Sensitive data in LLM systems
LLMs touch sensitive data at several points — prompts, retrieved context, logs, training/fine-tuning data, and outputs. The risks (OWASP LLM02): the model memorizes and regurgitates training data, leaks PII across users, or exposes secrets embedded in prompts.
Controls:
- Minimize — don't send PII to the model unless needed; redact it at the input guardrail.
- Isolate tenants — in multi-tenant RAG, filter the vector store by tenant/user so one customer's data can never surface for another (LLM08). A missing metadata filter here is a classic breach.
- Watch your logs — prompts/outputs logged for debugging often contain PII; treat logs as sensitive, restrict access, set retention.
- Provider data terms — know whether your LLM provider trains on your data (enterprise/API tiers usually don't; confirm) and whether data leaves your region.
Access control & least privilege
Authorize the user, not the model, for every data access and action (the theme of this course). Field-level and row-level access, RBAC, and tenant isolation apply to what the model can retrieve and what its tools can do. Secrets stay in a manager, never in the prompt or client.
Adversarial ML & the supply chain
Beyond prompts, models themselves are attackable: data/model poisoning (malicious training/fine-tuning data — LLM04), model extraction/inversion, and compromised third-party models/plugins (LLM03). Mitigate by vetting data and model sources, pinning/auditing dependencies and MCP servers, and monitoring for anomalous behavior.
Governance & compliance
Regulation is arriving — the EU AI Act (risk-tiered obligations, transparency, documentation), GDPR/privacy law for personal data, and sector rules (finance, health). Practical governance: keep an inventory of AI use, document data flows and controls, maintain audit logs, keep humans in the loop for high-risk decisions, and be able to show your controls. Security + privacy + governance together are what "responsible AI in production" means — not a checkbox, an ongoing practice.