← All insights
AI

AI Security Checklist 2025

Stat panel: 100% ASR on gemini-2.5-pro via poetry, $4.88M average breach cost, 62% jailbreak rate, 5x ASR increase

LLM Security Threats

Risk summary bar rating prompt injection Critical, CVSS 9.1, common without input validation

Prompt injection involves manipulating LLM behavior through crafted inputs that override system instructions. This includes direct injection (user input) and indirect injection (external data like emails, documents, web pages).

Real-World Attacks

The document illustrates documented attack cases including SpAIware attacks, Slack data exfiltration, and EchoLeak vulnerabilities.

ChatGPT memory SpAIware attack chain writing hidden instructions to memory for persistent exfiltration

Slack AI private channel exfiltration attack chain leaking API keys via indirect injection

Microsoft Copilot EchoLeak (CVE-2025-32711) zero-click card: hidden-text prompts enabling silent exfiltration from enterprise docs

Advanced Attack Techniques

Modern prompt injection has moved well beyond basic instruction overrides. Current research documents evasion techniques that bypass production safeguards, including adversarial poetry methods achieving “62% jailbreak rates across frontier models.”

Adversarial poetry jailbreak card: reformulating harmful requests as verse, 62% average and 100% ASR on some models

Callout explaining why poetry attacks matter: stylistic variation alone circumvents safety, up to 18x higher ASR than prose

FlipAttack jailbreak card: reversing character order to bypass filters, 98% success on GPT-4o

Other Documented Techniques

Additional emerging attack vectors are documented alongside critical insights about the evolving threat landscape.

Checklist of emerging attack vectors: multimodal injection, ObscurePrompt, MathPrompt, delayed tool invocation, character encoding, hypnotism

Critical insight callout: OWASP and NCSC say prompt injection may be inherent to LLMs with no foolproof fix

Insecure Output Handling

LLM outputs processed downstream without validation enable injection attacks (XSS, SQL, command injection, SSRF) through model outputs. Real examples include LangChain and Vanni vulnerabilities.

LangChain GraphCypherQAChain (CVE-2024-8309) card: unvalidated prompt-to-SQL leading to full database compromise

Vanna.AI RCE (CVE-2024-5565) card: prompt-to-RCE via natural language queries, pre-prompting not sufficient defense

Security Checklist

Recommendations include output sanitation and sandbox execution for generated code.

Output sanitization checklist: HTML-encode outputs, parameterized SQL, escape shell metacharacters, validate URLs

Sandbox execution checklist: run generated code in isolated containers, limited IAM roles, network egress whitelist

Mitigation Strategies

  1. Defense in Depth: Layer input validation + output filtering + privilege limits
  2. Regular Testing: Quarterly red team exercises with adversarial prompts
  3. Monitoring: Alert on unusual patterns and system keywords

Monitoring & Response

Comprehensive approaches to input monitoring, output monitoring, and incident response procedures are essential.

Input monitoring checklist: log inputs with timestamps, signature plus ML injection detection, alert on anomalies, behavioral analysis

Output monitoring checklist: scan outputs for PII, detect malicious code generation, monitor confidence anomalies, log for forensics

Incident response checklist: document AI-specific procedures, define severity and escalation, injection/extraction/PII playbooks, quarterly tabletop exercises

Quick Reference

Critical Actions

WEEK 1 - Immediate

  1. Scan repos for exposed API keys
  2. Rate limit all AI APIs
  3. Add PII detection on outputs
  4. Enable input/output logging
  5. Restrict model permissions

MONTH 1 - Foundation

  1. AI security risk assessment
  2. Prompt injection detection
  3. Output validation
  4. Monitoring and alerting
  5. Incident response plan

QUARTER 1 - Maturity

  1. Comprehensive monitoring
  2. LLM-specific pen testing
  3. Adversarial robustness testing
  4. Model governance
  5. Staff training

Risk-scoring tiers: Critical (9.0-10) items, High (7.0-8.9), and Medium (4.0-6.9) with remediation timelines

Conclusion

The document emphasizes that “we’re currently in the infancy of AI, and AI security.” Unknown risks will require “a combination of technology and humans” to identify effectively, as AI tools trained on known data may miss emerging vulnerabilities.

More in AI
What Claude Security gets right — and what it missesMay 5, 2026 · 3 minHollywood Has Always Run on Fragmentation. AI Is Making That Everyone's Problem.Apr 14, 2026 · 4 minThe Validation Layer for AI: Why Verifying Vulnerabilities Matters as Much as Finding ThemMar 18, 2026 · 4 min
Talk to an expert