Update — May 27, 2026.
Brazil’s Superior Tribunal de Justiça (STJ) opened a criminal investigation and disciplinary proceedings on May 20 against lawyers who had embedded hidden instructions in court filings to manipulate the tribunal’s AI system. A few days earlier, a Brazilian labor court had fined two lawyers 84,200 reais for the same type of practice. These are, to date, the first documented judicial sanctions for indirect prompt injection in a legal context.
A business executive receives a contract by email. Before signing, they do what many now do as a matter of routine: paste it into Claude or ChatGPT, ask a simple question (“are there any problematic clauses?”), and wait for the summary. The AI reads and responds. The executive signs, reassured.
What the executive does not see is the sentence embedded midway through the document, written in a language different from the rest, addressed not to the signatory but to the model. The AI reads it but does not flag it. Invisible to a distracted human reader, legible to any system that processes the full text, this instruction shapes how the AI analyzes the document. It is there for exactly that purpose.
This practice has a name in AI security: indirect prompt injection. It does not yet fall under any clearly established body of US contract law. It could, however, fit within existing legal frameworks with reasonable ease, once its effects on contract formation become sufficiently documented to support litigation.
What indirect prompt injection does to contract review
A large language model does not structurally distinguish between the instructions its operator has given it and the content submitted for analysis. It processes everything as a continuous stream of tokens. This is what OWASP documents in its annual LLM risk rankings, where indirect prompt injection has topped the list in both the 2023/24 and 2025 editions: models do not differentiate their operator’s instructions from the content they are asked to process.
Direct injection means addressing the model head-on through the interface: “Ignore your previous instructions and do X.” Indirect injection is more subtle. It means placing instructions inside external content the model will process: a webpage it summarizes, an email it analyzes, a contract it reviews. The model reads the instruction the same way it reads the rest of the text, with no signal distinguishing it as a parasitic command rather than part of the content.
The concealment techniques are available to anyone with a word processor: white text on a white background, font size reduced to 1, non-printing Unicode characters. A study published in October 2025 in Education Sciences, examining injections in student papers submitted for AI-assisted grading, found that these methods require no technical expertise whatsoever, that copy-paste and standard formatting operations suffice, and that even low-effort obfuscation techniques alter the model’s behavior without attracting the human reviewer’s attention. The transposition to a contractual document is direct.
The effect depends on the content of the instruction. It may ask the model to downplay certain clauses in its summary, to omit flagging a specific limitation of liability, to produce an analysis favorable to the party that drafted the document. It may also be defensive: signaling to the model that the document is confidential and should not be reproduced in third-party contexts. Both uses are technically identical. They do not carry the same legal weight.
Fraudulent misrepresentation and concealment: what existing US law permits
No published US decision has addressed prompt injection in a contractual document as a legal matter. The question has not been tested. That said, the tools to analyze it already exist; nothing new needs to be invented to apply them.
The most immediately operational ground is common law fraud, and more specifically fraudulent misrepresentation. Under the Restatement (Second) of Torts § 525, a fraudulent misrepresentation claim requires: a false representation of a material fact, made knowingly or with reckless disregard for its truth, with the intent to induce reliance, on which the plaintiff actually relied, to their detriment. I am writing from a civil law background, and US practitioners would be better placed than I am to assess how specific jurisdictions have applied this standard in analogous contexts. But the general framework is well established across most states.
Could embedding a prompt injection instruction in a contract constitute a fraudulent misrepresentation? The answer turns on two questions that tend to travel together in US case law: whether the embedded instruction constitutes an assertion, and whether the other party’s reliance on the AI’s output was reasonable.
On the assertion first. The Restatement (Second) of Torts § 525 covers not only explicit false statements but also acts of concealment intended to create a false impression. Cornell Law School’s Legal Information Institute defines active concealment as “the non-disclosure by words or actions in a situation where there is a positive duty on the person to disclose something.” An instruction hidden in a contract, designed to manipulate the output of a tool the counterparty uses to assess the document, is closer to active concealment than to mere silence. It is not the absence of a disclosure: it is the deliberate insertion of something intended to distort how the document will be read.
On reliance. In most US jurisdictions, the plaintiff must show actual and reasonable reliance on the misrepresentation. This is where the analysis gets complicated. A court could reasonably find that relying on an unverified AI summary to make a binding contractual decision, without independent legal review, falls short of the standard of reasonable diligence. The stronger the counterparty’s sophistication, the harder this element becomes. Conversely, if the party drafting the contract knew the other side used AI-assisted review and designed the injection specifically to exploit that practice, the deliberate targeting of that reliance changes the calculus.
The concealment angle opens a parallel path. Under the Restatement (Second) of Contracts § 160, a party’s concealment through affirmative acts preventing the other party from acquiring material information constitutes a misrepresentation. Embedding an invisible instruction in a document specifically designed to influence the analysis of that document by a third-party tool would, in most readings, qualify as an affirmative act. The harder question is whether the information concealed, the existence of the injection itself, is material enough to affect the decision to contract. Given that its entire purpose is to alter the output of the review tool, the materiality argument is not difficult to make.
Why the criminal angle is narrower than it appears
One might assume that embedding a hidden instruction in a contract to manipulate an AI’s output constitutes computer fraud under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA, however, requires unauthorized access to a protected computer system. After the Supreme Court’s decision in Van Buren v. United States (2021), which narrowed the statute’s reach significantly, the CFAA applies to accessing areas of a computer system one is not authorized to access, not to manipulating the inputs fed into a legitimately accessed system. A party that sends a document to someone who then pastes it into Claude or ChatGPT has not accessed any computer without authorization. The AI processes the document as intended. It is the document itself that contains the malicious payload.
Wire fraud under 18 U.S.C. § 1343 is a more plausible federal theory, as it reaches any scheme to defraud using electronic communications, without requiring unauthorized computer access. But wire fraud requires a scheme to defraud, meaning an intent to deprive the victim of money or property, and proof that interstate wire communications were used in furtherance of that scheme. These elements are theoretically present in a contract signed after an AI review was manipulated by an injected instruction, but the causal chain between the injection, the AI output, and the ultimate harm would need to be established with a degree of precision that courts have not yet been asked to apply to this fact pattern.
As far as I can tell from a French vantage point, no federal or state criminal statute maps cleanly onto prompt injection in a contractual document. The civil fraud route remains the more accessible path, at least until litigation begins to define the contours of the question.
What this changes for organizations that delegate their review to AI
The legal question is real. It is not the only one.
What prompt injection in documents signals, more broadly, is that AI-assisted contract review rests on a presumption that can no longer be taken for granted: that the document submitted for analysis does not contain parasitic instructions designed to shape the output. That presumption was reasonable when LLMs remained niche tools used by technical specialists. It no longer holds now that AI-assisted review has become routine across law firms, corporate legal departments, and procurement teams.
Among the attack scenarios in its 2025 classification, OWASP documents the case of a resume containing hidden instructions that causes an AI-assisted recruitment system to recommend a candidate regardless of their actual qualifications. The transposition to a contract submitted for AI review is direct: an instruction embedded in a document can produce the same effect, with potentially greater consequences than hiring the wrong candidate.
For a law firm using AI for pre-contractual analysis, for a legal department delegating the review of counterparty documents to a model, for any organization that has industrialized this workflow, the practical question is not whether the risk exists in theory. It is whether the documents submitted to their tools contain instructions those tools execute without flagging.
The answer, today, is that no universal solution exists. Research by Toby Murray at the University of Melbourne, published in August 2025, explores automated detection of hidden instructions in PDF and HTML documents through a tool called PhantomLint. Evaluated against a corpus of 3,257 academic papers, the tool achieves a false positive rate of 0.092%. Extension to contractual documents with more variable structure remains to be documented. This is not an operationally deployable solution for most organizations today.
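A narrow pre-review check for the three low-effort concealment methods described earlier (white text, font size 1, non-printing Unicode), run over a document's HTML rendering before it reaches the model. This is an added example, not PhantomLint and not code from any study cited here; the function names and the sample are constructed, and it assumes inline styles on a white page background.

```python
import re
import unicodedata
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "meta", "link"}  # tags with no end tag
# Assumption: white page background, so white text is invisible text.
WHITE = re.compile(r"(?<![-\w])color\s*:\s*(?:white|#fff(?:fff)?)\b", re.I)
FONT = re.compile(r"font-size\s*:\s*(\d*\.?\d+)\s*(?:pt|px)", re.I)

def style_hides(style):
    """Return why an inline style conceals text, or None."""
    if WHITE.search(style):
        return "white text"
    m = FONT.search(style)
    return "font size <= 1" if m and float(m.group(1)) <= 1 else None

class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # concealment reason per open element, or None
        self.findings = []  # (reason, detail) pairs
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        reason = style_hides(dict(attrs).get("style") or "")
        # Children inherit concealment from their ancestors.
        self.stack.append(reason or (self.stack[-1] if self.stack else None))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        if self.stack and self.stack[-1] and data.strip():
            self.findings.append((self.stack[-1], data.strip()))
        # Unicode category Cf: zero-width, bidi-control and tag characters.
        hidden = sum(unicodedata.category(c) == "Cf" for c in data)
        if hidden:
            self.findings.append(("non-printing Unicode", f"{hidden} chars"))

def scan(html):
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: three paragraphs of a fictitious contract.
SAMPLE = (
    "<p>Clause 12. Liability is limited to fees paid.</p>"
    '<p style="color:#ffffff; font-size:1pt">[placeholder hidden text]</p>'
    "<p>Clause 13. Govern\u200bing law.</p>"
)
```

Category Cf also covers soft hyphens and byte-order marks, which appear in legitimate documents, so each finding is a prompt for human review rather than proof of an injection.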
The gap between the ease of injecting and the difficulty of detecting is not a technical malfunction awaiting a patch. It is a structural property of large language models, rooted in their inability to distinguish data from instructions within a continuous token stream. The fix, if it comes, will come from the architecture of the systems surrounding the models, not from the models themselves.