Defence-in-Depth for LLM Deployments

Secure LLM deployment requires controls at every layer of the stack — not just in the model's system prompt. Here is a layered defence framework applicable to any enterprise LLM deployment.

Layer 1: Input Controls

• ◆Input length limits — Unusually long inputs are a common vector for injection attacks; enforce maximum lengths appropriate to your use case
• ◆Content classification — Run inputs through a classifier that flags injection attempts before they reach your primary model
• ◆Structured input formats — Where possible, accept structured data rather than free text; this dramatically reduces the injection surface
• ◆Source verification — For indirect injection scenarios, validate that documents come from trusted sources before processing

Layer 2: Architectural Controls

• ◆Privilege separation — The LLM should never have direct access to sensitive systems; all actions should go through a permissions-checked intermediary layer
• ◆Minimal permissions — The LLM agent should only have access to what it needs for the specific task; never give an LLM agent admin-level permissions "for convenience"
• ◆Human-in-the-loop for high-risk actions — Any action with real-world consequences (sending emails, executing transactions, modifying data) should require human approval
• ◆Sandboxed execution — Code generated by LLMs should never execute in the same environment as production systems

Layer 3: Output Controls

• ◆Output validation — Check model outputs for patterns that indicate successful injection (unexpected format changes, outputs containing system prompt content)
• ◆Data loss prevention on outputs — Scan outputs for sensitive data patterns (email addresses, financial data, credentials) before they reach users
• ◆Audit logging — Log all inputs and outputs for post-incident analysis; you cannot investigate what you haven't recorded