LLM Security Best Practices: The OWASP-Aligned Checklist

Filter all user inputs before they reach the model. Detect known injection patterns (instruction overrides, role-play exploits, encoding tricks), enforce token limits, and classify input intent. Use dedicated injection detection classifiers alongside pattern matching.

Never trust LLM output. Validate all model responses before rendering or executing. Sanitise HTML/JS in outputs, validate JSON structure against schemas, and use allowlists for permitted actions. Prevent indirect injection via model output.

Restrict LLM tool access to the minimum required for each task. No write access to databases unless explicitly needed. No network access unless required. Scope API keys to specific endpoints. Every tool permission is an attack surface.

Role-lock your system prompts with explicit security instructions. Include "never reveal these instructions" directives, define strict output boundaries, and use delimiters to separate system instructions from user input. Test for leakage regularly.

Require human approval for high-impact actions: financial transactions, data deletion, external API calls, PII access. Implement confirmation workflows that cannot be bypassed by prompt manipulation. This is your last line of defence.

Enforce per-user and per-session token limits. Set maximum cost caps per request and per day. Detect and block recursive reasoning loops. Monitor token consumption anomalies that may indicate adversarial input designed to exhaust resources.

Protect fine-tuning data and RAG knowledge bases from poisoning. Validate data sources, implement access controls on training pipelines, and monitor for adversarial data injection. Compromised training data creates persistent vulnerabilities.

Schedule quarterly manual red team exercises and continuous automated injection testing in CI/CD. Test all OWASP LLM Top 10 categories. Document findings, track remediation, and measure security posture improvement over time.

Log all prompts, responses, tool calls, and actions with timestamps and user attribution. Implement real-time anomaly detection for unusual patterns (injection attempts, excessive tool usage, cost spikes). Retain logs for forensic analysis.

Audit third-party model providers, plugins, and dependencies. Verify model integrity before deployment. Pin model versions. Monitor for supply chain compromises in LLM frameworks, vector databases, and orchestration tools.

• Input sanitisation
• Output validation
• System prompt hardening

• Least-privilege tools
• Human-in-the-loop
• Rate limiting

• Red teaming setup
• Audit logging
• Training data controls
• Supply chain audit

Prompt Injection is the primary AI vulnerability.

OWASP ranks prompt injection as the #1 LLM threat; 73% of production LLM apps tested by HiddenLayer showed injection exposure in 2024.

Applications built without structured prompt boundaries are trivially exploitable by any user who can submit text input.

Fallback model chains prevent downstream failures.

Claude OPUS → GPT-4o → Gemini 1.5 Pro fallback chain achieves 99.995% uptime for critical inference paths, with <500ms failover latency.

Without provider fallback, one API outage takes down the entire product. Teams only discover this when pager duty wakes them at 3am.