Published on

AI Security is a Workflow Problem

Authors
  • avatar
    Name
    Parminder Singh
    Twitter

From a development perspective, most AI security problems come from the workflow around the model, not the model itself. The issues usually show up in the inputs, the data paths, and the decisions that run without any guardrails.

Most AI systems have the same basic pattern: User -> Application -> Retrieval -> Model -> Output -> User.

AI Workflow

Photo by EJ Strat on Unsplash

Problems show up in a few predictable places:

  • Inputs aren't sanitized. Prompt fetches more data than the user should see, retrieval queries bring in sensitive fields because the vector search doesn't understand roles, etc.
  • No identity context travels with the prompt. Most LLM calls don't carry user role, scope, or policy metadata.
  • Outputs aren't filtered. If the workflow doesn't apply redaction or policy checks on the way out, you end up exposing more than you intended.
  • Logs are incomplete or missing. Prompts or responses are not logged. So when something goes wrong, you're blind.

Potential workflow fixes

  • Evaluate every request before it reaches the model. Look at user identity, policy rules, PII or sensitive terms, retrieval scope, etc.
  • Attach identity and policy context to the prompt. Every downstream component should know who the real user is and what they're allowed to see.
  • Enforce rules on the output before sending it back. Redaction, role-based detokenization, scope checks — all done as a separate step.
  • Log prompt + output + user + model.

Here's a simple pseudo-workflow:

request = incoming_prompt()
user = authenticate(request)
context = lookup_user_policy(user)

analysis = inspect(request, context)
if analysis.violates_policy:
    return deny_or_redact(request)

response = call_llm(request)
filtered = enforce_output_policy(response, context)

log(user, request, filtered)
return filtered

It's basic engineering here and nothing fancy: intercept -> inspect -> decide -> enforce -> log.

AI security will always drift towards workflow control because that's where the actual risk lives. Models just answer questions. The workflow decides what questions get asked and what answers get returned. If that part stays loose, you'll never get predictable or safe behavior from the system.