Launch checklist
LLM Security Checklist
A practical launch checklist for LLM applications that process untrusted content, retrieve private data, call tools, or render generated output.
Updated 2026-07-06
Map the risk before scoring it
Start by listing every way language enters the model: user prompts, uploaded files, web pages, emails, tickets, comments, search snippets, retrieved records, tool results, memory, and prior conversation. Mark each source as trusted, user-controlled, third-party, or application-controlled.
Then list what the model output can influence: an answer, a citation, rendered Markdown, a database query, an email draft, a send action, a code change, a calendar update, a CRM write, a purchase, or a security decision. Prompt injection becomes a serious application-security issue when untrusted text can steer those outputs.
Controls to verify
- Retrieval authorization: only retrieve documents the current user and task are allowed to use.
- Context minimization: send the least sensitive and least privileged context needed for the current step.
- Tool allow-lists: choose from known actions with typed parameters instead of free-form execution.
- Schema validation: parse model output and reject unknown fields, destinations, or action types.
- Human approval: require meaningful confirmation for external, destructive, financial, legal, privacy, or security-impacting actions.
- Output handling: sanitize generated links, HTML, Markdown, code, file paths, queries, and outbound requests.
- Observability: log retrieved source IDs, model outputs, proposed actions, denials, approvals, and executed actions.
Launch gate
Before shipping an LLM workflow, require an owner for LLM security findings, a documented threat model, risk-ranked test cases, rollback paths for side effects, and privacy-aware logs. Run both allowed and blocked cases. A system that blocks every adversarial input but fails the legitimate workflow is not ready either.
After launch, treat prompts and tools like code. Changes need review, test coverage, and monitoring because small prompt or retrieval changes can reopen a trust-boundary failure.
Use the checklist with the tools
Use the risk checklist to score exposure, the system prompt linter to catch brittle prompt assumptions, and the threat model generator to create a markdown review artifact. The tools are intentionally client-side and defensive.
Checklist source
OWASP LLM Prompt Injection Prevention Cheat Sheet
Controls for least privilege, remote content, agent defense, monitoring, and human-in-the-loop safeguards.
Risk source
OWASP LLM01:2025 Prompt Injection
Primary OWASP risk page for direct and indirect prompt injection.
Operational source
Practical LLM security advice from the NVIDIA AI Red Team
Practical security advice from AI red-team work, including tool and RAG risks.