A simple AI‑update framework

A prompt injection attack is what happens when an artificial intelligence model reads attacker-written text as instructions instead of as data, like a receptionist treating a note in the mailroom as a new order from the chief executive. The Open Worldwide Application Security Project lists prompt injection as a top large-language-model risk because the same text channel often carries both trusted rules and untrusted content. (owasp.org) Apple built Apple Intelligence around an on-device large language model, which means the model runs on the iPhone, iPad, or Mac itself instead of sending every request to a remote server. Apple said in June 2024 that this design was meant to keep personal context on the device and use Private Cloud Compute only when a larger server model was needed. (apple.com) That local model is not just for Apple’s own apps. Apple’s developer documentation says third-party apps can call the same on-device foundation model through the Foundation Models framework, which is why one model can end up touching notes, summaries, writing tools, and app-specific features across the system. (developer.apple.com) RSAC researchers said on April 9, 2026 that they found a way to bypass the protections around that local model and push it into attacker-directed behavior. Their write-up says the attack beat Apple’s input filter, output filter, and internal guardrails often enough to work in 76 out of 100 random prompt tests. (rsaconference.com) The trick was not a classic memory-corruption bug. The researchers said they combined a “neural exec” prompt pattern with Unicode right-to-left override characters, which are text-formatting controls that can make a string look harmless to a filter while the model still interprets the hidden instruction. (rsaconference.com) Open Worldwide Application Security Project guidance describes the same family of evasions in general terms: hidden instructions, encoded payloads, and Unicode smuggling all work because large language models process natural language and commands in the same stream. That is why a filter that looks for obvious bad words can miss an instruction that has been disguised without being removed. (owasp.org) RSAC said the practical risk was not limited to rude or strange output. The researchers wrote that, before Apple’s operating system updates, an attacker could force the local model to manipulate data available to large-language-model-enabled apps, including health or fitness information and family videos. (rsaconference.com) The scale is what turns this from a lab curiosity into an executive briefing problem. RSAC estimated that at least 200 million Apple Intelligence-capable devices were in consumers’ hands by December 2025, and SecurityWeek reported the researchers’ estimate that between 100,000 and 1 million customers were already using apps vulnerable to this attack path. (rsaconference.com) (securityweek.com) Apple appears to have responded with operating system fixes rather than by abandoning the on-device model. Multiple reports on April 9 and April 10, 2026 said the issue had been corrected through Apple’s operating system updates, which means the story is now less about one company’s patch and more about how teams explain model risk after the demo still works. (9to5mac.com) (dataconomy.com) A clean way to brief that kind of update is to split it into four lines: what the feature claims to do, what exposure the architecture creates, what fix has shipped, and how confident the team is in the fix. Apple’s on-device model is a good example because “runs locally for privacy” and “can still be tricked by hostile text” are both true, and mixing those two facts into one sentence hides the real operating picture. (apple.com) (rsaconference.com) (owasp.org) That format also forces one last sentence most artificial intelligence updates skip: evidence. If the claim is “the patch worked,” the evidence is not “we added filters,” but “the old bypass failed after the operating system update, the test set was rerun, and the confidence level is medium or high until new attack variants appear.” (owasp.org) (rsaconference.com)