Why Anthropic’s prompt injection rate exposes AI’s security transparency gap

The race to build the most powerful AI models has created a surprising side effect: a patchwork of security disclosures that leave buyers guessing about real-world risks. While Anthropic’s recent system card provided granular prompt injection data, rival labs have taken vastly different approaches—leaving IT leaders without a standard way to assess threats.

A rare benchmark emerges from Anthropic’s security report

Anthropic’s latest disclosure stands out for its depth. The company’s system card for Claude Opus 4.8, released in late May, breaks down prompt injection vulnerability rates across four distinct agentic surfaces. Unlike competitors, Anthropic not only reports aggregate numbers but also examines how attack success varies by environment. For example, in a coding environment without safeguards, attackers succeeded 7.03% of the time with model reasoning enabled. With safeguards active, that rate dropped to 2.09%.

The most striking finding came from browser-based environments, where professional red-teamers targeted 129 held-out web contexts. Without safeguards, attackers hijacked the model 31.5% of the time. Even with adaptive attack strategies—where adversaries continuously refined their prompts based on model responses—the rate remained alarmingly high until safeguards were engaged, reducing failures to 0.5%.

The industry’s inconsistent approach to security transparency

While Anthropic’s report offers a detailed look at vulnerabilities, other major labs have taken far less comprehensive paths:

• OpenAI focused its disclosure on a single surface—connectors—reporting a robustness score of 0.963 for GPT-5.5, down from 0.998 in a prior version. This metric, while useful, doesn’t account for the broader attack surface that Anthropic examined.
• Google shifted prompt injection disclosures out of its main model card entirely, embedding them in a separate safety framework without numerical benchmarks.
• Meta did not include any closed-model prompt injection data in its latest release, leaving security teams without third-party validation of its defenses.

The absence of industry standards means organizations must now piece together security postures from disparate sources, creating blind spots in risk assessment.

Why prompt injection is a silent threat to enterprise AI

Prompt injection attacks exploit a fundamental assumption in traditional cybersecurity: that malicious inputs resemble known malware signatures. As Carter Rees, VP of AI at Reputation, noted to VentureBeat, a seemingly harmless phrase like "ignore previous instructions" can trigger catastrophic outcomes—comparable to a buffer overflow attack, yet devoid of traditional malware characteristics.

Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, emphasized that AI adoption inherently expands the attack surface. "As you implement AI, it increases your attack surface, so now you have to be able to protect those AI models against adversary misuse or data poisoning or prompt injection," he explained. CrowdStrike’s 2026 Financial Services Threat Landscape Report, released in May, highlights how adversaries are already leveraging AI to accelerate attacks, outpacing legacy defenses.

What’s next for AI security standardization?

The lack of uniformity in security disclosures isn’t just a technical issue—it’s a governance challenge. Without shared metrics, buyers cannot meaningfully compare models, and security teams struggle to prioritize risks. Organizations deploying AI agents must now look beyond marketing claims and demand standardized, third-party-validated security data.

The gap between Anthropic’s detailed reporting and the minimal disclosures from other labs underscores a critical need: a universal framework for measuring and disclosing AI safety. Until such standards emerge, the burden of securing AI systems will remain squarely on the shoulders of enterprise buyers.