Vault Agentics

Zero Trust for LLM Applications: Beyond the Prompt Firewall

Prompt injection is real, but it is not the threat model that will hurt you most. Here is what a defensible LLM application architecture actually looks like.

By Hani Braish

Every vendor wants to sell you a prompt firewall. Very few want to talk about identity, data lineage, or blast radius.

The real threat model

The biggest risk in most LLM apps is not jailbreaks; it is over-permissioned tool use. A model that holds read access to a customer database and write access to email is a confused deputy waiting to happen: whoever steers its output, whether through injected content or a crafted request, inherits every permission the model's service account holds, not just the permissions of the user who asked the question.

Four invariants worth enforcing

  • Identity propagation. Every tool call carries the calling user's identity, not the service account's, and the tool authorizes against that user. A row the user could not read through the normal UI must not become readable because a model asked for it.
  • Least-privilege tools. Tools should expose verbs scoped to a single resource with typed arguments, never raw SQL, shell, or a generic HTTP client.
  • Output validation. Treat model output as untrusted user input on the way to any downstream system: parse it, check it against the tool's schema, and reject anything that does not fit rather than trying to clean it up.
  • Audit by default. Every prompt, tool call, and tool result is logged with the originating user identity, including the calls that were denied, since those are the ones an investigation will need.
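The following is an added example, not code from the original post or from Vault Agentics, showing one way to enforce the four invariants in a single tool dispatcher and how it stops the confused-deputy scenario from the previous section. The `Principal`, `TOOLS` registry, sample customer records, and the scope names `customers:read` and `email:send` are all hypothetical constructions for the illustration; the model output strings are constructed too.

```python
import json
import re
from dataclasses import dataclass
from typing import Any

@dataclass(frozen=True)
class Principal:
    """The end user the model acts for; never the service account (assumed shape)."""
    user_id: str
    scopes: frozenset[str]

# Constructed sample data standing in for a real customer database and mail gateway.
CUSTOMERS = {
    "c-100": {"owner": "alice", "email": "alice@example.com"},
    "c-200": {"owner": "bob", "email": "bob@example.com"},
}
OUTBOX: list[dict[str, str]] = []
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def get_customer_email(p: Principal, customer_id: str) -> str:
    """One verb, one resource. The row-level check is made against the user, not the service."""
    row = CUSTOMERS.get(customer_id)
    if row is None or row["owner"] != p.user_id:
        raise PermissionError(f"{p.user_id} may not read {customer_id}")
    return row["email"]

def send_email(p: Principal, to: str, body: str) -> str:
    """Model-supplied arguments are untrusted: validate before they reach the gateway."""
    if not EMAIL_RE.match(to) or len(body) > 2000:
        raise ValueError("rejected email arguments")
    OUTBOX.append({"from": p.user_id, "to": to, "body": body})
    return "queued"

# Hypothetical registry: each tool has a required scope and a typed argument schema.
TOOLS: dict[str, dict[str, Any]] = {
    "get_customer_email": {"fn": get_customer_email, "scope": "customers:read",
                           "args": {"customer_id": str}},
    "send_email": {"fn": send_email, "scope": "email:send",
                   "args": {"to": str, "body": str}},
}

def validate_call(raw: str) -> tuple[str, dict[str, Any]]:
    """Parse model output as untrusted JSON and check it against the tool's schema exactly."""
    call = json.loads(raw)                      # JSONDecodeError is a ValueError
    name = call.get("tool")
    spec = TOOLS.get(name)
    if spec is None:
        raise ValueError(f"unknown tool {name!r}")
    args = call.get("args", {})
    if not isinstance(args, dict) or set(args) != set(spec["args"]):
        raise ValueError("argument set does not match schema")
    for key, typ in spec["args"].items():
        if not isinstance(args[key], typ):
            raise ValueError(f"argument {key} has wrong type")
    return name, args

def dispatch(p: Principal, raw_model_output: str, audit: list[dict]) -> dict:
    """Run one model-emitted tool call on behalf of p; every outcome lands in the audit list."""
    entry: dict[str, Any] = {"user": p.user_id, "raw": raw_model_output}
    try:
        name, args = validate_call(raw_model_output)
        entry["tool"] = name
        spec = TOOLS[name]
        if spec["scope"] not in p.scopes:       # user scope, not service-account scope
            raise PermissionError(f"{p.user_id} lacks scope {spec['scope']}")
        result = spec["fn"](p, **args)          # identity propagates into the tool
        entry.update(status="ok", result=result)
    except (ValueError, PermissionError) as exc:
        entry.update(status="denied", error=str(exc))
    audit.append(entry)
    return entry

def demo() -> list[dict]:
    """Constructed scenario: alice may read her own customers but cannot send mail."""
    audit: list[dict] = []
    alice = Principal("alice", frozenset({"customers:read"}))
    bob = Principal("bob", frozenset({"customers:read", "email:send"}))
    # Legitimate read of a record alice owns.
    dispatch(alice, '{"tool": "get_customer_email", "args": {"customer_id": "c-100"}}', audit)
    # Confused-deputy attempt: injected content steers the model at bob's record.
    dispatch(alice, '{"tool": "get_customer_email", "args": {"customer_id": "c-200"}}', audit)
    # Scope escalation: the model emits a call alice's identity is not entitled to.
    dispatch(alice, '{"tool": "send_email", "args": {"to": "x@example.com", "body": "hi"}}', audit)
    # Schema violation: an extra argument smuggled into an otherwise valid call.
    dispatch(alice, '{"tool": "get_customer_email", "args": {"customer_id": "c-100", "sql": "x"}}', audit)
    # bob holds the scope, but a malformed recipient still fails output validation.
    dispatch(bob, '{"tool": "send_email", "args": {"to": "not-an-address", "body": "hi"}}', audit)
    dispatch(bob, '{"tool": "send_email", "args": {"to": "ops@example.com", "body": "hi"}}', audit)
    return audit

if __name__ == "__main__":
    for line in demo():
        print(json.dumps(line))
```

The point of the structure is that no prompt-level defence is involved: the same user identity, scope check, schema check, and audit record apply whether the model's output was benign, hallucinated, or injected, and a denied call is recorded with the raw model output so the investigation can see exactly what was attempted.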

What to skip

You do not need a dedicated "AI firewall" SKU. You need the same controls you already owe your non-AI services, applied with intent.
