Llama Guard is a deployable, customizable safety filter that runs locally, adapts to new policies via prompts or light fine-tuning, and matches or beats common moderation APIs on public and internal tests.
High in-policy classification performance on internal test set.
Numbers: AUPRC prompt=0.945; response=0.953 (Table 2)
Any app that feeds external text into an LLM is attackable: attackers can hide instructions in user-provided data and change app outputs. Benchmarks show attacks work across models and tasks, and many defenses either miss attacks or break normal performance.
Prompt injection attacks are broadly effective across tasks and models.
Numbers: Combined Attack ASV=0.62 and MR=0.78 averaged over 10 LLMs and 7×7 task pairs
External content can silently hijack LLM outputs. Measure exposure with BIPIA and add simple defenses now; full model fine-tuning yields stronger protection if you control the model.
All evaluated LLMs show vulnerability to indirect prompt injection on BIPIA.
Numbers: Average overall ASR = 0.1179 (11.79%) on BIPIA (Table 2)
Tool-enabled LLM agents can be hijacked by content they retrieve, causing unauthorized transactions or data leaks; firms must test agents with realistic IPI cases before deployment.
INJECAGENT covers 1,054 test cases built from 17 user tools and 62 attacker instructions.
Numbers: 1,054 cases; 17 user tools; 62 attacker cases
Agents can be disabled or misused without obvious malicious text; prompt-injection can cause outages, wasted compute, or automated spamming and is hard to detect by LLM self-checks alone.
Prompt-injection infinite-loop attacks raise failure rate substantially.
Numbers: Baseline 15.3% → Infinite loop ASR 59.4%
SPML provides a lightweight, rule-like front door that blocks many prompt-injection attacks before they reach costly LLM calls, reducing risk and operating cost for deployed chatbots.
SPML yields lower attacker-miss error on jailbreak attacks than GPT-4 on the paper's benchmark.
Numbers: Jailbreak ER: SPML 1.29% vs GPT-4 4.31% (Table 2)
If your product uses LLMs to rank or judge content, attackers can bottle-manufacture short token suffixes that make the judge pick malicious or low-quality content. This can poison leaderboards, search results, automated labels for training, or tool selection.
JudgeDeceiver yields high attack success rates against open-source judges.
Numbers: ASR = 90.8% (Mistral-7B, MT-Bench average)
RAG pipelines used in products can be quietly manipulated by injected texts that bypass retrievers, filters, or LLMs; this risks wrong answers, hidden ads, or unwarranted refusals—test and harden the whole pipeline, not only the model.
RAG systems are vulnerable to subtle injection attacks (noise, conflict, toxicity, DoS) at multiple pipeline stages.
Numbers: evaluated 14 RAG components; attacks reduce F1(avg) and AFR across tasks
Shared or third-party prompts can hide backdoors that stealthily control outputs; this risks wrong decisions, data leaks, or brand harm if prompts are used in production.
Attack success rate (ASR) is very high for poisoned prompts.
Numbers: ASR often 95–100% across datasets and models (Table 1).
Deterministic guardrails reduce unacceptable risks in enterprise agents (data leaks, unauthorized writes) and let teams choose autonomy levels with verifiable safety.
A bounded Alloy model can prove that label-based policies eliminate unsafe flows that otherwise occur.
MI9 turns opaque agent decisions into actionable runtime controls, reducing undetected risky behaviors while keeping false alarms low, which helps prevent costly operational and compliance incidents.
MI9 detects nearly all simulated governance violations on evaluated traces.
Numbers: Detection Rate 99.81% (MI9) vs 93.98% (OT) vs 68.52% (LS)
If your product uses embedding-based retrieval and allows external or user-supplied documents, an attacker can cheaply force a poisoned document into search results and trigger downstream harms (phishing, data exfiltration, tool misuse). Protect retrieval and write access, not just the model.
A short, optimized trigger reliably surfaces a single poisoned document into top-K retrieval.
Numbers: Recall@5 ≈ 95% average across 11 BEIR datasets at n=10 tokens
Graph-structured retrieval can leak reusable entity-relation graphs with surprisingly few queries; operators should treat structured retrieval as a privacy risk and add monitoring, response filtering, or query limits.
AGEA recovers a very large fraction of nodes and edges under 1,000 queries on medium graphs.
Numbers: M-GraphRAG Medical: nodes 87.09%, edges 80.16% at T=1000
Agentic systems that chain LLMs and tools can be hijacked by hidden instructions in text or images. Adding per-message sanitization, provenance tracking, and output validation reduces attack surface without harming legitimate task accuracy—important for customer-facing automation, finance, and security-sensitive tools.
Multimodal prompt-injection detection rate improved to 94%.
Numbers: 94% detection (paper, Section V.A)
If your agent can call external services, hidden instructions in returned content can trigger harmful actions. IPIGUARD stops many such attacks by pre-planning allowed tool calls and blocking unapproved ones, trading modest extra cost for much stronger protection.
IPIGUARD reduces average targeted attack success rate (ASR)
Numbers: ASR ≈ 0.69% average on AgentDojo (Table 1)
Cross‑organization agent cooperation breaks single‑domain safety and audit assumptions, increasing legal, financial, and operational risk unless systems are instrumented with cross‑domain security metrics.
Seven distinct categories of security risk appear when LLM agents cross ownership boundaries.
Numbers: 7 challenge categories (C1–C7)
If you let LLM agents access user data, simple injected text can cause measurable leaks; test agents on task-specific injection scenarios before deployment.
Average attack success rate (ASR) across models and tasks is around 15–20%.
Numbers: ASR ≈15% (48 tasks) and ≈20% (16 tasks); Llama-4 (17B) hit 40% on 16 tasks.
Sentinel materially reduces successful prompt injections on evaluated benchmarks, enabling safer prompt-driven products and lowering the risk of harmful or leaking responses.
High internal detection accuracy and F1.
Numbers: AvgAcc 0.987, F1 0.980 on internal held-out test
Public RAG (search+LLM) services can be probed to leak exact retrieved passages. Simple prompt rules are insufficient. Companies must test extraction attacks, add model-level defenses, and monitor outputs for leaked context.
MARAGE achieves much higher exact-match extraction than manual or prior optimized attacks on diverse RAG data.
Numbers: EM up to 0.796 vs manual 0.082 on LLaMA3 (Rag-12000); 12/20 entries EM>0.8
Prompt leakage can expose business rules and secrets. Measuring leakage with an 'advantage' score helps prioritize defenses and assess whether prompt hardening or guard LLMs are needed.
Low-security models leak prompts often.
Numbers: Advantage = 0.65 (Section V)
Automated LLM judges can be manipulated by prompt injections, risking wrong evaluations; use committees and layered defenses for high-stakes scoring.
Adaptive Search-Based Attack (ASA) is the most effective attack across models.
Numbers: ASR 42.9–73.8% (Table I); avg 56.2% (Table VIII)
Adaptive, optimization-driven prompt injections can bypass some defenses and expose sensitive outputs, so firms must test deployed LLMs (especially open-source ones) with rigorous red-teaming before production.
Open-source models are substantially easier to coerce than the closed-source models tested.
Numbers: Qwen2-7B-Instruct ASR 0.93–0.99 across tasks; GPT-4o-mini ASR 0.01–0.03
If your product augments an LLM with an open or large text store, attackers who can add or edit that store can steer answers or cause refusals; naive defenses leave gaps and some robust fixes reduce product quality.
Most poisoning attacks work well on original QA datasets.
Numbers: Example: BPI ASR = 0.94 on NQ (Table 2)
CachePrune reduces indirect prompt-injection risk with minimal compute and no change to prompts or extra LLM calls, protecting production LLM apps while keeping answer quality.
CachePrune cuts attack success on LLaMA3-8B (SQuAD) from ~27.86% to ~7.44%.
Numbers: 27.86% → 7.44% (Table 1, SQuAD LLaMA3-8B)
