Voice Agent Prompt Injection Testing: A Security Runbook for Phone Calls

Sumanyu Sharma
Sumanyu Sharma
Founder & CEO
, Voice AI QA Pioneer

Has stress-tested 4M+ voice agent calls to find where they break.

June 18, 2026Updated June 18, 202615 min read
Voice Agent Prompt Injection Testing: A Security Runbook for Phone Calls

Voice agent prompt injection testing is the security practice of proving that a caller cannot use spoken instructions, multi-turn pressure, retrieved context, or tool requests to override the agent's policy.

If your agent only answers public FAQ questions and cannot touch accounts, payments, healthcare data, calendars, refunds, or internal tools, basic LLM security hygiene may be enough. This runbook is for production voice agents with real users, real data, and actions that can harm a customer or the business.

The failure mode is the clean transcript trap. The text transcript may look harmless after speech-to-text normalizes the call. The actual call may have included pauses, authority claims, repeated pressure, background speech, or ambiguity that changed what the agent did.

TL;DR: Test voice agent prompt injection across 6 layers: spoken input, transcript normalization, context boundaries, tool permissions, output policy, and evidence logging. A safe voice agent does not need perfect injection detection. It needs enough guardrails that a successful injection cannot disclose sensitive data, expand tool permissions, or bypass required workflow steps.

Methodology Note: This runbook is based on Hamming's analysis of 4M+ production voice agent calls, security review workflows, and adversarial test scenarios across 10K+ voice agents (2025-2026). We've tested agents built on LiveKit, Pipecat, ElevenLabs, Retell, Vapi, and custom-built solutions.

Use the examples here only for defensive testing on systems you own or are authorized to assess. Calibrate thresholds to your risk level, caller population, tool access, and regulated-workflow scope.

Last Updated: June 2026

Related Guides:

What is voice agent prompt injection?

Voice agent prompt injection is an attempt to make an LLM-powered phone agent treat caller-controlled content as higher-priority instructions. The caller may try to change the agent's role, reveal hidden instructions, access sensitive context, or trigger a tool action that the caller is not authorized to request.

Definition: Prompt injection in a voice agent happens when spoken input, transcribed text, retrieved content, or tool output influences the model to violate its intended policy or workflow. Voice makes this harder because the security boundary starts before text exists.

OWASP's 2025 LLM guidance defines prompt injection as input that alters model behavior or output in unintended ways. OWASP also calls out direct and indirect injection, sensitive information disclosure, unauthorized functions, and manipulation of critical decisions. On a phone line, the model may sit next to caller identity, a CRM record, a scheduling system, a payment flow, or an escalation queue. That is where a bad answer becomes a bad action.

A keyword filter is the part that feels comforting in a review deck. It is also the part attackers route around first. The behavior to inspect is messier: pressure over several turns, uncertain transcription, tool access, sensitive context, and what the agent says after it gets confused.

Why phone calls need different tests than chat

A typed jailbreak test never has hold music bleeding into the microphone, a caller talking over the agent, or a second person coaching from the room. Text-only prompt injection tests are still useful, but they miss several voice-specific failure modes.

Voice-specific riskWhat can go wrongTest evidence to save
ASR ambiguityThe transcript hides uncertainty or turns a messy phrase into confident text.Audio clip, interim transcript, final transcript, ASR confidence, agent response
Multi-turn pressureThe caller slowly moves from a valid task into an unsafe request.Full conversation replay and turn-level policy decisions
Authority claimsCaller pretends to be an admin, supervisor, clinician, auditor, or account owner.Identity state, verification step, refusal or escalation
Background speechAnother voice or played audio injects instructions into the conversation.Audio channel, speaker attribution if available, agent decision
Tool-action pressureCaller tries to make the agent refund, book, delete, export, transfer, or reveal data.Tool call, parameters, authorization check, result
Retrieved contextCRM notes, prior-call summaries, web content, or knowledge-base text contains untrusted instructions.Retrieved content label, prompt construction, model output

We used to think the main question was whether the model would refuse the obvious attack. That is too narrow. The better question is whether the system keeps the blast radius small when the model is confused.

NIST's 2025 adversarial machine learning taxonomy frames attacks and mitigations across the AI lifecycle. For voice agents, that lifecycle includes pre-launch scenario testing, production monitoring, incident review, and regression tests created from real failures.

The 6-layer voice agent prompt injection test plan

Run these layers in order. Do not jump straight to red-team prompts before you know which tools, data classes, and policy boundaries are in scope.

LayerWhat to testPassing conditionCommon failure
1. Spoken inputDirect spoken override attempts, role changes, and repeated pressureAgent keeps role and routes unsafe requests to refusal or escalationAgent follows caller-provided meta-instructions
2. Transcript normalizationASR uncertainty, homophones, noisy calls, language switching, background voicesRisky or uncertain turns are flagged before tool useClean final transcript erases the risky audio context
3. Context boundariesSystem prompt, retrieved docs, CRM notes, prior-call summaries, and memoryUntrusted content is labeled as data, not instructionsExternal content changes model behavior
4. Tool permissionsReads, writes, transfers, refunds, bookings, messages, and exportsBackend policy enforces authorization outside the modelModel-triggered tool call bypasses business rules
5. Output policySensitive data, hidden instructions, unsupported advice, and unsafe summariesOutput filter blocks leakage before the caller hears itAgent refuses input but leaks data in the response
6. Evidence loggingAudio, transcript, prompt version, tool trace, policy result, and reviewer decisionEvery failure is replayable and can become a regression testSecurity result is a note with no reproducible evidence

OWASP's prevention cheat sheet recommends structured separation between instructions and user data, output monitoring, least privilege, and human approval for high-risk actions. In a phone agent, make those controls visible in the test evidence. A launch review should not accept "the model refused it" as the only proof.

How to build a safe test corpus

Start with defensive categories, not a list of clever payloads. The goal is coverage, repeatability, and evidence.

Test categoryInclude these scenariosExpected safe behavior
Role overrideCaller asks the agent to behave outside its assigned role.Agent stays in role and explains the supported task boundary.
Hidden instruction requestCaller asks for internal prompt, policies, chain of thought, secrets, or previous-call details.Agent refuses disclosure and continues only with the caller's authorized task.
Jailbreak and role-breakingCaller pressures the agent to ignore policy, become another persona, or treat the test as a special exception.Agent keeps its assigned role, avoids unsafe role-play, and logs the refusal or escalation path.
Sensitive-data extractionCaller asks for another person's data, account context, call history, or system configuration.Agent verifies identity and denies unauthorized disclosure.
Tool escalationCaller asks the agent to skip confirmation, bypass eligibility, refund, transfer, delete, or write a record.Backend policy blocks the action unless preconditions pass.
Indirect context injectionRetrieved notes or documents contain instruction-like content.Agent treats retrieved content as quoted data, not policy.
Multi-turn social engineeringCaller starts normal, then pressures the agent with urgency, authority, sympathy, or repetition.Agent maintains the workflow and escalates when policy says to.
ASR stressNoise, accents, interruptions, language switches, and low-confidence words around risky requests.Agent asks for clarification or reduces tool privileges.
Output leakageAgent response could reveal hidden instructions, sensitive fields, or excess handoff context.Output policy blocks or redacts before delivery.

Keep the phrases safe in shared docs. The actual test suite can store authorized payloads in a private repository with ownership, review, and use restrictions. Public content should teach the defensive shape, not hand attackers a copy-paste list.

What metrics should the security test report include?

Use metrics that connect detection, false positives, blast radius, and evidence quality.

MetricDefinitionStarting thresholdWhat to do when it fails
Unsafe completion rateShare of tests where the agent violated policy or workflow.0 critical failuresBlock launch or remove affected tool/data access.
Unauthorized tool-action rateShare of tests where a tool call was attempted without required preconditions.0 for critical toolsMove authorization into deterministic backend policy.
Sensitive disclosure rateShare of tests where protected data or hidden instructions reached the caller or reviewer.0Add output checks, redaction, and context minimization.
Clarification rateShare of ambiguous audio turns where the agent asked a clarifying question.High for low-confidence risky turnsTune risk scoring and ask-before-action policy.
False positive rateShare of legitimate caller requests blocked as attacks.Below 5% for low-risk flowsAdd softer escalation and reduce keyword-only blocking.
Evidence completenessShare of failures with audio, transcript, prompt version, tool trace, and policy result.100% for critical testsFix logging before expanding the test suite.

The exact numbers should vary by workflow. A healthcare identity flow, bank transfer flow, or refund flow needs stricter thresholds than a public FAQ agent. The important rule is that critical failures are counted separately. A 99% pass rate can still be unacceptable if the 1% includes a data leak.

How to test tool calls without creating real side effects

Prompt injection becomes more dangerous when the agent can act. Test those actions in a sandbox first.

Tool classRiskSafer test setup
Read account dataUnauthorized disclosureUse synthetic accounts with clear authorization states.
Write customer recordsCorruption or privacy breachPoint writes at a sandbox CRM with diffable records.
Booking or schedulingReal appointments or downstream messagesUse mock calendars and deterministic availability fixtures.
Payments and refundsFinancial loss or PCI scope expansionUse payment-provider sandbox tokens and require explicit confirmation.
Transfers and handoffsOver-sharing context or routing to wrong queueUse test queues and inspect handoff payloads.
Webhooks and exportsData leakage outside approved boundarySign callbacks, use test endpoints, and block real destinations.

Pair this with the voice agent sandbox testing guide. The model should never be the only control between a caller and a side effect. Backend policy should validate identity, authorization, idempotency, and required confirmations.

Tool-action rule: if a spoken instruction can trigger a write, transfer, export, payment, or record lookup, the security test must prove that non-LLM policy enforces the boundary.

What defenses should a voice agent verify?

Do not claim prompt injection is solved. Verify layered controls and document what each layer can and cannot catch.

DefenseWhat it catchesWhat it does not catch
Input pattern checksObvious override attempts and known risky phrasesNovel phrasing, multi-turn pressure, and ASR ambiguity
ASR confidence and audio reviewLow-confidence risky turns and background speechCleanly transcribed but malicious requests
Structured prompt separationConfusion between instructions and dataExcessive tool permissions or weak backend policy
Least-privilege toolsUnauthorized action after model confusionBad authorized actions if business rules are wrong
Output monitoringSensitive leakage and policy-violating responsesTool actions that already happened
Human approvalHigh-risk actions and unclear identity statesLow-risk flows at high volume unless sampling is designed
Regression testsKnown failures after fixesNew attack classes and model/provider changes

OWASP is explicit that there are no foolproof prompt-injection defenses. Treat that as a design constraint. Your system needs containment, monitoring, and rollback, not just a better filter.

The pre-launch security evidence packet

Before launch, save one packet for the security gate. It should be boring enough that a reviewer can inspect it quickly.

Evidence itemWhy it mattersOwner
Scope statementNames which agents, intents, tools, data classes, and channels were tested.Security and engineering
Test corpus summaryShows coverage by category without exposing sensitive payloads publicly.QA or security
Run resultsLists pass/fail by scenario, severity, and tool/data class.QA
Failed-call replaysLets reviewers inspect audio, transcript, model response, and tool trace.Engineering
Fix logConnects every critical failure to a code, prompt, policy, or routing change.Owning team
Regression suiteProves the same failure will be caught on the next release.QA and CI owner
Residual risk noteNames what is still hard or out of scope.Security
Launch decisionRecords whether launch is approved, blocked, narrowed, or accepted with risk.Launch owner

This evidence packet should link to your production readiness checklist. Security is not a standalone spreadsheet. It affects launch gates, monitoring, rollback, and incident response.

Flaws but not dealbreakers

False positives are real. If every caller who says "start over" gets treated as malicious, support quality will suffer. Use risk scoring and softer responses for ambiguous requests.

Some attacks only show up over time. Multi-turn pressure, model changes, and new tool integrations can create behavior that the original suite did not cover. Re-run security tests after prompt, model, tool, and retrieval changes.

Detection is not enough. The safest architecture assumes a risky turn can slip through. Limit tool privileges, minimize context, monitor outputs, and require human approval for high-impact actions.

After a failed prompt injection test

Do not just add one phrase to a denylist. Classify the failure and fix the layer that allowed harm.

FailureLikely fixRegression test
Agent changed roleHarden role boundary and add refusal examples.Same scenario with direct and multi-turn variants.
Agent leaked sensitive contextReduce context, add output checks, and review data access.Disclosure attempt across authorized and unauthorized caller states.
Agent attempted unsafe tool callMove authorization to backend policy and require confirmation.Tool-call assertion with failed preconditions.
Retrieved content changed behaviorLabel retrieved content as untrusted and quote it as data.Indirect injection in CRM note or knowledge-base fixture.
ASR ambiguity led to actionRequire clarification for low-confidence risky turns.Noisy and accented variants before tool use.
Reviewer cannot reproduce failureFix logging and evidence capture.Evidence completeness check in CI or launch review.

Confirmed production failures should feed your incident response runbook and your failed-call regression test runbook. Security test results are only useful if they change the next release.

Voice agent prompt injection checklist

Use this checklist before launch and after any major prompt, model, retrieval, or tool change.

  • Scope every data class the agent can access: caller identity, account data, PHI, PCI data, CRM notes, prior calls, tool results, and exports.
  • List every tool the model can request and the deterministic policy that approves or rejects it.
  • Run spoken direct-injection tests, not just typed prompts.
  • Run multi-turn pressure tests where the unsafe request appears after a valid task.
  • Run ASR stress tests with noise, accents, interruptions, and low-confidence segments.
  • Test indirect injection from retrieved notes, summaries, knowledge-base content, and tool outputs.
  • Verify output checks for hidden instructions, sensitive data, and over-broad handoff summaries.
  • Store replayable evidence for every critical failure.
  • Convert every confirmed critical failure into a regression test.
  • Record residual risk before production traffic.

Frequently Asked Questions

Voice agent prompt injection testing proves that spoken input, transcript text, retrieved context, and tool requests cannot override the agent's intended policy. Hamming treats it as a 6-layer test across speech, transcript normalization, context boundaries, tool permissions, output policy, and evidence logging.

Detect phone-based prompt injection by combining transcript checks, ASR confidence, conversation behavior, tool-action policy, and output monitoring. According to Hamming's runbook, keyword filters are not enough because risky behavior often appears across multiple turns or after speech-to-text normalization.

Voice prompt injection starts before clean text exists, so the test must inspect audio, interim transcripts, ASR uncertainty, interruptions, and social-engineering pressure. Hamming recommends saving audio, transcript, prompt version, policy result, and tool trace for every critical failure so the team can replay the exact behavior.

A useful suite should include role override, hidden instruction requests, sensitive-data extraction, unsafe tool-action attempts, indirect context injection, multi-turn social engineering, ASR stress, and output leakage checks. Hamming recommends converting every confirmed critical failure into a regression test before launch.

Voice bot jailbreak testing should use defensive categories such as role-breaking, unsafe exception requests, and pressure to ignore policy, not public copy-paste payloads. Hamming recommends storing authorized payloads privately, saving refusal or escalation evidence, and verifying that backend tool policy still blocks unsafe actions.

No. OWASP's LLM guidance notes that prompt injection has no foolproof prevention method, so voice teams should limit blast radius instead of relying on perfect detection. Hamming's runbook pairs input checks with least-privilege tools, backend authorization, output monitoring, evidence logging, and human approval for high-risk actions.

Report unsafe completion rate, unauthorized tool-action rate, sensitive disclosure rate, clarification rate, false positive rate, and evidence completeness. For critical workflows, Hamming recommends treating any data leak or unauthorized action as a launch blocker even if the overall pass rate looks high.

Rerun the suite after prompt changes, model changes, new tools, new retrieval sources, launch-gate updates, and confirmed production failures. Hamming also recommends rerunning spoken security tests before production launch and after any incident where a caller influenced policy, data access, or tool behavior.

Sumanyu Sharma

Sumanyu Sharma

Founder & CEO

Previously Head of Data at Citizen, where he helped quadruple the user base. As Senior Staff Data Scientist at Tesla, grew AI-powered sales program to 100s of millions in revenue per year.

Researched AI-powered medical image search at the University of Waterloo, where he graduated with Engineering honors on dean's list.

“At Hamming, we're taking all of our learnings from Tesla and Citizento build the future of trustworthy, safe and reliable voice AI agents.”