The prompt injection attacks documented this month by Google and Forcepoint share a quality worth noticing: they're embedded in the page itself. Text shrunk to a single pixel. Instructions tucked inside HTML comments. CSS that renders payloads invisible to humans but fully readable to any agent parsing the source. The manipulation happens before the model ever sees the input.

This is known. OpenAI has moved from calling prompt injection "unlikely to ever be fully solved" in December 2025 to assuming agents will be misled and focusing on damage containment by March 2026. Anthropic calls the web "an adversarial environment" outright. A meta-analysis of 78 studies found adaptive attacks succeed against state-of-the-art defenses more than 85% of the time.

Both companies acknowledge the model layer cannot fully contain this. Nearly all defense investment concentrates there anyway.

The reason is structural, and it follows from what produces a shippable result.

AgentDojo, the most widely used evaluation framework for prompt injection, measures attack success rate, benign utility, and utility under attack. All model-behavior metrics. These produce clean numbers that compare across papers, feed into leaderboards, and generate press-friendly figures. Anthropic's "1% attack success rate" is exactly this kind of artifact: a number that travels well. What happens when a real adversary studies the defense and routes around it is something the benchmark infrastructure was never built to capture.

Environment-layer defenses do exist in research. CaMeL, from Google DeepMind, achieves provable security on 77% of benchmark tasks by enforcing data-instruction separation architecturally, without modifying the model at all. StruQ separates prompt and data channels. Real contributions. But a model-layer improvement produces a number, fits into an existing evaluation framework, and ships as a model update. An environment-layer improvement produces an architecture. Architectures are harder to benchmark, harder to compare, harder to describe in a changelog. So they stay in papers.

Google's scan of billions of crawled pages found a 32% increase in malicious prompt injection payloads between November 2025 and February 2026. Forcepoint documented payloads targeting PayPal transactions, API key exfiltration, and destructive commands, all hidden in page elements that no model-layer defense can prevent from entering the context window.

This points somewhere beyond security. Measurable results attract investment; problems that resist productization sit unfunded. For anyone deploying agents into untrusted web environments, the implication is concrete: the defenses their systems carry were benchmarked against a version of the problem that bears little resemblance to the one they'll encounter in production. The benchmarks are real. The progress they measure is real. Whether any of it is progress toward the right problem is something the benchmarks themselves will never tell you.