PART 4
Prevention and Mitigation
Slides 18–26 · 7 mitigations · real tools · real CVEs
Slide 18 · The Honest Starting Point
There is no fool-proof prevention. That's the starting point.
OWASP says it explicitly. Understand this before reading the mitigations.
📄 OWASP LLM Top 10:2025 · LLM01 Prevention and Mitigation
"Prompt injection vulnerabilities are possible due to the nature of generative AI. Given the stochastic influence at the heart of the way models work, it is unclear if there are fool-proof methods of prevention for prompt injection. However, the following measures can mitigate the impact of prompt injections."
What "Mitigate the Impact" Means in Practice

The 7 mitigations don't prevent injection from being attempted. They do three things:

Reduce blast radius — limit what the AI can do if injection succeeds
Increase detection — catch injections before or after they cause damage
Raise the bar — make successful injection harder and less reliable

EchoLeak was rated CVSS 9.3 partly because Copilot had broad access to the victim's entire M365 environment. M4 (least privilege) applied before deployment would have dramatically reduced what the attacker could exfiltrate — even if the injection itself couldn't be stopped.

The 7 Mitigations

1. Constrain model behavior
2. Define and validate expected output formats
3. Implement input and output filtering
4. Enforce privilege control and least privilege access
5. Require human approval for high-risk actions
6. Segregate and identify external content
7. Conduct adversarial testing and attack simulations
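
How mitigations 4 and 5 reduce blast radius in practice, as an added example (not from the original slides or any vendor's code): a gate that sits between the model and its tools and treats every proposed call as untrusted. The tool names, resource paths and the `Grant`/`Gate` classes are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass, field

# Hypothetical tool names; a real deployment maps these to its own connectors.
HIGH_RISK = frozenset({"send_email", "share_file", "http_post"})  # actions that move data out

@dataclass(frozen=True)
class Grant:
    """What one task may touch, fixed by the application before the model runs."""
    tools: frozenset
    scopes: tuple  # resource roots, e.g. only the thread the user asked about

@dataclass
class Gate:
    grant: Grant
    audit: list = field(default_factory=list)  # denied calls are a detection signal

    def _in_scope(self, resource: str) -> bool:
        # Normalise first so "thread-42/../thread-7" cannot pass a prefix check,
        # and match on a path boundary so "thread-420" is not inside "thread-42".
        path = posixpath.normpath(resource)
        return any(path == s or path.startswith(s + "/") for s in self.grant.scopes)

    def _deny(self, tool: str, resource: str, reason: str) -> str:
        self.audit.append({"tool": tool, "resource": resource, "reason": reason})
        return "deny"

    def authorize(self, tool: str, resource: str, approved_by_human: bool = False) -> str:
        """Decide on a tool call proposed by the model. The proposal is untrusted:
        injected content may have steered the model into making it."""
        if tool not in self.grant.tools:
            return self._deny(tool, resource, "tool not granted for this task")
        if not self._in_scope(resource):
            return self._deny(tool, resource, "resource outside task scope")
        if tool in HIGH_RISK and not approved_by_human:
            return "needs_approval"  # M5: a person confirms before data leaves
        return "allow"

if __name__ == "__main__":
    # Constructed scenario: the user asked for work on one mail thread only.
    gate = Gate(Grant(frozenset({"read_mail", "send_email"}), ("mail/inbox/thread-42",)))
    for call in [("read_mail", "mail/inbox/thread-42/msg-1"),
                 ("read_file", "sharepoint/finance/q3.xlsx"),
                 ("send_email", "mail/inbox/thread-42")]:
        print(call, "->", gate.authorize(*call))
    print("audit:", gate.audit)
```

The grant is decided by application code from the user's request, never by the model, so a successful injection can only act inside the scope the task already had.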
