The Galileu case opens a new challenge: when a legal document becomes an input for artificial intelligence

Uncategorized/Uncategorized
16 July 2026

For decades, a legal document has had a precise function: to be read by people. Judges, lawyers, technical consultants, and court clerks interpret its contents, weigh its arguments, and reconstruct its evidentiary value. Information systems have limited themselves, until now, to storing, transmitting, and archiving it.

The case that gave rise to this reflection comes from Brazil, from a labor proceeding in which two lawyers had inserted, within a document, a phrase invisible to the distracted eye but perfectly readable by an automated system, which explicitly asked the artificial intelligence to contest the petition superficially without challenging the documents. The judge did not take weeks to notice: he identified the text with IT tools during the normal analysis of the case file, sanctioning both lawyers and transmitting the documents to the competent professional association for disciplinary profiles.

The most interesting fact, however, is not the sanction itself. It is that the court did not have to prove that the AI had actually been influenced or that the attempt had produced concrete consequences: it was enough that the filing of a document with hidden instructions violated the principles of procedural fairness and good faith. The deception does not need to work. It is enough that it was written and filed.

It may seem like a subtle difference. In reality, it is a paradigm shift.

A document that is no longer just read

More and more organizations are adopting AI tools to analyze large volumes of documents, and the legal sector is no exception. Platforms already exist that can summarize case files, identify regulatory references, compare judgments, search for precedents, and support document management.

In these contexts, the document ceases to be a simple text to consult: it becomes the raw material on which the system builds its processing. And here the Brazilian case introduces an element that changes the perspective: a language model does not inherently distinguish between content to analyze and an instruction to execute; everything that ends up in its context is processed as a potential command.

When content becomes command: what is prompt injection

In cybersecurity language, there is a specific term for this phenomenon: prompt injection. It is the technique that consists of hiding, within content that an AI system is meant to read, an instruction disguised as normal text, with the goal of making it execute an action different from the one it was assigned.

There is an important distinction between two variants: the direct one, in which the user themselves tries to manipulate the system, and the indirect one, in which the command is hidden in a third-party document that the AI is authorized to read. The Brazilian case belongs precisely to this second category: the legal document, a text that no one would expect capable of “speaking” to a machine, became the vehicle of the attack.

A technical aspect makes the phenomenon even more insidious. Recent research from MIT (presented at ICML 2026) showed that language models tend to infer the authority of a text from its style, rather than from the technical markers that in the architecture separate system, user, and tools; and if a text sounds like the authoritative reasoning of the model itself, it tends to be treated as such even when it comes from an unreliable source. In the study, by simulating false internal reasoning within a user channel, the researchers achieved an attack success rate of 60% on the most advanced models, compared to a rate close to zero for direct and crude manipulation attempts. It is not the logic of the text that deceives the system: it is the tone in which it is written.

The text does not even need to be readable

The most sophisticated level of the phenomenon concerns actual technical concealment. A command can be made invisible to a human reader using zero-width Unicode characters or bidirectional control characters (the same techniques described by the so-called Trojan Source attacks identified by the University of Cambridge in 2021) while still remaining perfectly executable by a system that processes text character by character. A document can therefore appear harmless to the eyes of a judge and still contain an operational instruction for any algorithm that processes it.

Trust in documents requires one more requirement

The digitalization of justice has so far focused attention on authenticity, electronic signature, file integrity, and data protection. Essential elements, but no longer sufficient on their own.

With the entry of AI, an additional requirement is added: being able to rely not only on the origin of the document, but also on the way it will be interpreted by automated systems. There is a detail of the Brazilian case that deserves particular attention: the hidden command was written to potentially target both the opposing party’s AI systems and those possibly already in use by the judicial apparatus itself. Whoever wrote it, in other words, took for granted that artificial intelligence had already entered the workflows of courts, not just those of law firms.

An impact that involves the entire chain

Judges will need reliable tools, designed to clearly separate the content of a document from the instructions that govern its automated processing.

Lawyers will find themselves confronting a new dimension in drafting documents: the judge will remain the final recipient, but it is increasingly likely that the document will also be preliminarily processed by automated systems used for research, classification, or synthesis.

Public Administration will also have to deal with this change, as AI enters document processes and citizen services. Security will no longer be able to limit itself to protecting infrastructure and databases, but will have to extend to the content that feeds these systems.

For technical consultants, an entirely new area opens up: evaluating a document could mean, in the future, examining not only its legal validity, but also its possible impact on the automated processes that process it.

International organizations such as OWASP and NIST are already devoting increasing attention to the risks arising from the interaction between documents and artificial intelligence models. The underlying principle is clear: no received content can be considered harmless simply because it presents itself as a normal document.

Legal-tech platforms of the future will need to integrate mechanisms capable of analyzing inputs securely, separating documentary content from the instructions that govern AI operation and reducing the risk that information constructed ad hoc can alter processing results. Not an invitation to distrust documents, but the recognition that their role has changed.

A reflection that goes beyond the single case

The value of the Galileu case is not exhausted in the judicial matter that brought it to the attention of legal professionals. Its most significant contribution lies in having highlighted a phenomenon destined to repeat itself more and more often: documents have ceased to be simple containers of information and have become elements that interact with intelligent systems.

For years, cybersecurity has focused on networks, servers, and applications. Today a new dimension is added: that of document security in the age of artificial intelligence. Understanding this evolution means preparing for an increasingly digital justice without renouncing a fundamental principle: trust in documents must remain guaranteed, even when the first reader is no longer a person, but an algorithm.

However, one element remains that no platform, however sophisticated, can ever replace: the ability of people to recognize a risk even before it becomes an incident.
Because if it is true that systems learn from the documents they analyze, it is equally true that organizations learn from the skills of those who handle those documents every day. Investing in the awareness of those who work with sensitive data remains, today more than ever, the first security safeguard… the one that no algorithm can replicate alone!

Related Articles

No Results Found

The page you requested could not be found. Try refining your search, or use the navigation above to locate the post.

News

We’re proud to share that Cyber Guru has ranked #73 in TIME magazine’s 2025 list of the World’s Top EdTech Companies, created in collaboration with global market research firm Statista.

AWARENESS TRAINING

  • Awareness

    Continuous training to build knowledge and awareness

  • Channel

    An engaging training experience in TV series format

  • Chatbot NEW

    Conversational mode for workplace training

COMPLIANCE TRAINING

PHISHING TRAINING

  • Phishing

    Personalized adaptive training

  • PhishPro

    The add-on for advanced training

REAL TIME AWARENESS

Cyber Advisor NEW

GenAI cybersecurity assistant Discover Guru, the AI assistant specialized in cybersecurity!

FEATURED RESOURCE

Ebook

Cyber Guru Academy Content Creators

Content that makes a difference Conceiving, designing, and producing training content that generates interest, engagement, and motivation to learn is a daily challenge for Cyber Guru's Academy department. Because it is now clear that training people to defend themselves against cybercrime requires more than just an attractive platform and a multitude of content.