AI security isn’t about making the model trustworthy. It’s about designing systems that remain safe even when the model behaves unpredictably.
We Are Solving the Wrong Problem
Most discussions about AI security revolve around the model.
- How do we stop hallucinations?
- How do we prevent prompt injection?
- How do we jailbreak-proof an LLM?
- How do we make the model “safe”?
These are important questions, but they assume the model is the primary security boundary.
It isn’t.
Modern AI applications are no longer a single model responding to prompts. They are distributed systems composed of identity providers, retrieval pipelines, memory stores, planners, policy engines, tool routers, business APIs, and external services.
The observable behavior of an AI application doesn’t emerge from the model alone. It emerges from the interaction between every component in the inference pipeline.
In other words: Behavior is an architectural property.
The Myth of the Intelligent Model
Consider a customer support AI assistant.
User
│
▼
API Gateway
│
▼
Prompt Builder
│
▼
Retriever
│
▼
Vector Database
│
▼
LLM
│
▼
Tool Router
│
▼
Refund API
When the assistant issues an incorrect refund, where did the mistake originate?
Was it:
- the prompt?
- the retrieved documents?
- conversation memory?
- the planner?
- the model?
- the tool router?
- the Refund API?
Often, the answer is all of them.
The model is only one participant in a much larger system.
Traditional Software Behaves Differently
In traditional software, components are expected to behave deterministically.
if token.is_valid():
allow_request()
or
SELECT * FROM orders WHERE user_id = ?
Given the same input, these components produce predictable outputs. Security controls are therefore attached directly to those components. AI systems are fundamentally different.
The model’s output depends on:
- prompt construction
- retrieved context
- conversation history
- memory
- available tools
- external tool responses
- decoding parameters
- model version
Even if your application code never changes, system behavior can.
The Wrong Security Question
Many teams ask:
Can I trust the model?
That question has no useful answer.
Instead, ask:
What happens if I can’t?
This is the same mindset used in distributed systems engineering. We don’t assume servers never fail. We assume failures will happen and design architectures that remain resilient. AI systems deserve the same treatment.
Assume:
- prompt injection succeeds
- retrieved documents contain misleading content
- the model hallucinates
- the planner chooses the wrong tool
Now ask: Can the architecture still prevent catastrophic outcomes?
Behavior Emerges from the Entire Inference Pipeline
A modern inference request is far more than a model invocation.
User
│
Identity
│
Prompt Construction
│
Retrieval
│
Context Assembly
│
LLM
│
Planning
│
Policy Engine
│
Tool Execution
│
Response Validation
Every stage influences behavior. Removing or redesigning any one of these components changes how the system behaves.
This is why securing only the model leaves significant gaps elsewhere in the pipeline.
Design Behavioral Guarantees, Not Perfect Models
Traditional AI discussions often focus on improving model quality.
Architecture focuses on something different:
behavioral guarantees.
Examples include:
- An agent can never access another customer’s data.
- Refunds cannot exceed the original payment.
- Production databases cannot be modified directly by an LLM.
- High-risk actions require explicit approval.
- Secrets never appear in model responses.
- Every tool invocation is authenticated and authorized.
Notice that none of these guarantees depend on whether the model is “correct.”
They depend on architectural constraints.
Separate Reasoning from Authority
One of the most common mistakes in AI system design is allowing the model to directly control execution.
Instead of:
User
│
LLM
│
Tool
Prefer:
User
│
LLM
│
Policy Engine
│
Authorization
│
Tool
The model proposes. The architecture decides.
This separation ensures that even if the model produces an unsafe action, execution remains subject to independent policy enforcement.
Identity Should Flow Through the System
Another common anti-pattern is treating the LLM as the acting identity. Instead, preserve the original user’s identity throughout the pipeline.
Alice
│
Gateway
│
LLM
│
Refund Service
The Refund Service shouldn’t receive:
“The AI requested a refund.”
It should receive:
User = Alice
Action = Refund
Resource = Alice's Order
The AI should never gain authority that the user does not already possess.
Secure the Architecture, Not the Thoughts
Architects cannot control every thought the model generates. Nor should they try. Instead, constrain what those thoughts are allowed to influence.
The model may suggest:
- refunding an order
- calling an external API
- reading a document
- deleting a file
The architecture determines whether any of those actions are actually permitted. This distinction is subtle but fundamental.
You are not securing reasoning. You are securing execution.
The Shift from Component Security to Behavioral Security
For decades, software security has focused on protecting individual components.
AI systems require us to think one level higher.
Instead of asking:
- Is the model secure?
- Is the prompt safe?
- Can I eliminate hallucinations?
Ask:
- What behaviors must never occur?
- Which trust boundaries influence those behaviors?
- Which architectural controls enforce those guarantees?
- How does the system remain safe when the model is wrong?
These are architectural questions. And architectural questions lead to architectural solutions.
Conclusion
Large language models are not security boundaries. They are probabilistic reasoning engines operating within much larger systems.
The security of an AI application is therefore not determined solely by the model, but by the architecture that surrounds it.
The most resilient AI systems are not those that assume perfect models. They are those designed to remain safe when the model behaves unpredictably.
Because in modern AI systems:
Behavior is not a model property. It is an architectural property.
Leave a Reply