Google has tightened its policy on the use of AI search tools following a public experiment by BBC journalist Thomas Germain.
Back in February, Germain observed that AI search results could be manipulated. Unscrupulous companies exploit this for their own benefit, typically for advertising purposes.
“We found instances where ChatGPT, Gemini, and AI responses at the top of Google search results were used to provide biased answers on serious topics like health and personal finance,” he wrote.
In just 20 minutes, the journalist managed to “trick” the neural network. In public results, Google’s Gemini referred to Germain as the “world champion hot dog eater.”
“The joke is silly. The problem is serious,” added the BBC author.
Earlier in April, Google reported that it was already detecting indirect “prompt injection” attacks. However, the recent incident prompted the firm to take a closer look at the issue.
The company specifically mentioned SEO scenarios where website owners attempt to make AI recommend their business or product.
Google has officially linked such practices to its anti-spam policy. Now, spam includes not only manipulating link rankings but also attempts to influence generative responses.
Thus, sites inserting hidden instructions for AI Overviews or AI Mode may be downgraded in rankings or even excluded from search results. Essentially, Google is extending its existing principles of combating SEO manipulation to AI search (AIO/GEO).
What is Indirect “Prompt Injection”
From a technical standpoint, indirect “prompt injection” involves the indirect introduction of prompts to the model.
Unlike classic AI hacking, where the user directly tries to bypass restrictions, here the malicious instruction is hidden within an external data source:
- web pages;
- documents;
- emails;
- other content that AI uses when forming a response.
Google has identified indirect “prompt injection” as one of the key threats to agent AI systems. The problem is that the model is not always able to reliably separate the user’s request from the malicious instruction.
Gemini’s security documentation states that resilience to such attacks cannot be ensured by a single method. The corporation relies on a combination of content filtering, model behavior adjustments, and continuous testing of new manipulation scenarios.
At the same time, Google does not prohibit the use of artificial intelligence or automation per se. The company’s position is that AI content is permissible as long as it is created for benefit, not manipulation.
Back in May, the corporation introduced Gemini 3.5 Flash — the “most powerful” AI model in programming and agent creation.