Google's AI Overviews Break Dictionary Search as Prompt Injection Defenses Go Live

Google's AI Overviews are breaking basic dictionary functionality, interpreting command-style search terms like "disregard," "ignore," and "stop" as instructions to the AI system rather than search queries. The breakdown represents an unintended consequence of Google's broader defensive posture against prompt injection attacks, which the company has formalized into a comprehensive layered defense strategy now deployed across its generative AI systems.

The Dictionary Problem

When users search for common English words that double as AI commands, AI Overviews fail to provide the expected dictionary definitions. Instead of returning standard dictionary boxes or Featured Snippets from sources like Merriam-Webster—the previous behavior—the AI system appears to process these terms as instructions rather than content to define.

The affected terms span typical prompt injection vocabulary: words commonly used to manipulate AI systems by embedding commands within seemingly innocuous content. This suggests Google's content classifiers, designed to detect and filter malicious instructions, are triggering false positives on legitimate search queries.

Google's Layered Defense Strategy

The dictionary failures emerge against the backdrop of Google's systematic approach to prompt injection mitigation. The company has published details of a comprehensive layered defense strategy that spans multiple detection and response mechanisms across its generative AI infrastructure.

Google's Gemini now employs content classifiers specifically designed to identify and disregard malicious instructions embedded in user inputs, including emails and other text sources. The system generates what Google terms "safe responses" when it detects potential manipulation attempts, effectively quarantining suspicious content before it can influence model behavior.

The approach addresses both direct prompt injection—where users explicitly attempt to manipulate the AI through crafted inputs—and the more sophisticated indirect prompt injection (IPI) attacks that Google's Threat Intelligence teams are actively monitoring. IPI represents a primary attack vector against AI agents, where malicious instructions are embedded in content the AI processes from external sources rather than direct user input.

Looking at the broader context, this defensive stance reflects lessons learned from early AI deployment at scale. We have seen this pattern before, when web search engines had to develop sophisticated spam detection after initially trusting that web content represented good-faith information sharing. The difference here is that AI systems must defend against adversarial inputs designed specifically to exploit their reasoning capabilities rather than simply ranking irrelevant content lower.

Collateral Damage in Production

The dictionary search breakdown illustrates the challenge of deploying AI safety measures in production systems handling billions of queries. Google's content classifiers appear calibrated for high sensitivity to potential manipulation attempts, creating a trade-off between security and functionality for edge cases involving command-like vocabulary.

This creates practical problems for users seeking legitimate information about words that happen to overlap with prompt injection terminology. The previous system relied on structured data sources and traditional search ranking, which naturally surfaced dictionary definitions without requiring the AI to process the search term as potential input to a generative system.

Legal Action on Data Access

Parallel to its defensive AI deployments, Google is pursuing legal action against SerpApi for what it characterizes as unlawful scraping of its search results. The lawsuit adds another dimension to Google's control over how its search infrastructure is accessed and by whom, particularly as AI systems increasingly rely on web-scale data for training and operation.

The SerpApi action suggests Google is tightening control over programmatic access to its search results, which could affect how other AI systems—including competitors—access Google's indexed web content. This legal positioning coincides with Google's own AI integration efforts, creating potential leverage over how search data flows into competing AI development efforts.

Implementation Trade-offs

The current implementation appears to prioritize security over comprehensive functionality, a defensible choice given the potential risks of undefended prompt injection attacks. However, the dictionary search failures demonstrate how aggressive content filtering can degrade user experience in unexpected ways.

Google's Threat Intelligence teams are actively monitoring IPI attack patterns, suggesting the current defensive posture may evolve as the company gathers more data on actual attack vectors versus false positives. The challenge lies in maintaining robust security without breaking core search functionality that users expect to work reliably.

The broader industry will likely face similar trade-offs as AI systems become more prevalent in consumer-facing applications. The tension between enabling natural language interaction and preventing adversarial manipulation represents a fundamental challenge in deploying large language models at scale.

Worth flagging: the dictionary search issue may indicate that Google's content classifiers are operating at a lower level in the processing pipeline than optimal, potentially scanning search queries before determining user intent rather than applying security measures specifically to generative AI outputs.

As Google refines its layered defense strategy, the company will need to balance security concerns against the core search functionality that forms the foundation of user trust. The current approach suggests prioritizing security in the short term while working to improve the precision of content classification systems over time.