“Implement least-privilege access for all components that process or execute LLM output. Log all LLM outputs passed to downstream systems. Monitor for anomalous patterns that indicate exploitation attempts.” Least privilege caps what an attacker gains even when output handling fails; logging and monitoring surface exploitation attempts while there is still time to respond, and give you the record to reconstruct what happened afterwards.
In the Vanna.AI attack path, the database role held permissions beyond SELECT, which is what let the SQL-level foothold escalate to command execution on the database host. A SELECT-only role would have cut that branch off at the SQL layer, even with the underlying exec() vulnerability still unpatched. Least privilege is the control that limits the blast radius when everything else fails.
→ Database: Connect LLM-driven services as a SELECT-only role, never as the schema owner or a superuser; disable xp_cmdshell via sp_configure and alert if it is re-enabled (MSSQL); withhold the FILE privilege and set secure_file_priv (MySQL); never grant pg_execute_server_program, pg_read_server_files or pg_write_server_files, the roles that COPY TO/FROM PROGRAM and file-based COPY require (PostgreSQL)
→ File system: Run LLM services as a dedicated non-root user with access only to the directories they need, read-only wherever writes aren’t required
→ Cloud: Scope IAM roles for LLM services to the specific actions and resources they use: no wildcard actions, and no permission to assume or pass a more privileged role
→ Logging: Log every LLM output that flows to a DB, shell, file path, or external URL, together with the destination and the session that produced it, and write the record before the downstream call is made so a successful exploit can’t suppress it
→ Alerting: Alert on UNION in generated SQL, traversal patterns (../, ..\, %2e%2e) in file paths, internal IP ranges and localhost in generated URLs, exec() and eval() calls in generated code, and on any LLM-connected database role attempting a write or DDL
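The logging and alerting items above, as an added example that is not code from Vanna.AI, OWASP or the original page: an output gate that every LLM output passes through on its way to a database, file system, fetcher or interpreter, writing a JSON log line before the call and attaching an alert name when one of the checklist patterns fires. The sink names, record fields, the eval() rule and the sample outputs are assumptions; the check functions are the part to tune to your own generator's normal output.

```python
"""Output gate: log every LLM output bound for a downstream system, then apply
the alert rules from the checklist above. Added example, not Vanna.AI, OWASP or
the page's own code; sink names, record fields and sample outputs are assumptions."""

import hashlib
import ipaddress
import json
import re
import time
from urllib.parse import urlparse

# Rule patterns. Word boundaries keep "union_id" and "executor(" from matching;
# eval() is flagged alongside exec() as an assumption beyond the checklist.
UNION_RE = re.compile(r"\bUNION\b", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)|%2e%2e", re.IGNORECASE)
EXEC_RE = re.compile(r"\b(?:exec|eval)\s*\(")

# Every record is appended here as a JSON line so the full stream can be
# shipped to a SIEM; a stream passed to gate() receives the same line.
AUDIT_LOG = []


def check_sql(text):
    return "sql_union" if UNION_RE.search(text) else None


def check_path(text):
    return "path_traversal" if TRAVERSAL_RE.search(text) else None


def check_url(text):
    """Flag URLs whose host is a literal address outside the public range
    (RFC 1918, loopback, link-local such as 169.254.169.254) or 'localhost'.
    A scheme-less URL is parsed as a network-path reference so its host is still seen."""
    parsed = urlparse(text if "//" in text else "//" + text)
    host = parsed.hostname
    if host is None:
        return "url_unparseable"
    if host == "localhost":
        return "url_internal_host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; resolve-and-check belongs in the fetcher itself
    return None if addr.is_global else "url_internal_ip"


def check_code(text):
    return "code_exec" if EXEC_RE.search(text) else None


CHECKS = {"sql": check_sql, "path": check_path, "url": check_url, "code": check_code}


def gate(sink, output, stream=None):
    """Log the output *before* it reaches the sink, so a successful exploit
    cannot suppress the record, and return the record with its alert (or None).
    Whether an alert blocks the call or only pages someone is the caller's policy."""
    if sink not in CHECKS:
        raise ValueError(f"unknown sink {sink!r}")
    record = {
        "ts": time.time(),
        "sink": sink,
        "sha256": hashlib.sha256(output.encode()).hexdigest(),
        "output": output[:2000],  # capped copy; the hash covers the full text
        "alert": CHECKS[sink](output),
    }
    line = json.dumps(record)
    AUDIT_LOG.append(line)
    if stream is not None:
        stream.write(line + "\n")
    return record


# Constructed sample outputs: one benign and one malicious per sink.
SAMPLES = [
    ("sql", "SELECT name, price FROM products WHERE category = 'books'"),
    ("sql", "SELECT name FROM products UNION SELECT password FROM users"),
    ("path", "reports/2024/q3.csv"),
    ("path", "reports/../../etc/passwd"),
    ("url", "https://api.example.com/v1/items"),
    ("url", "http://169.254.169.254/latest/meta-data/"),
    ("code", "fig = px.bar(df, x='name', y='price')"),
    ("code", "exec(__import__('os').system('id'))"),
]


def run_samples(stream=None):
    """Push each sample through the gate and return the records."""
    return [gate(sink, out, stream) for sink, out in SAMPLES]


if __name__ == "__main__":
    import sys
    run_samples(sys.stdout)  # writes eight JSON lines; four carry an alert
```

The gate deliberately returns the record rather than raising: the SQL sink may want to block on UNION while the URL sink only pages someone, and that policy belongs with the caller, not the detector. The hash lets you correlate a truncated log entry with the full output if the downstream system stores it.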
Try a SELECT from a table the LLM service shouldn’t access, then an INSERT on a table it should only read. If either succeeds, the database role has excess permissions. Then check your SIEM: are LLM outputs logged before they reach downstream systems, with the destination and the session that produced them? If not, you’re flying blind.