AI applications expand the attack surface: models follow instructions, fetch data, and call tools. In 2025, the biggest failures still come from prompt injection, unsafe tool execution, and leaky data flows—not from exotic model hacks.
Threats to plan for
Prompt injection and indirect prompt injection attempt to override instructions via user input or external content. Data exfiltration happens when the model is coaxed into revealing secrets. Supply‑chain risks arise from third‑party models, plugins, and datasets. And tool misuse can turn a helpful agent into a dangerous one.
Defensive foundations
Layer controls: sanitize inputs, strip or neutralize markup, and validate URLs against allowlists. Constrain tools with least privilege, explicit capability prompts, and sandboxing. Add output filters for secrets, PII, and unsafe actions, and require human approval for high‑impact steps.
Secure retrieval and plugins
When fetching external content, render to text with a safe parser and block scripts. For RAG, store only necessary metadata and redact sensitive fields at ingestion. For plugins, pin versions, sign requests, and log every call with arguments and results.
Observe, test, and drill
Centralize logs with correlation IDs across prompts, tools, and users. Run red‑team scenarios for injections and jailbreaks. Practice incident response: rotate keys, revoke tokens, invalidate caches, and redeploy policies quickly.
Security isn’t a one‑time checklist. Treat it as a continuous practice embedded in your delivery process.