AI copilots are rapidly becoming the operational nerve centre for many organisations, but their usefulness brings concentrated security risk across the entire data pipeline. According to the original presentation by Andra Lezza, Principal AppSec Specialist, the core challenge is protecting sensitive material (intellectual property, financial records and personally identifiable information) from ingestion through monitoring, because persistent access to, or leakage of, that data creates major liability for firms. [1]
Many threats are familiar to application-security teams, but they take new forms in LLM-based assistants. Traditional failures such as broken access control, misconfiguration and insecure third‑party components still dominate: industry guidance stresses that roughly 85% of AI security is “traditional security done well” adapted to new interfaces like prompts, plugins and embedding services. At the same time, generative models introduce novel risks (system prompt leakage, vector/embedding weaknesses in retrieval-augmented generation, and intrinsic misinformation or hallucination) that demand fresh controls. [1][6]
Two deployment patterns illustrate the trade-offs. An independent copilot is tightly embedded in a single product and can offer deep domain logic and faster responses, but deeper access to specific datasets increases the potential impact of targeted attacks such as data poisoning or cached-data disclosure. An integrated, multi‑tenant copilot scales across products with shared services and generic skills, but creates a complex permission matrix and a larger attack surface for cross‑tenant data leakage and lateral movement. Lezza emphasises there is no inherently safer architecture; security depends on implementation. [1]
Prompt injection remains a particularly intractable problem: a user-supplied input can alter an assistant’s behaviour, exfiltrate system prompts or cause the model to request privileged actions. Mitigations combine prompt engineering, runtime guardrails and templated job definitions that limit the model’s view of data and the actions it may request. Lezza recommends a defence‑in‑depth approach that validates both inputs and outputs and funnels LLM interactions through constrained templates and skills. Industry guidance and vendor tools (for example, cloud providers’ built‑in guardrails) should be used where appropriate, but researchers continue to find weaknesses in real‑world agents. [1][3][4]
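To make the defence‑in‑depth idea concrete, the following is a minimal sketch of input/output validation combined with a constrained job template. The deny‑list patterns, secret regex and `TEMPLATE` string are illustrative assumptions, not patterns from the presentation; real guardrails would use maintained rule sets or vendor tooling rather than two regexes.

```python
import re

# Hypothetical deny-list: phrasings commonly seen in prompt-injection attempts.
INJECTION_PATTERNS = [
    r"ignore (all|previous|prior) instructions",
    r"reveal .*system prompt",
]
# Hypothetical secret shape (e.g. an API key) that must never leave the system.
SECRET_PATTERN = re.compile(r"sk-[A-Za-z0-9]{20,}")

def validate_input(user_text: str) -> bool:
    """Reject inputs matching known injection phrasings (input guardrail)."""
    lowered = user_text.lower()
    return not any(re.search(p, lowered) for p in INJECTION_PATTERNS)

def validate_output(model_text: str) -> bool:
    """Block responses that appear to leak credentials (output guardrail)."""
    return SECRET_PATTERN.search(model_text) is None

def render_job(template: str, user_text: str) -> str:
    """Funnel the request through a fixed template that limits the model's
    view of data and the actions it may describe."""
    return template.format(task=user_text)

# Assumed example template confining the assistant to a single job.
TEMPLATE = "You are a billing assistant. Answer only this task: {task}"
```

Validating both directions matters because an injected instruction that slips past the input check can still be caught when the model's output tries to exfiltrate something sensitive.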
Supply‑chain threats extend from CI/CD tool compromise to poisoned training data and malicious models. The presentation highlights controls such as model‑hash verification, safetensors or other safe file formats, behavioural testing and AI “red‑teaming” to detect backdoors or harmful outputs before deployment. Recent academic work has formalised evaluation frameworks for agent security: for example, ASTRA tests system‑prompt‑level guardrails and autonomous agent behaviour against attacks inspired by the OWASP LLM Top Ten, demonstrating wide variance in models’ ability to respect boundaries. [1][2]
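Model‑hash verification is straightforward to sketch: before loading any artifact, compare its digest against a value pinned from a trusted registry. The function names and the idea of a pinned SHA‑256 are assumptions for illustration; production pipelines would typically pair this with signature verification (e.g. Sigstore) rather than a bare hash check.

```python
import hashlib
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large model artifacts don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(8192), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_model(path: Path, expected_sha256: str) -> bool:
    """Refuse to load an artifact whose digest differs from the pinned value."""
    return sha256_of(path) == expected_sha256
```

A tampered or swapped model file fails the comparison, so the load step becomes a gate rather than a blind deserialisation, which is also why safe formats like safetensors (no arbitrary code execution on load) complement the check.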
Operational controls map to the five‑stage AI pipeline Lezza outlines: secure ingestion (encryption, provenance and automated compliance checks); transformation and training (adversarial training, differential privacy); deployment (immutable artifacts, signed containers, SBOMs); and monitoring (real‑time auditing, continuous feedback into retraining). DevSecOps practices (SAST/DAST, SBOMs, Sigstore signing, ephemeral training environments) remain essential to reduce the risk surface around model artefacts and dependencies. [1][6]
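An automated compliance check at the ingestion stage might look like the following sketch: require provenance metadata on every record and reject obvious unredacted PII before it reaches training. The `Record` shape and the single email regex are assumptions; real pipelines would use dedicated PII scanners and richer provenance schemas.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed, deliberately simple PII detector for the sketch.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

@dataclass
class Record:
    text: str
    source: Optional[str]  # provenance: where the record came from

def ingest_check(rec: Record) -> bool:
    """Compliance gate: reject records with no provenance or with raw PII."""
    if not rec.source:
        return False
    return EMAIL.search(rec.text) is None
```

Failing closed at ingestion is what lets the later stages treat the training corpus as attested rather than re‑scanning everything downstream.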
Access control must be granular and derived from user tokens and session context; Lezza describes On‑Behalf‑Of scoped tokens and recommends deriving the copilot’s least‑privilege scope from the requesting user’s permissions. Organisations should consider ACLs, RBAC or ABAC as fits their environment, plus tenant segregation, rate limiting and strict auditing to limit financial and availability abuse (for instance, token‑draining floods of LLM requests). Several practitioner guides reinforce these mitigations and the need for proactive governance of third‑party integrations. [1][4][5]
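The On‑Behalf‑Of and rate‑limiting points can be sketched together: the copilot's effective scope is the intersection of the requesting user's permissions and the copilot's own declared capabilities, and a per‑tenant limiter blunts token‑draining floods. Class and function names here are assumptions, and the fixed‑window limiter is one of several viable designs.

```python
import time
from collections import defaultdict, deque

def derive_scopes(user_scopes: set, copilot_capabilities: set) -> set:
    """On-Behalf-Of style least privilege: the copilot never holds a scope
    the requesting user does not already have."""
    return user_scopes & copilot_capabilities

class RateLimiter:
    """Sliding-window limiter to cap LLM requests per tenant."""

    def __init__(self, max_calls: int, window_s: float):
        self.max_calls = max_calls
        self.window_s = window_s
        self.calls = defaultdict(deque)  # tenant -> timestamps

    def allow(self, tenant: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.calls[tenant]
        while q and now - q[0] > self.window_s:
            q.popleft()  # drop calls outside the window
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True
```

Deriving scopes from the user's token, rather than granting the copilot a standing service identity, means a compromised assistant can only reach what the current user could reach anyway.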
Because many of the OWASP LLM Top Ten and practitioner blogs converge on similar mitigations, a practical mitigation programme is to: (1) adopt templates and guardrails that strictly confine the model’s visibility and actions; (2) vet and sign models and dependencies; (3) perform continuous model behaviour testing and red‑teaming; and (4) instrument detailed logging and provenance to detect caching, leakage or pivoting attempts. Active monitoring and human‑in‑the‑loop gates, together with quantified risk‑assessment workflows, are essential as the landscape and regulatory expectations evolve. [3][4][5][6][7]
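Point (4), detailed logging to detect pivoting, might be instrumented as below: every copilot action emits a structured audit record, and a simple check flags sessions that touch more than one tenant. The record fields and the single-heuristic alert are assumptions for illustration; real detection would feed a SIEM with far richer signals.

```python
import json
import time

def audit_event(user: str, tenant: str, action: str, resource: str) -> str:
    """Emit one structured, machine-parseable audit record per copilot action."""
    return json.dumps({
        "ts": time.time(),
        "user": user,
        "tenant": tenant,
        "action": action,
        "resource": resource,
    })

def cross_tenant_alert(events: list, user: str) -> bool:
    """Flag a user whose events span multiple tenants (possible pivoting)."""
    tenants = {e["tenant"] for e in events if e["user"] == user}
    return len(tenants) > 1
```

Because the records are structured JSON rather than free text, the same stream supports both the provenance trail and automated detection of caching, leakage or pivoting attempts.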
Securing AI assistants is therefore an extension of established secure‑engineering practice adapted for the particularities of LLMs: generative failure modes, embedding vectors and agentic capabilities. The practical advice is defence in depth, granular least‑privilege controls, continuous testing (including adversarial scenarios) and tight supply‑chain hygiene, supplemented by the latest evaluation frameworks and threat models so organisations can validate that their guardrails actually hold in the face of novel attacks. [1][2][3][6]
📌 Reference Map:
- [1] (InfoQ transcript of Andra Lezza presentation) - Paragraph 1, Paragraph 2, Paragraph 3, Paragraph 4, Paragraph 5, Paragraph 6, Paragraph 7, Paragraph 8, Paragraph 9
- [2] (arXiv ASTRA paper) - Paragraph 5, Paragraph 9
- [3] (ActiveFence blog) - Paragraph 4, Paragraph 8, Paragraph 9
- [4] (Protecto.ai blog) - Paragraph 4, Paragraph 6, Paragraph 8
- [5] (Medium: OWASP LLM Top 10) - Paragraph 8
- [6] (OWASP GenAI data security white paper) - Paragraph 2, Paragraph 6, Paragraph 9
- [7] (Bugcrowd blog) - Paragraph 8
Source: Noah Wire Services