Snowflake Cortex AI · Data cloud security
Prompt injection in Snowflake Cortex AI — multimodal data cloud security
Snowflake Cortex AI brings LLM capabilities directly into the Snowflake data cloud through SQL-callable functions — SNOWFLAKE.CORTEX.COMPLETE(), SNOWFLAKE.CORTEX.EXTRACT_ANSWER(), SNOWFLAKE.CORTEX.SUMMARIZE(), and SNOWFLAKE.CORTEX.TRANSLATE() — along with the Cortex Document AI feature that extracts structured data from uploaded PDF and image files. When organisations use Cortex to analyse semi-structured data that originated from images — expense receipts scanned to structured tables, supplier invoice images processed through Document AI, product label images OCR'd to text columns — an adversarially crafted image that embeds prompt injection instructions in its visible text or hidden pixel structure can inject those instructions into the Cortex LLM function's processing context. Snowflake's data governance capabilities — column-level security, row access policies, Dynamic Data Masking, object tagging — are data-access controls: they govern who can query which columns and rows. They do not inspect the content of the data for adversarial LLM payloads. Snowflake's trust centre and compliance certifications (SOC 2 Type II, ISO 27001, HIPAA BAA) address data handling and infrastructure security — not adversarial content embedded in image-derived text records. The correct insertion point for adversarial image detection is before images are loaded into Snowflake — at the ingestion pipeline that extracts text from images before those records enter the data lake, or at the Cortex Document AI upload step.
TL;DR
Snowflake Cortex LLM functions are called on table columns — if those columns contain text extracted from adversarially crafted images, the injection payload rides in the column value directly into the LLM context. Snowflake governance controls and Document AI do not scan image content for adversarial payloads. Scan images with POST https://glyphward.com/v1/scan at the ingestion step before they enter Snowflake. Reject images with score >= 65. Free tier — 10 scans/day, no card required.
Four multimodal injection surfaces in Snowflake Cortex AI
1. Cortex Document AI processing supplier-submitted invoice and document images. Snowflake's Cortex Document AI feature allows organisations to upload document images (PDFs, scanned invoices, receipts, forms) directly into a Snowflake stage and use a Cortex-powered extraction model to pull structured fields from the documents into table rows. Procurement teams use this to process supplier invoices at scale: upload the invoice image, Cortex Document AI extracts vendor name, invoice number, line items, and total — the extracted fields populate a procurement database table. When suppliers submit invoice images, the content of those images is entirely outside the submitting organisation's control. An adversarially crafted invoice image — visually identical to a legitimate invoice but with typographic prompt injection text printed at low opacity, in colours that match the background, or in a font size below visible threshold — causes Cortex Document AI to extract the injected instructions alongside the genuine invoice fields. If those extracted text fields are subsequently passed to SNOWFLAKE.CORTEX.COMPLETE() for downstream processing (summarisation, anomaly flagging, compliance checking), the injection payload executes in the LLM context with whatever permissions the Cortex function invocation carries. The Glyphward scan applied to each document image at upload time — before it reaches the Snowflake stage — blocks the adversarial image before extraction begins.
2. Cortex LLM functions applied to image-extracted text columns from OCR pipelines. Many Snowflake data pipelines use external OCR tools (AWS Textract, Google Document AI, Azure Form Recognizer, Tesseract) to convert image archives to text, then load the extracted text into Snowflake tables. Analysts then run Cortex LLM functions against these text columns: SNOWFLAKE.CORTEX.SUMMARIZE(extracted_text) across a corpus of scanned contracts, SNOWFLAKE.CORTEX.EXTRACT_ANSWER() on scanned form responses, or SNOWFLAKE.CORTEX.COMPLETE(prompt, extracted_text) for custom analysis tasks. The adversarial injection surface is in the original image, not in the extracted text file — an adversarially crafted image that contains visible or near-invisible injection text will have that text faithfully extracted by the OCR pipeline and stored in the Snowflake text column. When a Cortex LLM function processes that column, the injection payload is present in the function's input. Snowflake has no mechanism to distinguish between genuine document text extracted from an image and injection text extracted from the same image — it sees only a VARCHAR column value. Inserting the Glyphward scan at the point where images enter the OCR pipeline prevents adversarial payloads from reaching the text extraction step and, consequently, the Cortex function.
3. Cortex Search on image-derived document embeddings in Snowflake. Cortex Search enables semantic search over Snowflake table columns by maintaining a search index backed by LLM embeddings. When organisations build Cortex Search over image-derived content — scanned contract repositories, image-based knowledge base articles, product documentation pages distributed as image PDFs — the search corpus includes embeddings of text extracted from those images. A Cortex Search query against this corpus returns chunks from the most semantically similar documents; if those chunks include adversarially injected text extracted from a manipulated image, the injected content appears in the search result that a Cortex-powered application surfaces to the end user or passes to a downstream COMPLETE() call. In RAG architectures built on Cortex Search (retrieve relevant chunks, pass to COMPLETE for answer generation), adversarial payloads injected via document images propagate through retrieval into generation — the canonical indirect prompt injection pipeline. Cortex Search has no content safety filter on indexed chunks. The Glyphward scan at image ingestion time prevents adversarially crafted document images from contributing payloads to the search index.
4. Snowflake Marketplace data products containing image-derived text records. Snowflake Data Marketplace enables organisations to purchase or subscribe to shared data products from third-party data providers. Some data marketplace products include image-derived text records — scraped e-commerce product descriptions extracted from product image labels, publicly available regulatory document databases extracted from PDF scans, financial data products that include text from annual report images. When an organisation subscribes to such a data product and runs Cortex LLM functions against the shared data, they have no visibility into whether the source images used to produce the text records were adversarially manipulated. A malicious data provider — or a data provider whose source images were compromised before extraction — can include injection payloads in text records that activate when a subscriber's Cortex pipeline processes them. This supply-chain injection vector is unique to data cloud architectures: the adversarial content is in the data product, not in the subscriber's own ingestion pipeline. Scanning shared data records against known injection patterns before running Cortex functions against them, and auditing Cortex function outputs for anomalous instruction-following behaviour, are the correct downstream defences when the image source is not in the subscribing organisation's control.
Integration: pre-Snowflake ingestion scan with Glyphward
import base64
import snowflake.connector
import requests
from pathlib import Path
GLYPHWARD_KEY = "<your-glyphward-api-key>"
GLYPHWARD_THRESHOLD = 65
def scan_and_stage_document(image_path: str, stage_name: str, conn) -> dict:
"""
Scan document image before staging into Snowflake.
Returns scan metadata for audit logging; raises on adversarial detection.
"""
image_bytes = Path(image_path).read_bytes()
encoded = base64.b64encode(image_bytes).decode()
scan_resp = requests.post(
"https://glyphward.com/v1/scan",
headers={"Authorization": f"Bearer {GLYPHWARD_KEY}"},
json={"image": encoded},
timeout=5,
)
scan_resp.raise_for_status()
scan = scan_resp.json()
if scan["score"] >= GLYPHWARD_THRESHOLD:
# Log the rejection to Snowflake audit table before raising
cursor = conn.cursor()
cursor.execute(
"INSERT INTO adversarial_image_log (file_path, score, scan_id, blocked_at) "
"VALUES (%s, %s, %s, CURRENT_TIMESTAMP())",
(image_path, scan["score"], scan["scan_id"])
)
raise ValueError(
f"Adversarial image blocked: {image_path} "
f"score={scan['score']} scan_id={scan['scan_id']}"
)
# Image is clean — PUT to Snowflake stage for Cortex Document AI
cursor = conn.cursor()
cursor.execute(f"PUT file://{image_path} @{stage_name} AUTO_COMPRESS=FALSE")
return {"status": "staged", "file": image_path, "scan_id": scan["scan_id"]}
# Usage: scan each invoice before staging for Cortex Document AI extraction
conn = snowflake.connector.connect(
account="<your-account>",
user="<your-user>",
password="<your-password>",
warehouse="COMPUTE_WH",
database="PROCUREMENT_DB",
schema="INVOICES",
)
for invoice_path in Path("./incoming_invoices").glob("*.jpg"):
try:
result = scan_and_stage_document(str(invoice_path), "@invoice_stage", conn)
print(f"Staged: {result['file']} scan_id={result['scan_id']}")
except ValueError as e:
print(f"BLOCKED: {e}")
For Cortex LLM functions applied to existing text columns derived from images (OCR pipelines that ran before the Glyphward gate was added), run a retroactive injection pattern scan: extract all text column values from the relevant tables, check them against known injection signatures using SNOWFLAKE.CORTEX.CLASSIFY_TEXT() with a custom adversarial-instructions category, and flag rows for manual review. The pre-ingestion Glyphward image scan is the structural fix; the retroactive text scan is remediation for data already in the lake. Get early access
Coverage matrix
| Mitigation layer | Document AI (invoice / form images) | COMPLETE() on OCR-extracted text columns | Cortex Search (image-derived document index) | Marketplace data products (image-derived text) |
|---|---|---|---|---|
| Snowflake column-level security / Dynamic Data Masking | No — access control; does not inspect column values for injection content | No — governs who reads columns; not what the LLM does with them | No — search access policy; not content inspection | No — marketplace access control; does not scan shared data content |
| Snowflake row access policies | No — filters row visibility; does not inspect image content | No | No | No |
| Cortex Document AI built-in extraction | No — extracts text faithfully including injected text; no adversarial content filter | N/A | N/A | N/A |
| Glyphward pre-ingestion image scan (multimodal PI detection) | Yes — blocks adversarial document images before Snowflake stage PUT | Yes — blocks adversarial images in OCR pipeline before text extraction and load | Yes — prevents adversarial payloads from entering Cortex Search index | Partial — scan images before OCR if source images are accessible; text-only marketplace products require output monitoring instead |
Related questions
Can Cortex LLM functions be hijacked by injection text in a VARCHAR column?
Yes. SNOWFLAKE.CORTEX.COMPLETE(prompt, context) concatenates the context parameter into the LLM's input. If the context column value contains injection text — for example, extracted from an adversarial invoice image — the LLM receives that text as part of its input and may follow the injected instructions. The function caller has no visibility into this: the SQL query looks identical whether the context column contains genuine document text or injection-augmented text. The correct defence is blocking at the image source — before OCR and extraction — so adversarial instructions never enter the context column in the first place.
Does Snowflake have a built-in PI detection feature for Cortex functions?
As of mid-2026, Snowflake Cortex does not have a built-in prompt injection detection function. The Cortex function suite includes SUMMARIZE, TRANSLATE, SENTIMENT, EXTRACT_ANSWER, CLASSIFY_TEXT, and COMPLETE — none of these inspect their input for adversarial instruction patterns. Snowflake's trust and compliance documentation addresses infrastructure security, not LLM input sanitisation. For text-level injection detection on existing columns, you can use CLASSIFY_TEXT with a custom label for prompt injection patterns as a post-hoc filter, but this does not address image-layer payloads and requires accurate labelling of injection examples. The structural solution is Glyphward at the image ingestion point.
How does Cortex Document AI handle documents with mixed legitimate and injected content?
Cortex Document AI extracts all text present in the document, legitimate and injected. It does not distinguish between text that belongs to the document's intended content and text that was added adversarially. For a visually clean invoice where the injection text was printed at low contrast (light grey on white), the extraction model may miss low-contrast text, but this is OCR noise tolerance rather than adversarial detection — a differently crafted payload at marginally higher contrast will be extracted faithfully. Documents with steganographic payloads (injection instructions encoded in pixel patterns rather than visible text) will not be extracted by Document AI's text extraction, but they can still affect VLM processing if the document image is used in a multimodal context. The Glyphward scan checks for both typographic and steganographic adversarial patterns before the image reaches Snowflake.
What is the compliance angle for financial organisations using Cortex AI on document images?
Financial organisations using Snowflake Cortex AI for document intelligence — bank statement analysis, invoice processing, contract review — operate under regulatory frameworks (SOX, PCI-DSS, GDPR, DORA in the EU) that require demonstrable controls over AI system inputs. An adversarially crafted financial document that successfully injects instructions into a Cortex LLM function processing workflow could manipulate automated approval decisions, alter extracted financial figures, or trigger unintended API calls — outcomes with direct financial and regulatory consequences. Audit trails for AI processing workflows under SOX require evidence that inputs were validated before processing. The Glyphward scan log (scan ID, score, timestamp per image) provides a structured audit trail proving each document was adversarial-content-checked before Cortex ingestion. See also: Multimodal prompt injection in financial document AI.
Further reading
- Multimodal prompt injection in financial document AI — bank statement analysis, invoice OCR, and payment instruction injection vectors
- OWASP LLM01 Prompt Injection — multimodal dimension — the base attack class behind all Cortex AI document injection risks
- SOC 2 AI security controls — mapping Glyphward scan gates to SOC 2 Trust Services Criteria
- Multimodal AI security checklist — structured review for Snowflake Cortex AI deployments
- Glyphward API free tier — test against your Cortex ingestion pipeline today