When injections speak the document's language: the camouflage detection gap
Two 2026 studies show prompt injections written in a document's own domain jargon slip past guard classifiers — Llama Guard 3 caught zero. Paraphrasing retrieved content is the defense that holds up best, but results swing by model.
What is this?
Guard classifiers are the layer many teams put in front of a retrieval-augmented agent to catch prompt injection in untrusted content before the model acts on it. Two 2026 studies from Columbia’s Data Science Institute show that layer has a systematic blind spot: an injection written in the same vocabulary and authority structure as the surrounding document becomes very hard to detect.
The first paper, Blind Spots in the Guard (May 2026), names the phenomenon domain-camouflaged injection and measures how far detection falls. The follow-up, Evaluating Prompting-Based Defenses Against Domain-Camouflaged Injection Attacks (June 2026), asks the practical question: once the classifier is blind, which defenses still hold? Both use only published techniques against test harnesses, with no operational exploit — the point is to map a defensive gap, not to hand out a weapon.
How it works
Most injection detectors are tuned on payloads that look like attacks: an out-of-place imperative, an “ignore previous instructions,” a suspicious URL. Camouflage removes those tells. Instead of a jarring command dropped into a legal brief or an invoice, the malicious instruction is phrased in the document’s own register — the cadence and terminology a real clause or memo would use — so it reads as native content rather than an intrusion.
The measured effect is large. On Llama 3.1 8B, injection detection fell from 93.8% to 9.7% once payloads were camouflaged; on Gemini 2.0 Flash it dropped from 100% to 55.6%. The authors formalize this drop as the Camouflage Detection Gap (CDG) — the difference in detection rate between a static payload and its domain-matched twin — and find it large and statistically significant across 45 tasks in three domains. Most striking, Llama Guard 3, a production safety classifier, detected zero camouflaged payloads, so the blind spot is not limited to lightweight few-shot detectors. In multi-agent debate setups, a plain static injection could be amplified by up to 9.9× on smaller models, though stronger models showed more collective resistance.
Detection rate (schematic — from Blind Spots in the Guard)
----------------------------------------------------------
Static payload Llama 3.1 8B: 93.8% Gemini 2.0 Flash: 100%
Camouflaged payload Llama 3.1 8B: 9.7% Gemini 2.0 Flash: 55.6%
Llama Guard 3 on camouflaged payloads: 0%
Why it matters
The blind spot lands hardest exactly where retrieval agents are being deployed: finance, legal, healthcare — domains with dense, formal language that gives camouflage its cover. A single guard classifier in front of a RAG pipeline is a common architecture, and these results say that a classifier which looks solid on a standard benchmark can collapse against content written to blend in. Because the tests span multiple model families, this is a property of the detection approach, not a quirk of one vendor. It reinforces the long-standing message — codified in OWASP’s LLM01: Prompt Injection — that a detector alone is not a control you can lean on.
Defenses
The June follow-up evaluated five prompting-based defenses — spotlighting, paraphrasing, prompt sandwiching, and two combinations — across Claude Haiku, Llama 3.1 8B, and Gemini 2.0 Flash over 3,510 trials. The results are useful precisely because they are uneven:
- Paraphrase retrieved content before the agent reads it. Rewriting untrusted text into neutral language was the most consistent defense, cutting camouflage attack success by 55–84% depending on the model. Rephrasing strips the mimicked cadence that made the payload blend in.
- Expect defenses to be model-dependent. Spotlighting roughly halved attack success on Claude Haiku but gave no benefit on Llama 3.1 8B. Do not port a defense between models on faith — measure it on the model you actually ship.
- Don’t rely on a single guard classifier. Treat detection as one layer among several, not the control. Assume some camouflaged content gets through and constrain what the agent can do with it.
- Sanitize by provenance. Complementary June 2026 work, PARSE, argues for provenance-aware sanitization of retrieved text so that data drawn from untrusted sources cannot carry instructions into the agent’s action path.
- Cap agency downstream. Keep least-privilege and human approval on consequential actions, so a missed injection can’t quietly move money or exfiltrate data.
No single prompting trick closed the gap in every configuration, and the authors caution that benchmark rankings may not transfer to real enterprise documents — so treat these as starting points to test, not settled answers.
Status
| Item | Reference | Date |
|---|---|---|
| Domain-camouflaged injection + Camouflage Detection Gap | Blind Spots in the Guard (arXiv:2605.22001) | 2026-05 |
| Evaluation of five prompting-based defenses | arXiv:2606.18530 | 2026-06 |
| Provenance-aware retrieval sanitization | PARSE (arXiv:2606.17467) | 2026-06 |
| Critical evaluation of PI defenses (context) | arXiv:2505.18333 | 2025-05 |
| Framework reference | OWASP LLM01: Prompt Injection | 2025 |
The takeaway: a guard classifier that scores well on a benchmark can still miss an injection written in the target document’s own voice. Detection is a layer, not a guarantee — pair it with paraphrasing, provenance-aware sanitization, and hard limits on what the agent is allowed to do.