LLM Primer VII — Series Introduction & Index

Published on: 2026-05-09 Last updated on: 2026-07-13 Version: 2
LLM Primer VII — Series Introduction & Index

LLM Primer VII — Series Introduction & Index

A chapter-by-chapter walkthrough of LLM Primer VII: AI Security — the series finale, where the LLM Primer's engineering arc lands on the discipline that decides whether any of it survives adversaries, regulators, or the daily failure modes of probabilistic systems.


Why this series exists

In traditional security, code and data are different things. Parsers, escapes, and parameterised queries all rest on that separation. In LLM systems, the same string that carries the developer's instructions also carries the user's input, the retrieved document, the tool result, and whatever the model saw during training that resembles any of these. There is no syntactic position provably inert to a transformer, and no substring the model is guaranteed to read as data rather than as instruction. That structural collision is why prompt injection, jailbreaks, and adversarial attacks are not implementation bugs to patch but design consequences to manage. The security discipline for LLM systems inherits the vocabulary of traditional security — assets, adversaries, controls, incidents — and rebuilds the substrate underneath it. Volume VII is that rebuild written down, from the threat model to the regulatory perimeter.

The book in one sentence: LLM security is the discipline of defending systems whose most powerful component is a probabilistic function that reads all input as potentially instructional, and whose failure modes therefore have to be managed through architecture, evaluation, observability, and governance rather than through patches.

Who I wrote this for

Security engineers who now own an LLM in production and are wondering which parts of their existing playbook still apply. ML engineers who trained or fine-tuned the model and now have to reason about who might attack it. Platform leads and SREs who run the inference stack and get paged when abuse patterns spike. CISOs who have to sign off on AI deployments and answer to boards, regulators, and auditors about what "safe" means when the component in question emits probability distributions. The book assumes fluency with production engineering and does not assume prior familiarity with adversarial ML; it builds the model-centric parts from first principles and connects them to the existing security disciplines where the connection is real.

How to read it

The seventeen chapters divide into six parts. Chapters 1–3 build the foundations — why AI security is different, how to threat-model an LLM system, and the data dimension across its lifecycle. Chapters 4–6 walk the prompt-and-interaction layer: prompt injection, input and output filtering, and retrieval-augmented generation. Chapters 7–9 walk the model itself: hallucinations as a reliability failure, adversarial attacks, and the model supply chain. Chapters 10–12 walk the system architecture around the model — isolation, observability, and access control. Chapters 13–15 walk the governance perimeter — regulation, responsible AI, and the organisation that carries the discipline. Chapter 16 walks fine-tuning as its own security surface, and Chapter 17 closes with the emerging threats that are still forming.

The 17-chapter walk

Between May 10 and May 26 the walkthrough posts one chapter per day. Each article distills the chapter's three key ideas into roughly a five-minute read; the book chapter carries the worked examples, the code, and the In Plain English sidebars.

The LLM Primer series concludes here: Volume I built the foundations of transformer architecture, Volume II the mathematics of training and alignment, Volume III the retrieval-augmented generation pipeline, Volume IV the protocol-shaped cognition and tooling that surrounds it, Volume V the production applications, Volume VI the inference infrastructure at scale — and Volume VII is where all six meet the adversary. The Physical AI companion volume extends the map into embodied systems, where the same probabilistic substrate now controls actuators and shares physical space with humans.

About this book and the series

The LLM Primer series is seven volumes written by Sho Shimoda, published on Amazon KDP and read chapter-by-chapter here on the ReceiptRoller blog. The series argues that building with LLMs is a systems discipline, and that the discipline is best learned by walking each layer of the stack in mechanism-first prose rather than checklist form. Volume VII closes that arc. It is the security volume, and it is also the volume that reads back through the other six with an adversarial lens — the retrieval pipeline of Volume III as an injection channel, the inference stack of Volume VI as a rate-limit boundary, the alignment work of Volume II as an attack surface for fine-tuning. Where the earlier volumes said "here is how it works," this one says "here is how it can be made to fail, and what to do about it."

Grab a copy. The book has the full worked examples, the runnable Python for redaction, guardrails, and rollback, the YAML for OPA policies and CI evaluation gates, the incident playbooks in longer form, and the In Plain English sidebars that these articles only summarise. LLM Primer VII on Amazon →

SHO
SHO
CTO of Receipt Roller Inc., he builds innovative AI solutions and writes to make large language models more understandable, sharing both practical uses and behind-the-scenes insights.