As AI agents gain the ability to browse the web, retrieve information, and perform actions on behalf of users, they face evolving security threats. The primary concern is prompt injection, where attackers embed malicious instructions in external content to manipulate the model. Early attacks relied on simple overrides, such as editing a Wikipedia page to include direct commands. However, as models have become more robust, attackers have shifted toward social engineering tactics that mimic human deception rather than relying on obvious command overrides. Traditional defense mechanisms, often referred to as AI firewalling, attempt to classify inputs as either safe or malicious before processing. In complex, real-world scenarios, these systems struggle to distinguish between a lie and a truthful statement without sufficient context. Consequently, defense strategies have evolved to focus less on perfect detection and more on limiting the potential damage if an attack succeeds. This approach mirrors security protocols used for human customer service agents who operate in adversarial environments. In human customer support, agents are given strict rules and automated limits to prevent financial loss even when deceived by customers. For instance, a human might be unable to issue a refund or gift card without supervisor approval or specific verification steps. AI agents should operate under similar constraints. The goal is to design systems where the agent's capabilities are bounded, ensuring that even if the agent is misled, the scope of the harm is contained. ChatGPT employs a combination of this social engineering model and traditional security engineering techniques like source-sink analysis. This framework posits that an attack requires both a source of influence and a sink, which is a dangerous capability, such as transmitting sensitive data or executing a tool. The objective is to ensure that potentially risky actions do not occur silently. The most common attacks against ChatGPT involve attempts to trick the assistant into sending private information from the conversation to a malicious third party. While safety training often prevents these attempts, the system includes additional safeguards for cases where the agent is successfully convinced. A mitigation strategy known as Safe Url detects when the agent plans to send learned information to an external party. In such instances, the system either prompts the user to confirm the transmission or blocks the action entirely and suggests an alternative path forward. For developers integrating AI models into applications, the recommendation is to identify what controls a human would require in a similar situation and implement equivalent protections. While highly intelligent AI models may eventually resist social engineering better than humans, this is not always feasible or cost-effective for every application. Security must be built into the system architecture and training data to ensure that autonomous agents can safely interact with an unpredictable external world. Ongoing research into social engineering against AI continues to refine these defensive architectures and training methodologies.