I have submitted 193 job applications since January.

193 is a dataset. Confirmation emails arrive within seconds, denial letters on a schedule that matches no known business hours. The support chat deflection timing tells you which platform the company bought. After enough of them, you stop reading the message and start reading the system.

HR AI agents are an injection surface that most organizations are not monitoring because they were not bought as security infrastructure.

What I Observed From the Applicant Side

Before a human ever reads your resume, a screener has already scored and routed it. Confirmation emails land within seconds, denial letters on a schedule that does not match any known business hours, and support chat deflects with language that reads like a system prompt given word-for-word instructions.

These systems share a common architecture: they take unstructured text from an external party (the applicant) and feed it into a downstream process. Applicants have no visibility into what that process does or what the output looks like, and companies monitor the output without tracking what the input triggered.

That architecture is the description of a prompt injection surface.

The Attack Is Not Theoretical

Prompt injection against an HR screening agent works like any other injection attack. The external input contains instructions that the system interprets as commands rather than data.

An applicant who understands the pipeline submits a resume with embedded instructions designed to alter the agent’s categorization output. If the agent is scoring submissions on criteria like “relevant experience” or “culture fit,” a carefully constructed prompt can influence which criteria get weighted. For an agent routing applications to specific hiring managers based on keyword extraction, the routing logic is equally exposed.

The output reflection angle is observable without any technical access. Some platforms send automated emails that include excerpts from the applicant’s submission or the system’s categorization label. If you can see how the system categorized your submission, you can iterate on what you send next. That is a probe, and it works through the front door.

Why Nobody Caught It

The company that deployed the HR AI agent bought it from a vendor who sold it as a hiring efficiency tool. HR evaluated it for workflow fit, Legal for employment law compliance, Finance for budget approval.

Security was not in that conversation.

The vendor’s documentation covers data privacy and regulatory compliance. It does not address what happens when an applicant who understands injection techniques treats the input form as an attack surface. That scenario is not in the threat model because the product was not categorized as security infrastructure.

An AI agent that reads external input and routes it to internal processes is security infrastructure. The category it was purchased under does not change the exposure.

What Organizations Should Do

HR AI systems belong on the asset inventory and in the threat model the same way the customer support chatbot does. Input sanitization and output monitoring require the organization to ask for them during procurement. Vendors do not add them by default.

The questions worth asking: Does the system sanitize applicant-submitted text before passing it to the model? Is there logging on what the agent’s scoring or routing output was for each submission? If the output of the agent is reflected in any communication back to the applicant, who reviews that output before it sends?

If the answers are no, unclear, and no one, the exposure is open.

This is also why AI vulnerability scanning is a category that does not exist yet at most organizations. Web app scanners test web apps and network scanners test network surfaces, but neither covers an AI agent reading applicant text and routing it into internal workflows. That surface has no dedicated tooling yet.

If you want to know whether your AI-augmented hiring pipeline has an injection surface, KyberPoint runs AI vulnerability scans and delivers a full findings report with remediation steps. Engagements start at $800. KyberPoint AI Vulnerability Scan

Written by Mario Martinez Jr. (ku5e / Gary7) | TryHackMe Profile | ku5e.com/blog