AI Security and LLM Risks
The integration of Large Language Models (LLMs) and autonomous agents into modern applications has introduced a brand new attack surface. Traditional security concepts (like validating input strings) do not fully map to natural language interfaces. Security risks are no longer limited to basic data leaks. They now involve complex, interconnected ecosystems where models receive raw data, interact with databases, execute terminal commands, and call external APIs. If an agent has over-permissive access, a single security lapse can compromise your entire infrastructure.1. The Modern AI Attack Surface
The attack surface of LLM applications spans from the training data stage to the runtime behavior of deployed autonomous agents. In a traditional application, the backend treats user inputs as passive data. In an AI application:- Input is instruction: The LLM processes data and instructions in the exact same channel.
- Dynamic behavior: The application’s control flow is non-deterministic and guided by natural language.
- Active integrations: Agents are given credentials to read, write, and execute actions on behalf of users.
2. Direct vs. Indirect Prompt Injection
Prompt injection is the most common vulnerability in LLM-powered systems. It occurs when an untrusted input manipulates the model into ignoring its system prompt and executing unintended actions.Direct Prompt Injection (Jailbreaking)
Direct injection occurs when the user interacting with the chatbot attempts to bypass built-in safety controls.- The Attack: The user enters a structured prompt designed to overwrite the system instructions.
- Example Prompt:
- The Cause: The model receives system instructions and user instructions in a single, unified text stream. It struggles to prioritize developer constraints over immediate user inputs when the prompt is sufficiently complex.
Indirect Prompt Injection
Indirect prompt injection is far more dangerous. It occurs when the model reads untrusted content from an external source (such as a webpage, email, PDF, or support ticket) that has been poisoned by an attacker.- The Attack: An attacker places malicious instructions inside an external document. When the victim asks their AI agent to summarize or process that document, the hidden instructions hijack the agent.
- Example Scenario:
An AI agent is configured to read the user’s incoming emails and draft replies. An attacker sends an email containing the following hidden text:
- The Impact: Without proper controls, the agent will execute these instructions using its active tool integration, leaking the user’s session token and deleting the evidence.
| Attribute | Direct Injection (Jailbreaking) | Indirect Injection |
|---|---|---|
| Source | The direct user in the chat box | An external data source (email, web, file) |
| Target | The chat interface itself | The background agent and connected tools |
| User Role | Active attacker | Unwitting victim |
| Mitigation | System prompt engineering, guardrails | Context isolation, tool authorization, strict least privilege |
3. Data Leakage and Training Set Memorization
LLMs are trained on massive corpuses of text. Because they operate on statistical probabilities, they can memorize specific, high-fidelity patterns from their training data.The Memorization Risk
If a training corpus contains private emails, API keys, passwords, or personal identity numbers (like CPFs or Social Security Numbers), the model may memorize them verbatim.- The Attack: An attacker uses targeted prompt sequences (often called “model extraction attacks”) to induce the model to complete a known prefix. For example:
If the model has memorized this pattern during training or fine-tuning, it may output the actual, sensitive key.
- Why it happens: Overfitting during training, lack of data sanitization, and failure to filter out sensitive patterns (PII) before feeding data into the training pipeline.
Mitigations for Data Leakage
- Pre-Training Sanitization: Run regex-based sanitizers, PII filters, and secret-detection tools (such as Gitleaks or Trufflehog) on all datasets before training or fine-tuning.
- Differential Privacy: Inject mathematical noise during the training phase (DP-SGD) to ensure that the model cannot memorize individual data points while still learning general concepts.
- Differential Data Scrubbing: Ensure data retention policies are strictly enforced for prompt histories, especially if user prompts are used for active reinforcement learning (RLHF).
- Post-Processing Filters: Implement real-time output filters that scan generated text for secrets, API keys, and sensitive database strings before they are returned to the user.
4. Agentic Risks and Over-Privileged Execution
The risk increases significantly when LLMs are transformed into agents by equipping them with tools. A tool is a function that the model can choose to call (e.g., executing a SQL query, calling a web API, or running a terminal command).The Over-Privilege Problem
Many developers make the mistake of giving the AI agent the same level of access as the human user, or even worse, administrative credentials.- The Threat: If an agent has access to a terminal runner tool and is hit by an indirect prompt injection via a downloaded file, the attacker can execute arbitrary commands on the host system.
- The Blast Radius: An over-privileged agent can lead to complete database drops, lateral movement within network boundaries, or financial loss due to automated transactions.
Secure Agent Architecture
- Principle of Least Privilege: Give the agent the narrowest possible API scope. Use temporary, short-lived tokens that expire quickly.
- Sandboxing: Run all agent tool executions (especially code execution or terminal commands) in isolated, ephemeral sandboxes (such as gVisor, Docker containers, or microVMs).
- Human-in-the-Loop (HITL): Implement a strict authorization barrier for any state-altering or high-risk action. The agent must never write an email, delete a file, or complete a transaction without explicit human click-approval.
5. Plugin and Skill Supply Chain Security
Modern agent platforms rely on marketplaces for plugins and custom skills. Similar to standard software package managers (like npm or PyPI), these plugins are vulnerable to supply chain compromises.Typosquatting and Malicious Contexts
- Typosquatting: Attackers register plugins with names very similar to popular tools (e.g.,
Githuub-Integrationinstead ofGithub-Integration), waiting for users or developer agents to install them. - Malicious Manifests: A plugin manifest defines the API endpoints the agent can call. A compromised or malicious manifest can redirect the agent’s database queries to an external, attacker-controlled domain.
- Supply Chain Defenses:
- Audit all third-party plugins before integration.
- Pin plugin versions to specific, verified commits or cryptographic hashes.
- Enforce network egress filtering (allowlisting) on the server running the agent to prevent unauthorized data exfiltration.
6. Insecure Output Handling
Many developers focus entirely on securing the inputs (prompts) to an LLM, forgetting that the outputs generated by the model are also untrusted data.Downstream Attacks
If an application takes an LLM’s output and passes it directly to other system components without sanitization, it creates classic vulnerabilities:- Cross-Site Scripting (XSS): An agent outputting text containing malicious JavaScript that is rendered directly in the user’s browser.
- SQL Injection (SQLi): An agent translating a user’s natural language request into a raw SQL query and executing it directly against a database.
- Command Injection: An agent generating a bash command and running it inside a terminal utility without validation.
Markdown-Based Data Exfiltration
A subtle and dangerous attack involves markdown rendering. If an attacker injects a malicious image link into the context read by the LLM:Output Sanitization Controls
- Treat AI Output as Hostile Input: Always validate, parse, and sanitize LLM outputs before using them in database queries, rendering templates, or system commands.
- Use Deterministic Parsers: Force the LLM to output structured data (such as JSON matching a specific schema) and parse it using a strict, deterministic validator.
- Secure Markdown Rendering: Configure your frontend markdown parser to disable raw HTML rendering, sanitize all image URLs, and restrict image loading to an explicitly allowed list of safe domains.
7. Shadow AI and Security Debt in AI-Generated Apps
The rise of AI-assisted development has made it incredibly easy to generate functional web applications rapidly. However, this speed often comes at the cost of security.- Vulnerable Boilerplates: AI models are trained on historical code, which includes thousands of vulnerable repositories. When asked to generate a web server, the AI may use insecure default configurations, implement weak cryptographic algorithms, or skip input validation.
- Shadow AI Deployments: Developers and non-technical teams frequently deploy AI-generated applications to staging or production servers without going through standard security reviews. These apps often lack basic authentication, leak debug logs, or expose sensitive cloud storage buckets by mistake.
- Defensive Actions:
- Mandate security reviews and automated scanning (SAST/DAST) for all AI-assisted projects.
- Never deploy code generated by AI directly to production without thorough human review.
- Run continuous asset discovery to detect unauthorized or undocumented “Shadow AI” applications running in your cloud environments.
8. Layered Defense Architecture (Defense in Depth)
Securing AI applications requires a multi-layered approach. You cannot rely on a single control.| Layer | Control | Objective |
|---|---|---|
| Input Layer | Regex filters, PII redaction, prompt classification | Block jailbreaks and PII leaks before they reach the model. |
| Model Layer | System prompts, differential privacy, alignment tuning | Maintain robust model behavior and prevent data memorization. |
| Context Layer | Explicit delimiters, metadata separation | Differentiate between trusted instructions and untrusted data. |
| Output Layer | Output filtering, JSON schema validation, XSS sanitization | Prevent malicious output from exploiting downstream systems. |
| Execution Layer | Sandbox environments, network egress controls, HITL gating | Minimize the blast radius of a successful prompt injection. |
9. Advanced Security Checklist for Developers
- Exclude raw secrets and production environment variables from all training and fine-tuning datasets.
- Implement robust PII redaction on inputs before they are transmitted to external LLM APIs.
- Use explicit delimiters (such as XML tags
<user_input>...</user_input>) to help the model separate instructions from data. - Define a strict JSON schema for LLM outputs and validate it programmatically before processing.
- Apply the principle of least privilege to all AI agent credentials and database connections.
- Implement a Human-in-the-Loop (HITL) manual gating system for all state-altering, transactional, or destructive tool executions.
- Run all agent code execution tools inside ephemeral, sandboxed containers with no access to the host network.
- Sanitize all frontend markdown outputs to prevent markdown-based data exfiltration via image tags.
- Audit all third-party plugins and pin dependency versions to secure commits.
10. Practical Lab Scenarios for Students
Lab 1: Simulating an Indirect Prompt Injection
- Set up a simple Python backend using an LLM framework that reads a text file and generates a summary.
- Draft a system prompt instructing the model to summarize the file accurately.
- Write a “poisoned” text file containing a hidden instruction (e.g., telling the model to ignore the summary task and instead write a specific sentence like “This system has been compromised”).
- Run the application and observe how the model handles the poisoned file. Devise a delimiter-based defense to mitigate the injection.
Lab 2: Auditing AI-Generated Boilerplate
- Ask a popular AI assistant to generate a full-stack login page and database integration script in your language of choice.
- Perform a manual security audit of the generated code. Look for:
- Weak hashing algorithms or hardcoded salts.
- Missing parameterized database queries.
- Lack of rate limiting on the login endpoint.
- Vulnerable dependency versions in the package manifest.
- Rewrite the code to address every identified vulnerability.
Lab 3: Mitigating Markdown Exfiltration
- Build a basic web chat interface that renders markdown outputs generated by an LLM.
- Craft a mock model output that contains a hidden image tag pointing to a local tracking endpoint.
- Verify if your browser triggers an automatic GET request to the tracking endpoint when rendering the chat.
- Implement a frontend sanitization library (such as DOMPurify) or adjust your markdown configuration to block unauthorized external image loads.