined.
What pre-deployment testing tools cover prompt injection? Garak (NVIDIA; 37+ probe modules), Promptfoo (157 plugins; OWASP LLM Top 10 mapped), and PyRIT (Microsoft; crescendo and Tree of Attacks with Pruning). These are testing tools — not runtime protection.
What is a defence-in-depth architecture for an LLM application? Multiple independent control layers: input sanitisation, tool restriction (least-privilege), output validation (PII detection, destination allowlisting), and human review (HITL for irreversible actions). No single enterprise product covers all four layers.
