Prompt Injection Is a Supply Chain Problem

Large language models have introduced a new class of vulnerability that most security teams aren't equipped to handle. Prompt injection — where untrusted input manipulates an LLM's behavior — isn't just a novel attack vector. It's a supply chain problem in disguise.

The Parallel to Dependency Management

When your application calls an LLM, you're delegating decision-making to a system whose behavior you don't fully control. This is conceptually identical to importing an untrusted dependency: you're extending your trust boundary to include code (or in this case, reasoning) that you didn't write and can't fully audit.

Just as a compromised npm package can exfiltrate secrets, a prompt injection can cause an LLM-powered agent to execute unintended actions, leak context windows, or bypass authorization logic.

What Most Teams Are Missing

1. Input isolation — User-supplied content should never be concatenated directly into system prompts without sanitization and structural separation.
2. Output validation — LLM responses should be treated as untrusted input. Validate and constrain outputs before acting on them.
3. Least privilege — LLM agents should have the minimum permissions necessary. An agent that can read your database shouldn't also be able to write to it unless explicitly required.
4. Monitoring and logging — Every LLM interaction should be logged with enough context to detect anomalous behavior patterns.

Building the Playbook

The good news is that the frameworks for managing this risk already exist — they just need to be adapted. Treat your LLM integration like a third-party service: define clear trust boundaries, validate at every interface, and assume the worst about untrusted inputs.