LLM and agent security audit: prompt injection is only the beginning

Prompt injection is the visible part of the problem. The deeper issue is that agentic systems can read context, call tools, move data, and sometimes take action.

That means security is no longer only about the prompt. It is about the whole operating surface.

What I review

1. Context boundaries. What can the model see, retrieve, summarize, and leak?
2. Tool permissions. What can the agent call, under whose identity, with what scope, and with what approval?
3. Prompt injection paths. Where can untrusted text enter the system: documents, tickets, chats, web pages, CRM notes, emails?
4. MCP and integration risk. Which external tools expand the attack surface and how are they approved?
5. Evals and observability. Can the team reproduce failures, inspect traces, and measure risky behavior?
6. Human review. Which actions must pause for approval before anything irreversible happens?

The output

A useful LLM / Agent Security Audit produces:

• threat model;
• attack surface map;
• risky tool and permission inventory;
• prompt injection test cases;
• guardrails and approval policy;
• tracing and monitoring requirements;
• remediation backlog.

The principle

The goal is not to make the model “obedient”. The goal is to make the system safe even when the model sees hostile input, ambiguous instructions, stale knowledge, and overloaded users.

That requires architecture, not vibes.