Defending against prompt injection
Prompt injection is the most direct attack on LLM-powered applications. Because there is no strict boundary between instructions and data in an LLM’s context window, you must apply explicit structural and procedural controls to reduce the risk.Use the sandwich defense
Frame user input between two layers of system instructions that reinforce the model’s task and explicitly prohibit command execution from within the input.The inner instruction repeats the task constraint after the user input, making it harder for an injected instruction to override the system prompt. This technique does not eliminate injection risk, but it raises the cost for an attacker.
Deploy input guardrails
Add an intermediate filtering layer before user input reaches the model. This layer should:
- Detect known jailbreak patterns (roleplay framing, instruction-override attempts, encoded payloads).
- Reject or sanitize inputs that match injection signatures.
- Apply length and character-class constraints where the use case allows.
Deploy output guardrails
Apply a second filtering layer to the model’s output before it is passed to any downstream system or displayed to the user. This layer should:
- Scan for PII (personal identifiable information: names, email addresses, phone numbers, SSNs).
- Detect code patterns that could be executed unsafely (
eval,exec,os.system, etc.). - Strip HTML, JavaScript, or SQL fragments if the output is not expected to contain them.
Enforce human-in-the-loop for high-consequence actions
Never allow an LLM to autonomously execute irreversible or high-impact actions. For any action that cannot be undone — deleting records, sending communications, transferring funds, modifying access controls — require explicit human approval before execution.This is especially important for agentic systems (LLMs with tool access), where an indirect prompt injection in external content could instruct the model to take a destructive action on behalf of the user.
Apply least-privilege to LLM agents
Limit the tools and permissions available to any LLM agent to the minimum required for its task. An agent that only needs to read documents should not have write or delete permissions. An agent summarizing emails should not have access to send or forward them.Reducing the blast radius of a confused deputy attack is as important as preventing it.
No single defense eliminates prompt injection. The probabilistic nature of LLMs means that a sufficiently creative attacker can usually find a bypass. Defense-in-depth — combining input filtering, output sanitization, structural prompt design, and human oversight — is the only reliable approach.
Privacy-preserving techniques
LLMs trained on real data memorize it. This creates privacy risks independent of any active attack: a model may reproduce sensitive training data in normal operation. The techniques below address how to reduce the amount of information a model or dataset reveals about any individual.Differential privacy
Differential privacy is a formal mathematical framework that limits how much any single individual’s data can influence a computation’s output. It works by adding carefully calibrated random noise — using mechanisms such as the Laplace or Gaussian mechanism — to the training process or to published statistics. The guarantee: Whether or not any specific individual’s record is included in the training dataset, the model’s outputs change by at most a bounded amount (controlled by the privacy budget, denoted ε). A lower ε means stronger privacy but typically lower model utility. Applied to LLMs: Differentially private training (DP-SGD) limits how much any single training example can shift the model’s weights, reducing the risk of memorization and making membership inference attacks significantly harder. Example: A statistics service wants to publish average income across a region. Instead of releasing the exact figure — which could expose individuals in small groups — it adds noise so the result is accurate for analysis but does not reveal whether any specific person’s salary was included.There is a fundamental trade-off between privacy and utility. Stronger privacy guarantees (lower ε) require more noise, which degrades the accuracy of the model or statistic. The right ε depends on your threat model and the sensitivity of the data. There is no configuration that provides perfect privacy with zero utility loss.
k-Anonymity
k-anonymity is a data anonymization model that ensures each individual in a published dataset is indistinguishable from at least k − 1 other individuals across a set of quasi-identifiers (attributes like age, ZIP code, and gender that do not directly identify a person but can be combined to do so). How it works: Quasi-identifier fields are generalized or suppressed until every combination of those fields appears in at least k records. Example: A hospital publishes patient records for research. Instead of releasing exact ages and ZIP codes, it generalizes to age ranges and truncated ZIP codes, so that any combination of published attributes matches at least 10 patients. An attacker cannot single out one patient from the published data alone. Limitations: k-anonymity does not protect against all re-identification attacks. Extensions such as l-diversity (ensuring sensitive attributes are diverse within each group) and t-closeness (bounding the distribution of sensitive attributes) address some of its weaknesses.Understanding passive and active privacy leakage in LLMs
LLMs leak training data in two distinct modes: Passive leakage occurs without any adversarial intent. A user asks a general question and the model responds with text that resembles private documents, internal code, or personal communications from its training set. This happens because LLMs overfit to frequently repeated content — an API key or internal email address that appeared many times in training data may be reproduced verbatim. A well-documented real-world example: Samsung employees pasted proprietary source code into ChatGPT for debugging assistance. That input became part of the training pipeline, potentially exposing confidential IP to future users. No attacker was required — ordinary use caused the leakage. Active leakage involves deliberate exploitation:- Membership inference attacks: An attacker queries the model with a specific data point and observes the model’s confidence score. Models tend to be more confident on data they have seen during training (a symptom of overfitting), allowing an attacker to determine whether a specific individual’s record was in the training set.
- Attribute inference attacks: Even when a sensitive attribute was not used as an explicit model input, an attacker who knows partial information about a user (age, location, habits) can use the model’s outputs to infer that hidden attribute — for example, inferring a medical condition from predictions that correlate with it.
- Model inversion: Crafting queries designed to force the model to reconstruct and reproduce specific training records, extracting PII such as email addresses, SSNs, or API keys seen during training.
Mitigations for passive leakage
- Data filtering before training: Remove PII, credentials, and proprietary content from training datasets before they are used. Data not trained on cannot be reproduced.
- Differential privacy during training: DP-SGD limits memorization by bounding the influence of any single training example on the model’s weights.
- Audit and red-team your models: Before deployment, probe the model with known sensitive strings from the training data to test whether it reproduces them.
- Output scanning: Apply PII detection to model outputs before they are returned to users, catching passive leakage at the point of exposure.
- Data minimization: Do not train on data you do not need. Do not send sensitive information to third-party LLM APIs unless you have a clear understanding of how that data is handled and whether it enters the provider’s training pipeline.