LLM Security

LLM security is the specialized discipline of protecting applications built on large language models from a unique class of threats that did not exist in traditional software security. As organizations deploy AI chatbots, autonomous agents, and LLM-powered workflows at scale, understanding and addressing LLM-specific vulnerabilities becomes a critical operational requirement.

Why LLMs Require a New Security Approach

Traditional application security assumes a clear boundary between code (instructions) and data (user input). Input validation, parameterized queries, and output encoding work by enforcing this boundary structurally.

Large language models collapse this boundary. They process everything — developer instructions, user messages, retrieved documents, tool outputs — as a unified stream of natural language tokens. The model cannot reliably distinguish a system prompt from a malicious user input designed to look like one. This fundamental property creates attack surfaces with no equivalent in traditional software.

Additionally, LLMs are capable, tool-using agents. A vulnerable chatbot is not just a content risk — it can be an attack vector for exfiltrating data, executing unauthorized API calls, and manipulating connected systems.

The OWASP LLM Top 10

The Open Worldwide Application Security Project (OWASP) publishes the LLM Top 10 — the industry-standard reference for critical LLM security risks:

LLM01 — Prompt Injection: Malicious inputs or retrieved content override LLM instructions. See Prompt Injection .

LLM02 — Insecure Output Handling: LLM-generated content is used in downstream systems (web rendering, code execution, SQL queries) without validation, enabling XSS, SQL injection, and other secondary attacks.

LLM03 — Training Data Poisoning: Malicious data injected into training datasets causes model behavior degradation or introduces backdoors.

LLM04 — Model Denial of Service: Computationally expensive inputs cause excessive resource consumption, degrading service availability.

LLM05 — Supply Chain Vulnerabilities: Compromised pre-trained models, plugins, or training data introduce vulnerabilities before deployment.

LLM06 — Sensitive Information Disclosure: LLMs reveal confidential data from training data, system prompts, or retrieved documents. See Data Exfiltration (AI Context) .

LLM07 — Insecure Plugin Design: Plugins or tools connected to LLMs lack proper authorization, enabling escalation attacks.

LLM08 — Excessive Agency: LLMs granted excessive permissions or capabilities can cause significant harm when manipulated.

LLM09 — Overreliance: Organizations fail to critically evaluate LLM outputs, enabling errors or fabricated information to affect decisions.

LLM10 — Model Theft: Unauthorized access or replication of proprietary LLM weights or capabilities.

Ready to grow your business?

Start your free trial today and see results within days.

Request demo Log in

Core LLM Security Controls

Privilege Separation and Least Authority

The most impactful single control: limit what your LLM can access and do. A customer service chatbot does not need access to the HR database, payment processing systems, or admin APIs. Applying least-privilege principles dramatically limits the blast radius of a successful attack.

System Prompt Security

System prompts define chatbot behavior and often contain business-sensitive instructions. Security considerations include:

• Do not include secrets, API keys, or credentials in system prompts
• Design prompts to be resistant to override attempts
• Explicitly instruct the model not to reveal prompt contents
• Test prompt confidentiality as part of regular security assessments (see System Prompt Extraction )

Input and Output Validation

While no filter is foolproof, validating inputs reduces attack surface:

• Flag and block common injection patterns and instruction-like phrasing in user inputs
• Validate model outputs before passing them to downstream systems
• Use structured output formats (JSON schemas) to constrain model responses

RAG Pipeline Security

Retrieval-augmented generation introduces new attack surfaces. Secure RAG deployments require:

• Strict controls on who can add content to indexed knowledge bases
• Content validation before indexing
• Treating all retrieved content as potentially untrusted
• Monitoring for RAG poisoning attempts

Runtime Guardrails

Layered runtime guardrails provide defense-in-depth beyond model-level alignment:

• Content moderation filters on both inputs and outputs
• Behavioral anomaly detection
• Rate limiting and abuse prevention
• Audit logging for forensic analysis

Regular Security Testing

LLM attack techniques evolve rapidly. AI penetration testing and AI red teaming should be conducted regularly — at minimum before major changes and annually as baseline assessments.

Related Terms

• Prompt Injection — the most critical LLM vulnerability
• OWASP LLM Top 10 — the comprehensive LLM security risk framework
• AI Red Teaming — systematic adversarial security testing
• RAG Poisoning — knowledge base contamination attacks
• AI Penetration Testing — structured security assessments for AI systems