LLM Primer VII — Series Introduction & Index
A chapter-by-chapter walkthrough of LLM Primer VII: AI Security — the series finale, where the LLM Primer's engineering arc lands on the discipline that decides whether any of it survives adversaries, regulators, or the daily failure modes of probabilistic systems.
Why this series exists
In traditional security, code and data are different things. Parsers, escapes, and parameterised queries all rest on that separation. In LLM systems, the same string that carries the developer's instructions also carries the user's input, the retrieved document, the tool result, and whatever the model saw during training that resembles any of these. There is no syntactic position provably inert to a transformer, and no substring the model is guaranteed to read as data rather than as instruction. That structural collision is why prompt injection, jailbreaks, and adversarial attacks are not implementation bugs to patch but design consequences to manage. The security discipline for LLM systems inherits the vocabulary of traditional security — assets, adversaries, controls, incidents — and rebuilds the substrate underneath it. Volume VII is that rebuild written down, from the threat model to the regulatory perimeter.
Who I wrote this for
Security engineers who now own an LLM in production and are wondering which parts of their existing playbook still apply. ML engineers who trained or fine-tuned the model and now have to reason about who might attack it. Platform leads and SREs who run the inference stack and get paged when abuse patterns spike. CISOs who have to sign off on AI deployments and answer to boards, regulators, and auditors about what "safe" means when the component in question emits probability distributions. The book assumes fluency with production engineering and does not assume prior familiarity with adversarial ML; it builds the model-centric parts from first principles and connects them to the existing security disciplines where the connection is real.
How to read it
The seventeen chapters divide into six parts. Chapters 1–3 build the foundations — why AI security is different, how to threat-model an LLM system, and the data dimension across its lifecycle. Chapters 4–6 walk the prompt-and-interaction layer: prompt injection, input and output filtering, and retrieval-augmented generation. Chapters 7–9 walk the model itself: hallucinations as a reliability failure, adversarial attacks, and the model supply chain. Chapters 10–12 walk the system architecture around the model — isolation, observability, and access control. Chapters 13–15 walk the governance perimeter — regulation, responsible AI, and the organisation that carries the discipline. Chapter 16 walks fine-tuning as its own security surface, and Chapter 17 closes with the emerging threats that are still forming.
The 17-chapter walk
Between May 10 and May 26 the walkthrough posts one chapter per day. Each article distills the chapter's three key ideas into roughly a five-minute read; the book chapter carries the worked examples, the code, and the In Plain English sidebars.
- May 10 — Chapter 1 — Why AI Security Is Different. Traditional security vs model-centric security; why LLMs break the code/data separation and turn the behavioural envelope into the attack surface.
- May 11 — Chapter 2 — Threat Modeling for LLM Systems. STRIDE, PASTA, and MITRE ATLAS applied to LLM assets, adversaries, and attack surfaces.
- May 12 — Chapter 3 — Data Security and Privacy. Training-data risks, memorisation and extraction, the Samsung and Garante incidents, and encryption, isolation, and retention discipline.
- May 13 — Chapter 4 — Prompt Injection and Jailbreaks. Direct and indirect injection, jailbreak taxonomies, universal suffixes, and why the mitigation must be layered rather than syntactic.
- May 14 — Chapter 5 — Input Validation and Output Filtering. Sanitisation staging, structured prompting, Llama Guard, red teaming with Garak and PyRIT, and honest safety metrics.
- May 15 — Chapter 6 — Retrieval-Augmented Generation Risks. Trust boundaries in RAG, malicious document injection, index and embedding poisoning, and monitoring the retrieval path.
- May 16 — Chapter 7 — Hallucinations and Reliability. Why models fabricate, calibration and temperature scaling, hybrid verification architectures, and effective human-in-the-loop patterns.
- May 17 — Chapter 8 — Adversarial Attacks on Models. The lineage from FGSM through TextFooler to universal suffixes, black-box API attacks, and model-stealing as a confidentiality concern.
- May 18 — Chapter 9 — Model Integrity and Supply Chain Risks. BadNets, Sleeper Agents, pickle deserialisation vs safetensors, Sigstore, and monitoring for behavioural drift.
- May 19 — Chapter 10 — Designing Secure LLM Architectures. Isolation, multi-tier validation, OPA and Cedar policy engines, secure API design, and zero-trust applied to model calls.
- May 20 — Chapter 11 — Observability, Logging, and Incident Response. What to log with OpenTelemetry GenAI conventions, abuse detection, alerting, and NIST-shaped incident playbooks.
- May 21 — Chapter 12 — Access Control and Identity. OAuth, mTLS, RBAC vs ABAC, multi-tenant isolation, rate limits, and the enterprise governance overlay.
- May 22 — Chapter 13 — Regulatory Landscape. The EU AI Act's phased applicability, GDPR as it applies to AI, auditability, model cards, and risk-classification frameworks.
- May 23 — Chapter 14 — Bias, Fairness, and Responsible AI. Sources of bias, fairness benchmarks and their limits, the safety-utility trade-off, and organisational AI policy.
- May 24 — Chapter 15 — Building a Secure AI Organization. AI-specific security culture, internal red teams, vendor risk, continuous evaluation, and long-term model stewardship.
- May 25 — Chapter 16 — Secure Fine-Tuning and Adaptation. Alignment erosion through benign data, deliberate poisoning, evaluation gates in CI, and rollback discipline.
- May 26 — Chapter 17 — Future Threats and Emerging Defenses. Autonomous agents and tool-use blast radius, multimodal attack surfaces, synthetic identity, and AI-versus-AI assurance.
About this book and the series
The LLM Primer series is seven volumes written by Sho Shimoda, published on Amazon KDP and read chapter-by-chapter here on the ReceiptRoller blog. The series argues that building with LLMs is a systems discipline, and that the discipline is best learned by walking each layer of the stack in mechanism-first prose rather than checklist form. Volume VII closes that arc. It is the security volume, and it is also the volume that reads back through the other six with an adversarial lens — the retrieval pipeline of Volume III as an injection channel, the inference stack of Volume VI as a rate-limit boundary, the alignment work of Volume II as an attack surface for fine-tuning. Where the earlier volumes said "here is how it works," this one says "here is how it can be made to fail, and what to do about it."