LLM Security and Data Privacy for Australian Enterprise
Large language models introduce a novel class of security risks that traditional security frameworks were not designed to address. Understanding these risks, and the deployment architecture that mitigates them, is essential for any Australian organisation deploying AI with access to sensitive data. This guide covers both the threat landscape and the technical controls that constitute a genuinely secure private AI deployment.
Why LLM Security Is Different From Traditional Application Security
Traditional application security assumes that the attack surface is defined by code you wrote and inputs you defined. LLMs are different: they process natural language instructions, which means attackers can attempt to manipulate model behaviour through the same channel your legitimate users communicate through. This creates novel attack vectors that require specific mitigations.
The Prompt Injection Threat
Prompt injection is the LLM equivalent of SQL injection: an attacker inserts instructions into the input that override the model's intended behaviour. Unlike SQL injection, there is no reliable syntactic filter that catches all variants. The primary defence against prompt injection is deployment architecture: if the model has no access to systems it should not modify, and if its outputs are reviewed before taking consequential actions, the attack surface is dramatically reduced.
Training Data Extraction
Research has demonstrated that LLMs can be induced to reproduce verbatim content from their training data through carefully crafted prompts. For public models trained on broad internet data, this creates copyright and privacy risks. For enterprise models fine-tuned on your own data, it creates a different risk: an attacker who can interact with your model may be able to extract sensitive documents that were used in training. This risk is mitigated by deployment controls, not model controls.
RAG Retrieval Manipulation
Retrieval Augmented Generation systems retrieve documents from a private knowledge base before generating responses. An attacker who can influence what gets into the knowledge base, or who can craft queries that retrieve documents they should not access, can use the RAG system as a data exfiltration channel. Access controls on the RAG index and retrieval audit logging are the primary mitigations.
The LLM Security Architecture for Enterprise Deployment
A secure private LLM deployment addresses the novel risks of AI systems alongside the standard enterprise security controls that any production system requires.
Input Validation and Prompt Hardening
Reducing the attack surface for prompt injection requires both technical controls and architectural decisions about what the model is permitted to do.
- System prompt hardening to resist role-playing and override attempts
- Input length limits and character class filtering for structured input fields
- Separation of user input from system instructions in model context
- Instruction hierarchy enforcement preventing user override of system policies
Access Control and Authentication
Enterprise LLM deployments require the same access control discipline as any system accessing sensitive data: least privilege, role-based access, and authenticated sessions.
- Role-based access control determining which documents each user can query
- Document-level access controls enforced in the RAG retrieval layer
- Session management and authenticated API access
- Multi-factor authentication for administrative interfaces
Network Isolation and Egress Controls
The model should not be able to initiate outbound connections unless that capability is explicitly designed and controlled. Network isolation reduces the blast radius of any compromise.
- Egress filtering preventing unauthorised outbound data transmission
- API gateway with allowlisted outbound endpoints if external calls are needed
- Network segmentation isolating the LLM inference stack from production systems
- Proxy controls for any tool-use capabilities requiring external access
Output Monitoring and Filtering
Monitoring model outputs for sensitive data patterns detects both successful attacks and accidental data leakage before outputs reach end users or external systems.
- Regex and ML-based sensitive pattern detection in model outputs
- PII detection and redaction before output delivery
- Output length and content type monitoring for anomaly detection
- Automatic flagging of outputs containing apparent training data reproduction
Comprehensive Audit Logging
A complete audit trail of all interactions is essential for security incident investigation, regulatory compliance, and detecting patterns that indicate abuse or attack.
- Immutable audit log of all prompts and responses with user identity
- RAG retrieval logging showing which documents were retrieved for each query
- Anomaly detection on usage patterns identifying potential reconnaissance
- Log retention aligned to your security incident response and compliance requirements
Model Isolation and Sandboxing
When the model has tool-use capabilities that allow it to take actions, those actions must be sandboxed to prevent unintended consequences from prompt injection attacks.
- Read-only tool access where write capability is not required
- Human-in-the-loop approval for consequential model-initiated actions
- Tool capability allowlisting preventing access to unintended system resources
- Sandbox environment for code execution if the model has code-running capability
How We Build a Secure Private LLM Deployment
Security is designed in from the architecture stage, not added as an overlay after deployment.
Threat Modelling
We conduct a threat model for your specific deployment, identifying the data assets at risk, the likely adversary profiles, and the attack vectors most relevant to your use case and industry.
Security Architecture Design
Based on the threat model, we design the deployment architecture with security controls integrated at every layer: network, application, data, and model levels.
Red Team Testing
Before production deployment, the system is subjected to red team testing targeting the LLM-specific attack categories: prompt injection, jailbreaking, data extraction, and RAG manipulation.
Production Monitoring and Incident Response
Ongoing security monitoring detects anomalous behaviour, with documented incident response procedures for the specific failure modes relevant to LLM deployments.
The OWASP Top 10 for LLMs: How Private Deployment Mitigates Each
The Open Web Application Security Project's Top 10 for LLM applications identifies the most significant risks. Private deployment addresses most of them through architecture, not compensating controls.
Architecture-Level Mitigations (OWASP LLM01-05)
The most critical OWASP LLM risks are substantially mitigated by private deployment architecture.
- LLM01 Prompt Injection: system prompt hardening plus tool capability restriction
- LLM02 Insecure Output Handling: output filtering and human review for consequential outputs
- LLM03 Training Data Poisoning: controlled ingestion pipeline with integrity verification
- LLM04 Model Denial of Service: rate limiting and resource quotas per user/role
- LLM05 Supply Chain Vulnerabilities: model provenance verification and dependency management
Data-Level Mitigations (OWASP LLM06-10)
The remaining OWASP LLM risks are addressed through data governance, access control, and operational security.
- LLM06 Sensitive Information Disclosure: RAG access controls and output monitoring
- LLM07 Insecure Plugin Design: tool capability allowlisting and sandboxing
- LLM08 Excessive Agency: human-in-the-loop and minimal permission tool design
- LLM09 Overreliance: user training and output citation requirements
- LLM10 Model Theft: model weight access controls and IP protection
Related AI Solutions
ISO 27001 AI Compliance
How the security architecture described here maps to ISO 27001:2022 Annex A controls for AI deployments.
Understand ISO 27001 AI compliance →Sovereign AI Australia
How security architecture and data sovereignty work together in a genuinely sovereign Australian AI deployment.
Learn about sovereign AI →On-Premises LLM Deployment
The highest-security deployment option: a fully on-premises LLM with no network connectivity for the most sensitive use cases.
View on-premises deployment →Frequently Asked Questions
Prompt injection is an attack where an adversary inserts instructions into data the LLM processes in order to override the model's intended behaviour. In an enterprise context, the most serious variants involve an attacker injecting instructions into documents that end up in the model's context, or into user inputs, that cause the model to perform actions it should not or reveal information it should not. The severity depends on what capabilities the model has: a model that can only answer questions has limited blast radius from prompt injection; a model that can take actions like sending emails or querying databases has much higher exposure. Architectural controls, specifically limiting the model's capabilities and implementing human review for consequential actions, are the most effective mitigations.
Training data extraction is a real but probabilistic risk. Research has shown that LLMs can reproduce verbatim training content through carefully crafted prompts, but typically only content that appeared many times in training. For fine-tuned models trained on your proprietary documents, the risk depends on: how many times each document appeared in training, how much the fine-tuning process has memorised vs generalised, and what access controls limit who can interact with the model. For most enterprise fine-tuning use cases involving moderate document volumes, verbatim extraction risk is low. However, the higher-risk approach is RAG: if your knowledge base is poorly access-controlled, an attacker can retrieve specific documents directly. Access controls on the RAG index are more important than fine-tuning memorisation risk.
The security profiles are different. A RAG system's primary risk is retrieval manipulation: an attacker who can influence retrieval to return documents they should not access, or who can inject content into the knowledge base to influence future retrievals, can exfiltrate data or manipulate model behaviour. Access controls on both the document index and the retrieval pipeline are essential. A fine-tuned model's primary risk is training data extraction and the fact that model behaviour can be influenced by training data characteristics. Both systems share the prompt injection risk. In practice, most enterprise deployments combine both, so both attack surfaces must be addressed.
Pre-deployment security testing for enterprise LLMs should cover at minimum: prompt injection testing using the OWASP LLM Top 10 as a framework, jailbreak testing to verify system prompt hardening, access control testing confirming document access restrictions are enforced, RAG manipulation testing including indirect injection via document content, output monitoring testing confirming sensitive data detection works as intended, and authentication and session management testing. For higher-security deployments involving sensitive data categories, red team testing by a specialist AI security team is worthwhile. We include red team testing as a standard part of our enterprise deployment process.
An LLM security incident response plan differs from a standard application incident response plan in that the primary evidence source is the audit log of prompts and responses. If an incident is suspected, the first step is to preserve and review audit logs to understand what queries were made, what documents were retrieved, and what outputs were generated. The second step is to determine whether the incident was an internal misuse, an external attack, or an accidental data leakage. Depending on the nature and data involved, you may have notification obligations under the Notifiable Data Breaches scheme. We include incident response procedures and audit log forensics guidance as part of our managed service.
On-premises deployment provides a fundamentally different security posture for the most sensitive data: the attack surface accessible from the internet is reduced to whatever management interface exists, model weights and training data cannot be accessed without physical access, and the entire inference pipeline is within your physical security perimeter. For government, defence, and highly regulated deployments, this is the appropriate architecture. Cloud-hosted sovereign deployment on Australian infrastructure provides strong data sovereignty and eliminates offshore access risk, but retains the network attack surface inherent in any cloud-connected system. For most commercial deployments, cloud-hosted with strong network controls is adequate; for the highest-sensitivity applications, on-premises is the appropriate choice.
Deploy AI That Is Secure by Architecture, Not Just by Policy
Talk to us about a security-first LLM deployment designed to address the real threat landscape for your data assets and use cases.