LangChain, LangGraph, AutoGen, CrewAI, and the OpenAI Assistants API each ship a different agent loop. The security properties of each framework determine what an enforcement layer can see and what it cannot. That architectural divergence is what an enforcement layer at the AI request boundary has to account for.
Six agentic AI architecture patterns dominate production deployments today: ReAct, plan-and-execute, multi-agent crews, retrieval-augmented agents, code-executing agents, and tool-using single agents. The security architecture differs across each. The enforcement layer always sits at the HTTP AI request boundary.
CI pipelines now run coding agents on every pull request. The agent reads the repo, pulls down third-party packages, asks an LLM to write code, executes the suggestion, and pushes a commit. Each step is an attack surface a 2024-era CI threat model did not contemplate. This piece walks through the supply-chain attacks that already shipped in production CI in 2026, where the control point sits at the AI request boundary, and the per-decision audit record a forensic investigator needs to reconstruct the incident.
Most organizations that decide to address shadow AI start by buying a tool. The tool fires alerts on day one and produces a report nobody can act on. A working discovery program is a sequenced six-week path that begins with what the organization already has and adds inspection only after the surface is mapped. This 12-question quiz scores your organization against each step of the framework and tells you where the next two weeks of work belongs.
AI audit records that look complete in a Kibana dashboard often fail an Article 19 field check. The validator takes a sample of your AI audit records and reports which fields are present, which are absent, and which are present in a form that will not survive a regulator's read. The check runs against EU AI Act Article 19, NIST AI RMF MANAGE 1.3, and Fannie Mae LL-2026-04 evidence requirements.
Prompt injection is the class of attacks where adversarial content in a prompt overrides the application instructions or extracts data the model was not authorized to reveal. The attack surface includes direct user prompts, indirect injection through retrieved documents and tool results, and chained injection through agent loops. OWASP has consistently ranked prompt injection as the top LLM vulnerability. This piece walks through the attack mechanisms in production, the failure modes of model-side defenses, the request-boundary controls that produce a defensible posture, and the audit record format that holds up after an attempt is detected.
OWASP LLM01 captures both direct and indirect prompt injection in a single category in the 2025 update. The architectural reason is that the control point is the same: the request boundary. Application-side defenses fail by construction because the application cannot tell which spans of the prompt the model treats as instructions. Model-side defenses fail because refusal training is probabilistic. This piece walks through the LLM01 attack surface, the inspection-layer controls that produce a defensible posture, the audit record that survives review under EU AI Act Article 12 and DORA Article 19, and the deployment pattern that fits a production AI stack.
The OWASP LLM Top 10 enumerates the application-security risks that show up when an LLM is wired into a production application. The 2025 update reorganized the list to reflect what production teams actually see: prompt injection at the top, sensitive information disclosure and supply chain risk close behind, and a new category for unbounded resource consumption. This piece walks each risk to the inspection layer control that produces a defensible posture, the gap each risk exposes in standard application-side defenses, and where the audit record series intersects EU AI Act Article 12 and DORA Article 19 evidence obligations.
LLM audit logging implementations split along three architectural patterns: in-application logs, sidecar collectors, and inline inspection layers. The inline pattern is the only one that produces records the EU AI Act Article 12, DORA Article 19, and Fannie Mae LL-2026-04 reviewers accept because it is the only one that satisfies the write-path independence test. This piece walks through the three patterns, the architectural reason the first two fall short, the integration points the inline pattern requires, the field set the records have to carry, and the latency budget that fits a production deployment.
Jailbreaking is the class of attacks where adversarial prompts cause the model to disregard its safety training and produce content the provider intended to suppress. The attack catalog spans role-play framing, multi-step persuasion, encoded payloads, and the fine-tuning bypass that targets the refusal patterns directly. Research from Stanford Trustworthy AI and the AIUC-1 Consortium found that refusal behaviors degrade significantly under adversarial pressure. This piece walks through the attack patterns in production, why the model alone cannot defend, and the request-boundary controls and audit record format that produce a defensible posture.
Indirect prompt injection is the attack pattern where adversarial content reaches the model through a retrieved document, a tool result, or any other source the model treats as part of its context. The attacker never interacts with the application directly. The injection succeeds when the model executes the embedded instructions on the next retrieval or the next agent loop iteration. RAG pipelines and tool-using agents are exposed by construction. This piece walks through the attack mechanics, the surface area in production deployments, why the model alone cannot defend, and the request-boundary controls that produce a defensible posture.
Retrieval-augmented generation systems read documents from a vector store or a search backend into the model context window before the model reasons. The retrieval step is the point where the system pulls content of varying provenance, authorization, and trustworthiness into the prompt. The security boundary sits at the HTTP path between the retrieval output and the model call. This piece walks through the threat model RAG opens, the identity and authorization decisions the inspection layer commits, the audit record for retrieval-derived content, and the indirect prompt injection surface the retrieved documents expose.