Slide 25 · The Matrix
Six controls. Four attack types. Here’s what covers what.
No single control covers all four types.
Coverage Map

Use this to identify which defenses to prioritize based on your deployment context.

Fabricated Citations
Best covered by: M1 (RAG into legal/academic databases), M2 (Citation enforcement with URL validation), M3 (Human review before any regulated filing), M4 (Model expresses uncertainty when it cannot verify a citation).
Package Hallucination (Slopsquatting)
Best covered by: M5 (Developer education: verify before install), M6 (Automated package-name resolution against the registry before surfacing recommendations), M4 (Model discloses when it is uncertain whether a package exists).
Professional Domain Misinformation
Best covered by: M1 (RAG into domain-specific clinical/financial/legal databases), M3 (Expert human review for regulated outputs), M4 (Model refuses out-of-scope questions), M6 (Policy or drug database validation before response).
Hallucinated Code & Commands
Best covered by: M6 (SAST on generated code before display), M5 (Educate developers: AI code requires security review), M3 (Security engineer reviews LLM-generated code for security-sensitive operations), M4 (Model hedges on security-critical patterns).
The Core Rule

RAG (M1) and human review (M3) cover the most ground. If you can only implement two controls, start there — then add citation enforcement (M2) and output validation (M6) as the next layer.
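
One way to implement the M6 registry check for package hallucination, as an added example that is not part of the original slides: it pulls package names out of `pip install` lines in a model reply and resolves each one before the reply is shown. The sample reply, the name `fastjson-streamx` and the `KNOWN` snapshot are constructed; PyPI and pip are assumed as the ecosystem, and the function names are this example's own.

```python
import re
import urllib.error
import urllib.request

INSTALL_RE = re.compile(r"\bpip3?\s+install\s+([^\n`;&|]+)")
NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")
# pip options that consume the next token, so that token is not a package name
OPTS_WITH_VALUE = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url"}

def normalize(name):
    """PEP 503 normalisation: runs of -, _ and . collapse to one hyphen, lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()

def extract_packages(llm_output):
    """Collect normalised package names from every `pip install` line in the text."""
    names = []
    for match in INSTALL_RE.finditer(llm_output):
        tokens = iter(match.group(1).split())
        for token in tokens:
            if token in OPTS_WITH_VALUE:
                next(tokens, None)          # drop the option's argument
            elif not token.startswith("-"):
                base = re.split(r"[\[<>=!~]", token, maxsplit=1)[0]  # strip extras/version
                if NAME_RE.match(base) and normalize(base) not in names:
                    names.append(normalize(base))
    return names

def pypi_exists(name):
    """Live lookup: PyPI's JSON API answers 404 for a project name nobody has registered."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise

def gate(llm_output, exists=pypi_exists):
    """Map each recommended package to 'ok', 'not-found' or 'unverified'."""
    verdicts = {}
    for name in extract_packages(llm_output):
        try:
            verdicts[name] = "ok" if exists(name) else "not-found"
        except OSError:                     # registry unreachable: fail closed
            verdicts[name] = "unverified"
    return verdicts

# Constructed sample: an assistant reply and a stand-in registry snapshot.
SAMPLE = "Run:\npip install requests fastjson-streamx>=2.0\npip install -U Flask_Login -r requirements.txt\n"
KNOWN = {"requests", "flask-login"}

if __name__ == "__main__":
    print(gate(SAMPLE, exists=lambda n: n in KNOWN))
```

A name that resolves is not thereby safe, since slopsquatting depends on someone registering a hallucinated name; this gate only stops names that do not exist yet.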
