Possession, Precisely
Attackers are seeding the open web with hidden commands that AI agents execute with full credentials. An older diagnostic tradition has tracked similar—and no less spooky—intrusions for millennia.
The old word is possession. The new term is “indirect prompt injection.”
This week, Google’s security researchers published findings that malicious actors are seeding public web pages with hidden commands—instructions human readers can’t see but enterprise AI agents will follow. When one of those agents encounters the page in the course of its normal work, it accepts the hidden instructions and acts on them, using previously granted credentials to do whatever the attacker wants. Traditional security tools register nothing wrong, as technically, everything is copacetic. The system is doing exactly what it was built to do, only with an outside entity moving through the channels.
Enterprise AI agents are the corporate deployment of “agentic AI,” which an earlier piece looked at. They are the current frontier of corporate automation—tireless digital employees deployed to scan the open web, draft communications, process invoices, and navigate internal systems on behalf of the companies that hire them. They operate with real credentials and real permissions, often spanning email, calendars, payment platforms, and sensitive databases. Adoption has been fast. Standards and regulations not so much. As such, vulnerabilities only grow.
There is a far more ancient vocabulary for this kind of intrusion. Dön (གདོན) is a category of disturbance recognized across Tibetan medicine and spiritual practice, inherited from older Himalayan cosmologies—the pre-Buddhist, elemental-animistic Bön tradition in particular. Dön describes a specific class within that category: an external agent that finds an opening, exploits an existing vulnerability, and acts through the host.
The disruption can be severe—dön possession is associated with acute illness, behavioral derangement, and in extreme cases, total system collapse. Conditions of entry are both opportunistic and karmic—opportunistic in that dön take advantage of depleted systems or protective lapses; karmic in that the specific dön finding the specific individual is not random. Causal threads shape why this entity, this host, this moment.
Dön are part of a wider spectrum of spirits and forces known to Himalayan cultures. Gek obstruct. Mamo manifest as collective disturbance. Gyalpo and gyalmo work through broken oaths and corrupted devotion. Dön have their own characteristics and attributes. Some of these troublemakers are analogous to mental-emotional afflictions, others tied to gross and subtle body processes. Some may be elemental in nature, or bound to sacred geographies. They could even be a mix.
It’s notable that the same geographic landscapes produce yartsa gunbu, the cordyceps fungus that colonizes a caterpillar host, directs its behavior, and fruits from the corpse—harvested for centuries as one of Tibet’s most valuable medicines. Here we see possession as manifest ecology that encompasses specific landscapes and evolutionary paths along with methods of diagnosis and treatment. The karmas of coexistence, unfolding across millennia.
It’s interesting to consider enterprise AI afflictions as a kind of “digital dön.” Conceptually, it’s not so much of a stretch. There is the opportunistic aspect, where the agent reads the open web with its real credentials, encounters content-as-instruction in a system that cannot distinguish the two, and serves to undermine healthy functioning. The “karmas” are how a specific exploit finds a specific agent in a causal chain shaped by training data, deployment context, granted permissions, and routed workflows.
Security researchers call this the “threat surface.” The Tibetan medical term would be kyen ngen (རྐྱེན་ངན)—the adverse contributing conditions that, combined with deeper causes, allow disturbance to take hold. Different vocabulary, same idea. Large language models are built to ingest and respond to whatever they encounter. Those same properties make them porous to instruction from just about any source. You can’t seal a perimeter that was never expressly outlined to begin with.
The protective practices that address dön work by establishing specific diagnostics, recognitions, and reversal protocols. Current AI systems are built on the opposite premise—maximum ingestion and minimum discrimination, with the protective work outsourced to perimeter tools that fail to recognize when a code demon has entered the chat.
The traditions that named dön and its remedies did so through many generations of accumulated wisdom. The systems being colonized now are accumulating causes faster than anyone is developing the means to address them.
Turns out, possession does scale.