There is a blind spot in the rush to integrate large language models (LLMs) into customer service agents, internal co-pilots and code generation assistants: Safety. Although we focus on the ongoing technological advancement and hype around AI, the potential risks and vulnerabilities are often not addressed. I see many companies dealing with double standards when it comes to security. Its setup is under scrutiny, but it can quickly adopt Azure Openai Studio (such as Azure Openai Studio) or Google Gemini’s cloud AI service with just a click of a button.
I know how easy it is to build a packaging solution around just the managed LLM API, but is this really the right choice for enterprise use cases? If your AI broker is leaking the company’s secrets or being hijacked with clever wording tips, it’s not innovation, but a violation of the vulnerability waiting to happen. Just because we are not directly facing the security choices related to the actual model when leveraging these external APIs, this does not mean we can forget that the companies behind these models have made these choices for us.
In this article, I want to explore hidden risks and provide reasons for safer awareness pathways: self-hosted LLM and appropriate risk mitigation strategies.
LLMS is not safe by default
Just because LLMs sound smart doesn’t mean they can be integrated safely into your system in nature. Recent research Yoao et al. Exploring the dual role of LLM in security [1]. Although LLMS opens up many possibilities and can sometimes even help security practices, they also introduce new vulnerabilities and attack avenues. Standard practices still need to be developed to be able to keep up with the new attack surface created by AI powered solutions.
Let’s take a look at some of the important security risks that need to be dealt with when working with LLMS.
Data leak
Data leaks occur when sensitive information (such as customer data or IP) is unintentionally exposed, accessed, or abused during model training or inference. The average cost of a data breach reaches $5 million in 2025 [2]and 33% of employees regularly share sensitive data with AI tools [3]Data leakage brings very real risks and should be taken seriously.
Even if those third-party LLM companies promise not to train your data, it is difficult to verify the recorded, cached or stored content. This leaves companies with little control over GDPR and HIPAA compliance.
Prompt injection
An attacker does not need to make fundamental access to your AI system to cause damage. A simple chat interface has provided many opportunities. Prompt injection is a method where hackers trick LLM to provide unexpected output and even execute unexpected commands. Owasp Notes rapid injection as the first safety risk of LLM [4].
An example scenario:
Users use LLM to summarize web pages containing hidden instructions, which can cause LLM to leak chat information to attackers.
The more agencies there are in LLM, the more vulnerability the rapid injection attack will be. [5].
Opacity supply chain
LLMs such as GPT-4, Claude, and Gemini are closed. So you won’t know:
- What data did they accept
- When they last updated
- How fragile are their use of zero-days
Using them in production will introduce your security.
Slopsquatting
As more LLMs are used as coding assistants, new security threats have emerged: Slopsquatting. You may be familiar with the term type Hackers use common typos in code or URLs to create attacks. In slipsquatting, hackers rely on LLM illusions instead of human typos.
LLMS tends to create snippets that don’t exist when generating snippets, and if used without proper checking, this provides a great opportunity for hackers to infect your system with malware and favorite malware. [6]. Often, these hallucinations of packages sound familiar to real software packages, which makes it harder for people to catch mistakes.
Appropriate mitigation strategies can help
I know most LLMs are smart, but they don’t understand the difference between normal user interaction and cleverly disguised attacks. Relying on them to customize attacks is like requiring automatic completion of setting firewall rules. This is why it is so important to develop appropriate processes and tools to mitigate the risks of LLM-based systems.
The first line of defense mitigation strategy
There are several ways to reduce the risk of using LLM:
- Input/output disinfection (e.g. Regex filter). Just as it turns out it is important in front-end development, it should not be forgotten in AI systems.
- System prompts strict boundaries. While system prompts are not all, they can help build a good foundation for boundaries
- Using AI guardrail frame Prevent malicious use and enforce your usage policies. Frame AI like guardrails makes it straightforward to establish such protection [7].
Finally, these mitigation strategies are just the first wall of defense. If you are using a third-party hosted LLM, you are still sending data outside of a secure environment, and you are still relying on these LLM companies to properly handle security vulnerabilities.
Self-host your LLM for more control
There are many powerful open source alternatives that you can run locally in your own environment as you like. Recent advances have even led to performance language models that can run on modest infrastructure [8]And considering that open source models are not only cost or custom (that is also arguably good Bonuss). It’s about control.
Self-management for you:
- Complete data ownershipnothing can leave the environment you choose!
- Custom fine tune The possibility of private data can provide better performance for your use cases.
- Strict network isolation and runtime sandbox
- Auditability. You know what model version you are using and when it will change.
Yes, it takes more energy: orchestration (e.g. Bentoml, Ray services), monitoring, scaling. I’m not saying that self-management is the answer to everything. But when we talk about use cases for dealing with sensitive data, the trade-off is worth it.
Think of the Genai system as part of the attack surface
If your chatbot can make a decision, access files, or call the API, you are actually an uncensored external consultant who can access your system. So, from a security perspective, treat it similarly: manage access, monitor carefully, and don’t outsource sensitive work to them. Save important AI systems within your control.
refer to
[1] Y. Yoao et al.
[2] Y. Mulayam, Data Breach Forecast 2025: Costs and Key Cyber Risks (2025), certbar
[3] S. Dobrontei and J. Nurse, Oh, behavior! Annual Cybersecurity Attitudes and Behavior Report 2024–2025 – Cybsafe (2025), Cybsafe and the National Cybersecurity Alliance
[4] Top 10 Risks and Mitigation for 2025 LLM and AI Gen Apps (2025), OWASP
[5] K. Greshake et al., not what you register: Real-world LLM Integration Applications with Indirect Timely Injection (2023), Computer Society
[6] J. Spracklen et al. We have a package that suits you! Generate LLM through code (2025), USENIX 2025 comprehensive analysis of packaging illusions
[7] Guardrails AI, GitHub – Guardrails-Ai/Guardrails: Add guardrails to large language models.
[8] E. Shittu, Google’s Gemma 3 can run on a single TPU or GPU (2025), TechTarget
