AI Security & Guardrails

Threat Modelling for LLM and Agent Applications

Traditional threat models do not cover the attack surface of LLM-powered systems. We deliver threat models specific to AI applications that map risks including prompt injection, data exfiltration through model outputs, tool abuse by compromised agents, and jailbreak techniques that bypass content policies.

Each threat is assessed for likelihood and impact within your specific deployment context. A customer-facing chatbot has a different risk profile than an internal code-generation tool. The threat model reflects these differences rather than applying a generic checklist.

Fry Express produces threat models as working documents that evolve with your application. New features, new tool integrations, and new model capabilities trigger updates, not a full reassessment.

Policy Enforcement, Safe Tool Use, and Output Constraints

Guardrails are only effective if they cannot be bypassed by clever prompting. We implement policy enforcement layers that validate inputs before they reach the model and constrain outputs before they reach the user or downstream system. These layers operate independently of the model itself, so they remain effective regardless of which provider or version is in use.

Safe tool use controls ensure that agents can only invoke tools within their defined permission scope and that tool inputs are validated against expected schemas. An agent instructed to query a database cannot be manipulated into executing arbitrary commands.

Output constraints enforce format, length, content policy, and data classification rules. Responses that violate constraints are blocked, logged, and optionally rerouted for human review.

RAG Security: Access Control, Source Allowlisting, and Redaction

Retrieval-augmented generation introduces a data access layer that must be secured independently of the model. We implement access controls on the retrieval pipeline so that the model can only surface documents the requesting user is authorised to see. Source allowlisting restricts which document collections, databases, or APIs the retrieval layer can query.

Sensitive-data redaction operates as a post-retrieval filter. Before retrieved content is injected into the prompt, personally identifiable information, classified data, or content marked as restricted is detected and removed. This prevents the model from incorporating sensitive material into its response, even if the retrieval index contains it.

Fry Express tests RAG security controls with adversarial queries designed to circumvent access boundaries. The controls are validated, not assumed.

Data Governance: Retention, PII Handling, and Environment Separation

AI systems that process real data must comply with the same data governance standards as any other production service. We establish retention rules that define how long prompts, responses, and intermediate data are stored, and ensure that deletion policies are enforced automatically.

PII handling covers detection, classification, and appropriate treatment throughout the pipeline. Data that enters the system is classified at ingestion; data that leaves the system is checked against classification rules before delivery. The handling rules are consistent across the application, not implemented ad hoc in individual components.

Environment separation ensures that production data does not leak into development or staging environments. Models trained or fine-tuned in development use synthetic or anonymised datasets. Fry Express enforces this separation at the infrastructure level, not through policy documents alone.

Red Teaming, Adversarial Testing, and Operational Controls

Security controls must be tested under adversarial conditions, not just reviewed in documentation. We conduct red teaming exercises that simulate realistic attack scenarios against your LLM and agent applications: prompt injection campaigns, multi-step social engineering through agent interfaces, data extraction attempts, and privilege escalation through tool chains.

Findings from red teaming feed directly into guardrail improvements, policy updates, and monitoring rules. Each finding includes a reproduction path, a severity assessment, and a remediation recommendation.

Operational controls close the loop: monitoring and audit logs detect anomalous behaviour in production, and incident playbooks define the response when a security event is identified. Alerts are tuned to the threat model so that security-relevant signals are not lost in operational noise.

These deliverables establish a security posture for AI systems that is tested, governed, and operationally maintained. Threats are modelled before they materialise, guardrails are enforced at every layer, and the team has the tools and processes to detect and respond to incidents when they occur.