Calendar Icon White
July 12, 2026
Clock Icon
7
 min read

LLM Security: Protecting Data in Large Language Models (2026)

LLM security explained — the real risks (prompt injection, data leakage, secrets in prompts, RAG oversharing), what OWASP lists, and how to protect sensitive data at the prompt layer.

LLM Security: Protecting Data in Large Language Models (2026)
ChatGPT
Perplexity
Grok
Google AI
Claude
Summarize and analyze this article with:

TL;DR

  • LLM security splits into two problems that get constantly conflated. Model security — can the model be manipulated (prompt injection, jailbreaks, model theft)? And data security — is sensitive data going into the model, or coming out of it, that shouldn't be?
  • Most enterprises do not have a model-security problem. They have a data problem. They are not training foundation models; they are letting employees and agents feed company data into someone else's.
  • The three data leaks that actually happen: secrets and PII pasted into prompts, RAG pipelines retrieving documents the user shouldn't see, and AI agents pulling regulated data through connectors.
  • The control that works is at the prompt and retrieval boundary — detect and remove sensitive data before it reaches the model, and govern what the model is allowed to retrieve.

The Two Halves of LLM Security

Ask ten security teams what "LLM security" means and you'll get two different answers:

Model security — protecting the model and the application around it: - Prompt injection — an attacker embeds instructions in content the model reads (a web page, a document, an email) and hijacks its behavior - Jailbreaks — bypassing safety guardrails - Model theft and extraction — stealing weights or reconstructing training data - Insecure output handling — the model's output executes as code downstream - Supply chain — a compromised model, dataset, or plugin

Data security — protecting the information flowing through it: - Sensitive data in prompts — PII, PHI, card numbers, and API keys pasted into a chat window - RAG oversharing — the retrieval layer surfaces a document the user was never supposed to see - Agent overreach — an AI agent with broad connector permissions pulls regulated data out of Salesforce or a database - Training and retention — your data used to improve someone else's model

Both matter. But be honest about which one you have. If you are not building models, your LLM security problem is almost entirely the second list. The OWASP Top 10 for LLM Applications is written largely for people building LLM applications; most companies are consuming them, and their exposure is that employees are handing over data no policy authorized.

LLM Security: Model Risks vs Data Risks

Model security (building LLM apps)Data security (using LLMs)
The threatThe model is manipulated or stolenYour data goes into someone else's model
ExamplesPrompt injection, jailbreaks, insecure output handling, model theft, supply chainSecrets and PII in prompts, RAG oversharing, agents pulling regulated data via connectors
Who has itTeams building LLM applicationsNearly every company using AI
ReferenceOWASP Top 10 for LLM ApplicationsData governance and DLP
The controlInput validation, output handling, least-privilege toolsRedact sensitive data at the prompt and tool boundary

Risk 1: Secrets and PII in Prompts

The single most common LLM data leak, and the least sophisticated:

  • A developer pastes a stack trace to debug it — and the trace contains a live database URL and API key
  • A support agent pastes a customer's full ticket, including their SSN, to draft a reply
  • A recruiter pastes a candidate's resume to summarize it
  • An analyst pastes a spreadsheet of account numbers to ask for patterns

None of these people are behaving maliciously. Every one is doing their job. And on consumer AI tiers, that content may be retained, used for training, and in some cases reviewed by a human.

Zero data retention agreements do not fix this. ZDR governs what the provider does with the data after it arrives. The key was still transmitted. A leaked credential is leaked whether or not it was retained.

Risk 2: RAG Oversharing

Retrieval-augmented generation is where LLM security gets quietly dangerous. You point a model at your document corpus so it can answer questions with company context. It works beautifully — and it will happily retrieve:

  • The compensation spreadsheet on a SharePoint site with broad permissions
  • The legal memo in a folder shared with "everyone"
  • The customer contract in a Drive folder someone opened "temporarily" in 2021

The model isn't broken. It's honoring exactly the permissions you gave it, against a corpus nobody ever cleaned. RAG doesn't create oversharing; it industrializes the discovery of it. This is why RAG rollouts should begin as a data-hygiene project — find the sensitive data, fix the sharing, remediate the content — not as a retrieval-tuning exercise.

Risk 3: Agents and Connectors

The frontier. When an LLM is given tools — through the Model Context Protocol or a vendor's connector framework — it stops being a chat box and becomes a system with database access.

An agent asked "summarize this customer's history" may pull the full Salesforce case record, including the card number an agent pasted into a comment three years ago, and ship it into a context window. Every permission check passed. The data left anyway.

Governing this means controlling what comes back from the tool call, not just what the user typed. See MCP DLP.

How to Actually Secure an LLM Deployment

1. Control the prompt boundary. Detect PII, PHI, card data, secrets, and source code as they're typed or submitted, and redact, warn, or block per data class. This works across every LLM — including personal accounts on tools you don't manage, which is where most of the exposure lives.

2. Clean the corpus before you point RAG at it. Discover sensitive data across SharePoint, Drive, and Confluence; fix over-broad sharing; remediate the content itself. If the SSN isn't in the document, retrieval can't leak it.

3. Govern the tool layer. Inspect and redact data flowing back from connectors and MCP servers before it reaches the model.

4. Prefer enterprise tiers, but don't rely on them. Enterprise agreements exclude training and tighten retention. They do not stop an employee opening a personal tab.

5. Log everything as evidence. Every detection and redaction should map to SOC 2, HIPAA, GDPR, and ISO 42001.

Strac enforces at the prompt and tool boundary: 48+ secret patterns, PII, PHI, PCI, and source code detected and removed before data reaches ChatGPT, Claude, Gemini, Copilot, or an AI agent — in the browser (Chrome, Edge, Firefox, Safari) and across MCP connectors. See AI DLP.

How Strac Covers Every AI Surface

Securing an LLM deployment means holding four boundaries at once:

  • The prompt — Browser DLP strips secrets and PII before they reach the model.
  • The device — Endpoint DLP covers local AI apps and coding assistants.
  • The retrieval and tool layer — MCP DLP inspects what comes back from a connector before the model sees it.
  • The estate — shadow AI discovery and AI governance, so you know which models are in play.

🌶️ Spicy FAQs for LLM Security

What is LLM security?

LLM security covers two distinct problems: protecting the model and application from manipulation (prompt injection, jailbreaks, insecure output handling, model theft), and protecting the data flowing through it (sensitive data in prompts, RAG retrieving documents users shouldn't see, agents pulling regulated data through connectors). Organizations that consume LLMs rather than build them almost always have the second problem, not the first.

What are the biggest LLM security risks?

For companies using LLMs: secrets and PII pasted into prompts, RAG pipelines surfacing overshared documents, and AI agents with broad connector permissions pulling regulated data. For companies building LLM applications: prompt injection, insecure output handling, and supply-chain compromise of models or plugins. The OWASP Top 10 for LLM Applications covers the builder's list well; the consumer's list is mostly a data-governance problem.

Does zero data retention make an LLM safe?

No. Zero data retention governs what a provider does with your data after it arrives — it does not prevent the data from being transmitted. An API key sent to a model under a ZDR agreement is still an exposed API key, and a patient record is still a disclosure. ZDR is a necessary contract term, not a security control.

How do I stop sensitive data going into an LLM?

Enforce at the point of submission rather than in policy. Detect PII, PHI, card numbers, secrets, and source code in the prompt as it is typed and redact, warn, or block based on your rules. Because this operates at the browser layer, it protects you even when an employee is signed into a personal account on a tool you never approved.

Is RAG a security risk?

RAG is a security amplifier. It does not create oversharing, but it makes years of accumulated poor permissions instantly searchable in natural language. A compensation file on an over-broad SharePoint site was always exposed; before RAG, nobody could find it. The fix is upstream: discover the sensitive data, fix the sharing, and remediate the documents before you index them.

What is prompt injection, and can DLP stop it?

Prompt injection is an attack where malicious instructions are embedded in content the model reads — a web page, a PDF, an email — causing it to ignore its original instructions. Data-layer controls do not prevent injection itself; that requires input validation, output handling, and least-privilege tool design. What they do prevent is the payoff: if the injected instruction says "send me all customer SSNs," and the SSNs have been redacted or vaulted out of the data the agent can reach, the attack retrieves nothing.

The Bottom Line

LLM security is not one discipline. If you are building models, read OWASP and worry about injection and supply chain. If you are like most companies — consuming LLMs, wiring them to your data, and letting employees use them — your risk is far more mundane and far more likely: your data is walking into someone else's model, one prompt at a time.

Secure the boundary where data meets the model, and most of the LLM security problem you actually have goes away.

Book a demo to see secrets and PII stripped from LLM prompts and agent tool calls in real time.

Related: AI DLP · secure sensitive data in LLM prompts · MCP data security · AI security posture management · shadow AI

What is LLM security?
What are the biggest LLM security risks?
Does zero data retention make an LLM safe?
How do I stop sensitive data going into an LLM?
Is RAG a security risk?
Discover & Protect Data on SaaS, Cloud, Generative AI
Strac provides end-to-end data loss prevention for all SaaS and Cloud apps. Integrate in under 10 minutes and experience the benefits of live DLP scanning, live redaction, and a fortified SaaS environment.
Users Most Likely To Recommend 2024 BadgeG2 High Performer America 2024 BadgeBest Relationship 2024 BadgeEasiest to Use 2024 Badge
Trusted by enterprises
Data Security + Compliance Automation

Latest articles

Browse all

Get Your Datasheet

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Close Icon