Manipulation of the LLM's behavior via crafted inputs (Direct or Indirect).

Impact

• Unauthorized data access
• Malicious code execution in agents

Blindly trusting LLM outputs for downstream processing (e.g., in a browser).

Impact

• Cross-Site Scripting (XSS)
• Remote Code Execution (RCE)

Compromising the integrity of the model's knowledge during training.

Impact

• Reduced model reliability
• Persistent security backdoors

Resource-intensive queries designed to exhaust compute or financial budget.

Impact

• Service outages
• Massive financial billing spikes

Exploiting third-party libraries, model registries, or data vendors.

Impact

• Full infrastructure compromise
• Deployment of backdoored models

Verbatim leakage of PII or proprietary secrets from training data.

Impact

• Exposure of confidential data
• Privacy law violations (GDPR/HIPAA)

Lack of strict validation or authorization for LLM-callable tools.

Impact

• Unauthorized system actions
• Data exfiltration from internal APIs

Granting too much authority to an AI agent without human oversight.

Impact

• Destructive system actions
• Unauthorized privilege escalation

Systems failing due to unverified trust in incorrect LLM outputs.

Impact

• Introduction of logic bugs
• Safety and liability incidents

Unauthorized replication or exfiltration of proprietary model assets.

Impact

• Total loss of Intellectual Property
• Competitive disadvantage

Treat LLM outputs as untrusted user input and apply strict encoding.

Grant tools only the exact permissions needed; avoid 'Admin' tokens.

Use secondary models (e.g., Llama Guard) to filter incoming prompts.

Require manual approval for irreversible actions (payments, deletions).

• Garak (Vulnerability Scanner)
• PyRIT (Red Teaming Toolkit)
• Promptfoo (Testing & Eval)
• OWASP AMASS (Discovery)
• Burp Suite (API testing)