Launch checklist

LLM Security Checklist

A practical launch checklist for LLM applications that process untrusted content, retrieve private data, call tools, or render generated output.

Updated 2026-07-06

Map the risk before scoring it

Start by listing every way language enters the model: user prompts, uploaded files, web pages, emails, tickets, comments, search snippets, retrieved records, tool results, memory, and prior conversation. Mark each source as trusted, user-controlled, third-party, or application-controlled.

Then list what the model output can influence: an answer, a citation, rendered Markdown, a database query, an email draft, a send action, a code change, a calendar update, a CRM write, a purchase, or a security decision. Prompt injection becomes a serious application-security issue when untrusted text can steer those outputs.

Controls to verify

  • Retrieval authorization: only retrieve documents the current user and task are allowed to use.
  • Context minimization: send the least sensitive and least privileged context needed for the current step.
  • Tool allow-lists: choose from known actions with typed parameters instead of free-form execution.
  • Schema validation: parse model output and reject unknown fields, destinations, or action types.
  • Human approval: require meaningful confirmation for external, destructive, financial, legal, privacy, or security-impacting actions.
  • Output handling: sanitize generated links, HTML, Markdown, code, file paths, queries, and outbound requests.
  • Observability: log retrieved source IDs, model outputs, proposed actions, denials, approvals, and executed actions.

Launch gate

Before shipping an LLM workflow, require an owner for LLM security findings, a documented threat model, risk-ranked test cases, rollback paths for side effects, and privacy-aware logs. Run both allowed and blocked cases. A system that blocks every adversarial input but fails the legitimate workflow is not ready either.

After launch, treat prompts and tools like code. Changes need review, test coverage, and monitoring because small prompt or retrieval changes can reopen a trust-boundary failure.

Use the checklist with the tools

Use the risk checklist to score exposure, the system prompt linter to catch brittle prompt assumptions, and the threat model generator to create a markdown review artifact. The tools are intentionally client-side and defensive.