Execution & Tools

Model (LLM)

The language model: the inference engine, whether hosted, API-based or self-hosted.

Plane

Execution & Tools

Flow steps

Frameworks

OWASP LLM03/04 · NIST 800-53 · NIST AI 600-1

Technology

Why use it

Provide generation/reasoning capability while controlling the model’s provenance and integrity.

Why it matters to security

The model and its weights are assets: poisoning, backdoors, or a dubious-origin model compromise everything downstream.

Implementations Anthropic ClaudeAzure OpenAIself-hosted models (vLLM)Bedrock

A model is a supply-chain component: verify its origin and integrity.

Recommendations by maturity tier

Hover a recommendation for its explanation · each one carries its control number

Foundation

Minimum viable baseline

Verified model provenance (trusted source).
NIST 800-53 SR-4OWASP LLM03:2025

An unknown-origin model can contain a backdoor.
Weights and artifacts encrypted at rest.
NIST 800-53 SC-28

Weights are a critical asset to protect.
Model access authenticated and logged.
NIST 800-53 AC-3 · AU-2

No anonymous calls to the inference engine.

Enterprise

Enterprise standard

Weight-integrity verification (signatures).
NIST 800-53 SI-7OWASP LLM04:2025

A signature detects an altered or poisoned weight.
Per-tenant inference isolation.
NIST 800-53 SC-4

No context leakage between tenants sharing the engine.
Security evaluation before go-live.
NIST AI 600-1 MS-2.6-001

Probe the model (jailbreak, leakage) before production.

Advanced

High-assurance / regulated

Continuous model red-teaming.
NIST AI 600-1 MS-2.7-007

Continuously hunt for safety bypasses.
Drift and degradation monitoring.
NIST 800-53 SI-4

Changing behavior is detected and investigated.
Re-evaluation after any fine-tuning.
NIST AI 600-1 MS-2.7-008

Fine-tuning can break safeguards: re-verify.

Architecture notes

Treat weights as a critical secret.details ▸

Exposing them is handing the engine to the attacker.

Encryption at rest, restricted access, and integrity verification on every load.

References

OWASP LLM03 / LLM04:2025

Supply Chain and Data & Model Poisoning.

NIST SP 800-53 Rev5

SR-4 (Provenance), SI-7 (Integrity), SC-28 (At Rest), SC-4, AC-3.

NIST AI 600-1

MS-2.6 / MS-2.7 — security evaluation and red-teaming.

Abbreviations

PDP

Policy Decision Point

PEP

Policy Enforcement Point

PIP

Policy Information Point

PAP

Policy Administration Point

IdP

Identity Provider

TSS

Token Service

NHI

Non-Human Identity

RBAC

Role-Based Access Control

ABAC

Attribute-Based Access Control

MFA

Multi-Factor Authentication

HITL

Human-in-the-loop

JIT

Just-In-Time

CAE

Continuous Access Evaluation

CAEP

Continuous Access Evaluation Profile

DPoP

Demonstrating Proof-of-Possession

mTLS

mutual TLS

PII

Personally Identifiable Information

KMS

Key Management Service

CI/CD

Continuous Integration / Continuous Delivery

SIEM

Security Information and Event Management

SOAR

Security Orchestration, Automation and Response

SCIM

System for Cross-domain Identity Management

XACML

eXtensible Access Control Markup Language

OPA

Open Policy Agent

OWASP

Open Worldwide Application Security Project

NIST

National Institute of Standards and Technology

ATLAS

Adversarial Threat Landscape for Artificial-Intelligence Systems

LLM

Large Language Model

WAF

Web Application Firewall

CDN

Content Delivery Network

DDoS

Distributed Denial of Service

DLP

Data Loss Prevention

JWT

JSON Web Token

API

Application Programming Interface

CRS

Core Rule Set (OWASP)

RAG

Retrieval-Augmented Generation

MCP

Model Context Protocol

PBAC

Permission-Based Access Control

HSM

Hardware Security Module

UEBA

User and Entity Behavior Analytics

SBOM

Software Bill of Materials

SLSA

Supply-chain Levels for Software Artifacts

WORM

Write Once, Read Many

SPIFFE

Secure Production Identity Framework For Everyone