Skip to main content
Responsible AI & Security

Threat-Model an LLM Application

Trace trust boundaries, untrusted content, tool permissions, sensitive data, and abuse cases before testing mitigations.

Advanced50 minBy ToolDix Editorial

Learning objectives

  • Draw data flows and trust boundaries for an LLM workflow
  • Create abuse cases for prompt injection and excessive agency
  • Verify layered controls with adversarial tests

ToolDix original visual

Responsible AI practice loop
1

Frame

Name the outcome and constraints.

2

Build

Try one bounded workflow.

3

Review

Keep evidence, revise, and share.

Draw the real system

Include users, application server, model provider, system instructions, retrieval stores, uploaded files, external pages, tools, credentials, logs, administrators, and downstream systems. Mark where data changes trust level and which component enforces each policy.

Treat user input, retrieved content, tool output, model output, and third-party metadata as untrusted. A model cannot reliably separate instructions from data by intention alone.

Write abuse cases

Test direct and indirect prompt injection, sensitive-data requests, cross-user data exposure, insecure output rendering, excessive tool permissions, confused-deputy behavior, poisoned retrieval, denial-of-wallet, dependency compromise, and misleading citations.

For an agent, ask what happens if the model selects the wrong tool, repeats an action, invents arguments, follows instructions embedded in a document, or continues after partial failure.

Layer controls

Use least-privilege credentials, schema validation, allowlists, deterministic authorization outside the model, data minimization, output encoding, sandboxing, rate and cost limits, confirmation for high-impact actions, audit logs, and revocation. Model instructions are useful but are not an authorization boundary.

Practice: adversarial test matrix

Choose three relevant OWASP risk areas. For each, define precondition, attack input, expected safe behavior, observable evidence, control owner, and regression test. Run the tests against both normal and adversarial documents. Record residual risk.

Incident readiness

Prepare kill switches, credential rotation, affected-user notification, evidence retention, and rollback. A mitigation that cannot be monitored or operated during an incident is incomplete.

Sources and license context

These references informed the lesson. ToolDix adds its own explanation, workflow, and practice rather than reproducing source material.

Take it further

Use a primary source to deepen this lesson.

Each recommendation is a direct link to the publisher or author. The study prompt is ToolDix editorial guidance, not copied course content.

Introduction to Responsible AI by Google for Developers

Course

Introduction to Responsible AI

Choose one feature and identify an affected person, potential benefit, potential harm, and accountable owner.

Open original source
AI Risk Management Framework by NIST

Classic reading

AI Risk Management Framework

Map one system's purpose, affected people, dependencies, and accountable owner before selecting metrics or controls.

Open original source
Generative AI Profile by NIST

Classic reading

Generative AI Profile

Compare the profile's risk categories with your current release checklist and assign an owner to each uncovered area.

Open original source