
Key facts.
- AgentDojo finds prompt-injection attacks succeed against the best agents in under 25% of cases, dropping to about 8% with defenses, so hijack risk is real and reducible but never zero.source
- HR data, salaries, health, performance, complaints, is among the most sensitive a company holds, raising the stakes of any leak.source
- An agent that can access employee records can be steered to disclose them through instructions hidden in the data it reads.source
Why is HR a particularly dangerous place for this?
The data is uniquely sensitive and the harm of a leak is uniquely personal. An HR agent needs to read employee records to do its job: schedule reviews, answer benefits questions, process onboarding. That access spans salary, health, disciplinary and performance data that employees expect to be confidential. AgentDojo shows that a data-reading agent can be hijacked at a non-trivial rate through injected instructions. HR is exactly the kind of high-value target an attacker would aim that technique at. A leaked salary list, a disclosed health accommodation, an exposed complaint: each is a personal harm to an employee, a breach of trust and often a legal violation under privacy and employment law. The access the agent was granted to help is the same access an attacker borrows to expose people. HR is where that exposure hurts most.
The internal dimension makes it worse. HR confidentiality is not only about external attackers. It is about ensuring the agent does not disclose one employee's data to another or surface a complaint to the person it was about. An agent with broad read access and weak output controls can violate confidentiality without any attack at all, just by answering a question with data it should not have shared.

What protects employee confidentiality?
Least-privilege access and output validation. Scope the agent's read access to exactly the data each task needs. A hijack or a mistake reaches less. Validate every output against confidentiality rules before it is shown, so sensitive data does not go to the wrong recipient. Treat the data the agent reads as potentially carrying injected instructions, per the AgentDojo and indirect-injection findings, and enforce who may see what at the output boundary. The goal is an HR agent that can only access and disclose what its task and the viewer's authorization permit. The company's most sensitive data stays confidential whether the threat is an attacker or an honest mistake.
| Access and output handling | Confidentiality outcome |
|---|---|
| Broad access, unvalidated output | Sensitive employee data can leak |
| Least privilege, validated output | Disclosure bounded to what is authorized |
Scoping access and validating disclosure is part of what VibeModel does as the Pattern Intelligence Layer. We model the patterns of an HR task's legitimate data access and authorized disclosure. The agent protects the company's most sensitive data instead of becoming the path that exposes it.
Frequently asked questions
Does a more capable HR model remove the leak exposure?
HR holds salaries and complaints, and AgentDojo shows injection near 8% even defended; a newer model inherits the path, leak and rework follow. (arXiv:2406.13352)
Is the risk only external attackers?
No. An agent can violate confidentiality without any attack by disclosing data to the wrong internal recipient. Output validation handles both.
Can defenses make the agent safe from injection?
They cut attack success substantially, to roughly 8% in AgentDojo, but not to zero. Pair them with least-privilege access.
Why is HR a special case?
It holds the most sensitive data, salaries, health, complaints, so a leak is a serious personal harm and legal violation.

