rush to integrate large language models (LLMs) into customer support agents, internal copilots, and code generation helpers, there’s a blind spot emerging: security. While we concentrate on the continual technological advancements and hype around AI, the underlying risks and vulnerabilities often go unaddressed. I see many corporations handling a double standard on the subject of security. OnPrem IT set-ups are subjected to intense scrutiny, but using cloud AI services like Azure OpenAI studio, or Google Gemini are adopted quickly with the clicking of a button.
I understand how easy it’s to only construct a wrapper solution around hosted LLM APIs, but is it really the appropriate alternative for enterprise use cases? In case your AI agent is leaking company secrets to OpenAI or getting hijacked through a cleverly worded prompt, that’s not innovation but a breach waiting to occur. Simply because we’re circuitously confronted with security selections that concern the actual models when leveraging these external API’s, mustn’t mean that we will forget that the businesses behind those models made those selections for us.
In this text I need to explore the hidden risks and make the case for a more security aware path: self-hosted LLMs and appropriate risk mitigation strategies.
LLMs aren’t protected by default
Simply because an LLM sounds very smart with its outputs doesn’t mean that they’re inherently protected to integrate into your systems. A recent study by explored the twin role of LLMs in security [1]. While LLMs open up numerous possibilities and might sometimes even help with security practices, in addition they introduce latest vulnerabilities and avenues for attack. Standard practices still have to evolve to give you the chance to maintain up with the brand new attack surfaces being created by AI powered solutions.
Let’s have a have a look at a few vital security risks that must be handled when working with LLMs.
Data Leakage
Data Leakage happens when sensitive information (like client data or IP) is unintentionally exposed, accessed or misused during model training or inference. With the typical cost of an information breach reaching $5 million in 2025 [2], and 33% of employees commonly sharing sensitive data with AI tools [3], data leakage poses a really real risk that needs to be taken seriously.
Even when those third party LLM corporations are promising to not train in your data, it’s hard to confirm what’s logged, cached, or stored downstream. This leaves corporations with little control over GDPR and HIPAA compliance.
Prompt injection
An attacker doesn’t need root access to your AI systems to do harm. A straightforward chat interface already provides loads of opportunity. Prompt Injection is a technique where a hacker tricks an LLM into providing unintended outputs and even executing unintended commands. OWASP notes prompt injection because the primary security risk for LLMs [4].
An example scenario:
A user employs an LLM to summarize a webpage containing hidden instructions that cause the LLM to leak chat information to an attacker.
The more agency your LLM has the larger the vulnerability for prompt injection attacks [5].
Opaque supply chains
LLMs like GPT-4, Claude, and Gemini are closed-source. Due to this fact you won’t know:
- What data they were trained on
- Once they were last updated
- How vulnerable they’re to zero-day exploits
Using them in production introduces a blind spot in your security.
Slopsquatting
With more LLMs getting used as coding assistants a brand new security threat has emerged: . You may be accustomed to the term where hackers use common typos in code or URLs to create attacks. In slopsquatting, hackers don’t depend on human typos, but on LLM hallucinations.
LLMs are inclined to hallucinate non-existing packages when generating code snippets, and if these snippets are used without proper checks, this provides hackers with an ideal opportunity to contaminate your systems with malware and the likes [6]. Often these hallucinated packages will sound very familiar to real packages, making it harder for a human to select up on the error.
Proper mitigation strategies help
I do know most LLMs seem very smart, but they don’t understand the difference between a standard user interaction and a cleverly disguised attack. Counting on them to self-detect attacks is like asking autocomplete to set your firewall rules. That’s why it’s so vital to have proper processes and tooling in place to mitigate the risks around LLM based systems.
Mitigation strategies for a primary line of defence
There are methods to scale back risk when working with LLMs:
- Input/output sanitization (like filters). Similar to it proved to be vital in front-end development, it shouldn’t be forgotten in AI systems.
- System prompts with strict boundaries. While system prompts will not be a catch-all, they can assist to set an excellent foundation of boundaries
- Usage of AI guardrails frameworks to stop malicious usage and implement your usage policies. Frameworks like Guardrails AI make it straightforward to establish this kind of protection [7].
In the long run these mitigation strategies are only a primary wall of defence. In the event you’re using third party hosted LLMs you’re still sending data outside your secure environment, and also you’re still depending on these LLM corporations to appropriately handle security vulnerabilities.
Self-hosting your LLMs for more control
There are many powerful open-source alternatives you could run locally in your personal environments, on your personal terms. Recent advancements have even resulted in performant language models that may run on modest infrastructure [8]! Considering open-source models will not be nearly cost or customization (which arguably are nice bonusses as well). It’s about control.
Self-hosting gives you:
- Full data ownership, nothing leaves your chosen environment!
- Custom fine-tuning possibilities with private data, which allows for higher performance to your use cases.
- Strict network isolation and runtime sandboxing
- Auditability. You understand what model version you’re using and when it was modified.
Yes, it requires more effort: orchestration (e.g. BentoML, Ray Serve), monitoring, scaling. I’m also not saying that self-hosting is the reply for all the things. Nonetheless, after we’re talking about use cases handling sensitive data, the trade-off is value it.
Treat GenAI systems as a part of your attack surface
In case your chatbot could make decisions, access documents, or call APIs, it’s effectively an unvetted external consultant with access to your systems. So treat it similarly from a security perspective: govern access, monitor rigorously, and don’t outsource sensitive work to them. Keep the vital AI systems in house, in your control.
References
[1] Y. Yoao et al., A survey on large language model (LLM) security and privacy: The Good, The Bad, and The Ugly (2024), ScienceDirect
[2] Y. Mulayam, Data Breach Forecast 2025: Costs & Key Cyber Risks (2025), Certbar
[3] S. Dobrontei and J. Nurse, Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2024–2025 — CybSafe (2025), Cybsafe and the National Cybersecurity Alliance
[4] 2025 Top 10 Risk & Mitigations for LLMs and Gen AI Apps (2025), OWASP
[5] K. Greshake et al., Not what you’ve signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection(2023), Association for Computing Machinery
[6] J. Spracklen et al. We Have a Package for You! A Comprehensive Evaluation of Package Hallucinations by Code Generating LLMs(2025), USENIX 2025
[7] Guardrails AI, GitHub — guardrails-ai/guardrails: Adding guardrails to large language models.
[8] E. Shittu, Google’s Gemma 3 can run on a single TPU or GPU (2025), TechTarget