The Prompt Is Not a Security Boundary: Building Robust AI Privacy with Code, Not Just Instructions
News & Blogs

The Prompt Is Not a Security Boundary: Building Robust AI Privacy with Code, Not Just Instructions

Global · · ontiveros.me

This article argues that AI prompts are not sufficient as security boundaries for sensitive data. It details TeachMetrics' approach, which treats the AI model as an untrusted SQL author and implements a multi-layered defense in code to protect PII, even against successful prompt injection attacks. The core principle is that the security boundary must be in the code, not in the AI's instructions.


Rethinking AI Security: From Etiquette to Code

The conventional wisdom in AI privacy often relies on instructing the language model (LLM) through prompts not to reveal sensitive information. However, this article critically challenges this approach, asserting that such instructions are merely "etiquette," not a true security boundary. For internal audit and assurance professionals, this distinction is crucial. Relying on an LLM to self-regulate its access to sensitive data is a significant vulnerability, as the model's behavior can be unpredictable or maliciously manipulated. The author, Jamie Ontiveros, advocates for a paradigm shift: treating the AI model as an untrusted entity, akin to a hostile SQL author, and building robust security directly into the application's code.

TeachMetrics' Multi-Layered Defense Strategy

The article showcases TeachMetrics, an analytics platform, as a practical example of this code-centric security philosophy. TeachMetrics employs a six-layer defense-in-depth strategy to protect student Personally Identifiable Information (PII) when interacting with third-party LLMs. Key to this is a "semantic layer" that exposes only 24 read-only, aggregate MySQL views to the AI, deliberately excluding any PII. This design ensures that even if an LLM attempts to extract sensitive data, no such data exists in the views it can access. Furthermore, the system implements:

  • Static SQL Validation: An allow-list validator scrutinizes generated SQL for banned keywords and ensures queries target only approved aggregate views.
  • Read-Only Transactions: All AI-generated queries run within a read-only transaction with strict timeouts and row limits.
  • Grant Sandbox: Where possible, a dedicated database user with SELECT-only privileges on the aggregate views enforces access at the database level.
  • Error Hygiene: Generic error messages prevent database errors from becoming data exfiltration channels.
  • Outbound Transport Controls: Strict validation of AI provider endpoints prevents Server-Side Request Forgery (SSRF) and DNS rebinding attacks.
  • Transparency: Every AI response includes a disclosure of the exact payload sent to the AI, allowing for inspectable privacy claims.

Implications for Audit and Assurance Professionals

For internal auditors and assurance professionals, this article provides invaluable insights into securing AI integrations, particularly those handling sensitive data. The core takeaway is that security guarantees must be enforced by the application's architecture and code, not by the AI's prompt instructions. This approach significantly reduces the "blast radius" of prompt injection attacks, rendering them largely ineffective in compromising PII. The author emphasizes Kerckhoffs's principle, advocating for designs that hold even when their mechanisms are public. This means auditors should scrutinize the underlying code, data access layers, and validation mechanisms, rather than solely relying on prompt engineering or policy documents, to ensure data privacy and security in AI-powered systems. The pattern presented is scalable and does not require exotic infrastructure, making it a practical model for many organizations.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →