Risk Factor of the Week: Microsoft's 2025 Prompt-Signing Grant and the Injection Threat

The risk factor they hope you skip now includes a new word: prompt injection. Microsoft's grant US12399991B2 (“Signing large language model prompts to prevent unintended response,” issued 2025-08-26) is the engineering answer to it. Assigned to Microsoft and classified CPC G06F 21/56 (the malicious-code class), with inventors including Neelakantan Sundaresan, it covers signing prompts so a model trusts only authentic instructions.

Why a disclosure reporter cares: as LLMs gained the ability to act — calling tools, reading untrusted content — prompt injection became a concrete security threat, where malicious text hijacks the model's behavior. That threat has started appearing in AI security discussions and risk language. Cryptographically signing prompts is a defense: if an instruction isn't signed, the model shouldn't obey it.

“A technique to prevent a prompt injection attack utilizes a security agent to sign a large language model prompt with a secret that is isolated from the user application or device that generates a user prompt. The secret is tailored for a specific user identifier and session identifier.”— U.S. Patent No. 12,399,991 source

The classification is itself the tell. This grant sits in the malicious-code/security CPC class, not a generic AI class — Microsoft is treating prompt manipulation as a security problem with a security solution. That framing tracks how AI risk is migrating from “outputs might be wrong” toward “outputs can be adversarially controlled.”

What this isn't: proof the technique is deployed, or that it fully solves injection. It's a grant, so ownership is settled but efficacy is not something we assert. The signal is that the injection threat had dated, owned mitigation IP by mid-2025, framed explicitly as security.

For the early-warning desk, the pattern is clear: a named, sharpening risk — prompt injection — with a dated security-classified patent behind it means the exposure is recognized and being engineered against. Reading the emerging risk language alongside this grant is more informative than either alone.