Securing LLMs, Agents, and RAG Pipelines: The Practical Guide to AI Application Security

Traditional application security assumes deterministic behavior: given the same input, the application produces the same output. LLM-powered applications are fundamentally non-deterministic — the same prompt can produce different outputs, and small changes in input can produce dramatically different behavior. This breaks every assumption that traditional security testing is built on.

The attack surface of an LLM application includes: the system prompt (which defines application behavior and often contains sensitive instructions), the user input (which can override system instructions via prompt injection), the retrieval system (which introduces external content into the model's context), tool/function calls (which give the model real-world action capability), and the output handling pipeline (which processes model output for downstream systems).

Traditional WAFs do not detect prompt injection because it is semantic, not syntactic. SAST tools cannot analyze system prompt security. Penetration testing methodologies do not include adversarial LLM interaction. The security tooling gap means that AI applications are being deployed with the same confidence as tested applications but without the same testing.

An AI agent is an LLM with tool access — the ability to send emails, query databases, execute code, call APIs, modify files, or interact with other systems. Agents are the highest-risk AI deployment pattern because they combine the non-deterministic behavior of LLMs with real-world action capability.

The core security question for agents is authorization: what is the agent allowed to do, and how is that enforced? In most agent deployments, the answer is 'whatever tools the developer connected to it.' There is no formal authorization model, no least-privilege scoping, and no audit trail of what the agent did, with which tool, in response to which instruction.

Multi-agent systems add trust boundary complexity. When Agent A can instruct Agent B, and Agent B has access to tools that Agent A does not, the system creates a privilege escalation path. If an attacker can influence Agent A's behavior (through prompt injection), they can potentially cause Agent B to take actions that Agent A is not authorized to perform directly.

The essential security controls for agentic AI are: tool-level authorization (each agent has access only to the tools it needs for its defined tasks), inter-agent authentication (agents verify the source and authority of instructions from other agents), human-in-the-loop gates (high-impact actions require human approval before execution), and comprehensive audit logging (every tool call, every parameter, every instruction, attributed to the originating user and agent).

The most common AI security mistake is reaching for technical controls before establishing governance. Organizations deploy prompt injection filters and output validators before answering fundamental questions: What AI systems do we have? Who approved them? What data do they access? What decisions do they influence?

AI governance provides the foundation that technical controls build on. It includes: an AI inventory (knowing what AI is deployed, where, and by whom), an acceptable use policy (defining what AI can and cannot be used for), a risk framework (classifying AI use cases by risk level), an approval workflow (requiring security review before AI systems access sensitive data or take consequential actions), and regulatory mapping (understanding which regulations apply — EU AI Act, NIST AI RMF, ISO 42001).

The practical sequencing for most organizations is: governance first (policies, inventory, risk framework), then architecture review (threat modeling, reference architecture validation), then security testing (LLM assessment, RAG assessment, agent review), then ongoing monitoring (detection rules, anomaly alerts, periodic reassessment). Each layer builds on the previous one.