AI-native security: why current guardrails are obsolete

The adoption problem

ChatGPT reached one million users in five days after launch and 100 million within two months. TikTok took nine months to reach similar numbers; Instagram took over two years. Organizations are integrating LLMs faster than they can secure them.

These models differ from earlier narrow AI tools built for isolated tasks. LLMs are generative and stochastic, meaning they produce variable outputs based on probabilistic processes. Traditional perimeter security assumes a clear boundary between trusted and untrusted data. That boundary does not exist when the model itself processes and generates content dynamically.

Security cannot be retrofitted

Legacy software security works as a wrapper: encryption for data at rest, TLS for data in transit. LLMs have hierarchical representations distributed across billions of parameters. Adding security controls after training does not address vulnerabilities encoded in the weights.

This requires building protection into every stage: data curation, training, fine-tuning, and deployment. We cannot fully explain how these models reach specific outputs, which makes post-hoc security auditing ineffective. Protection must be integrated into the MLSecOps pipeline during development.

Prompt injection differs from SQL injection

OWASP designates prompt injection as LLM01 in their threat taxonomy. The comparison to SQL injection is structurally misleading. SQL injection exploits the boundary between code and data. In an LLM, instructions and data occupy the same input space.

A “DAN” (Do Anything Now) exploit uses natural language to override the model’s instruction set. The mechanism that enables the model to follow complex context is the same mechanism that allows adversarial inputs to bypass safety protocols. A single sentence can cause the model to ignore its training constraints.

Training data poisoning at 0.1% threshold

OWASP LLM03 covers training data poisoning. Studies have demonstrated that injecting 0.1% poisoned samples into a training set can produce targeted biased outputs in the final model.

“Clean label” attacks use correctly labeled data that appears valid to human reviewers. The samples contain mathematically optimized perturbations that alter model behavior during training. Standard data-cleaning procedures do not detect these samples because they are statistically indistinguishable from legitimate data. Attackers can use this method to install persistent backdoors in model weights.

Trust boundary failures

In 2023, Samsung employees uploaded proprietary source code to ChatGPT for debugging assistance. The code left Samsung’s internal environment and entered OpenAI’s systems. This incident exposed the gap between organizational data policies and technical enforcement.

Three approaches address this gap:

Data minimization: Strip proprietary code and personally identifiable information before data enters the prompt window.

k-anonymity in RAG systems: Ensure any retrieved data point is indistinguishable from at least k-1 other records. This prevents the model from memorizing and later exposing specific identifiable records.

Secure enclaves: Process sensitive data in trusted execution environments where the provider cannot access or store inputs for training.

Bias as a security failure

Model opacity makes bias a technical problem. Deep learning systems inherit statistical patterns from training data, including historical discrimination.

A healthcare chatbot trained on biased medical records might recommend different interventions for identical symptoms based on patient demographics. If a model recommends emergency care for chest pain in one demographic group while minimizing identical symptoms in another, that output variance represents a reliability failure. The model’s internal representations encode historical inequities, making outputs unpredictable for underrepresented groups.

Agentic systems and cascading failures

Models that take autonomous actions like booking appointments, sending emails or executing code, introduce new failure modes. A successful prompt injection in an agentic system could propagate across connected services. One compromised instruction could trigger actions across email, financial accounts, and other integrated systems.

Surface-level input filtering does not address vulnerabilities embedded in model architecture. Security requires treatment as a design constraint throughout the system lifecycle.