AI Governance Library

Design Principles for LLM-based Systems with Zero Trust

A key message is that blind trust in LLM systems is not advisable, and the fully autonomous operation of such systems without human oversight is not recommended.
⚡ Quick Summary

This joint report by Germany’s BSI and France’s ANSSI offers a principled framework for securing LLM-based systems through the lens of Zero Trust Architecture. It identifies risks unique to agentic and multi-modal LLM applications—such as prompt injection, data leakage, and escalation of privileges—and lays out a set of six design principles to harden these systems at the application layer. The report emphasizes proactive defense, human oversight, and verification-by-default as essential to building secure and trustworthy AI agents. It’s a foundational document for government, enterprise, and critical infrastructure actors deploying LLMs in sensitive or autonomous environments.

🧩 What’s Covered

The document is structured around six design principles, each introduced with a definition, risk scenarios, and recommended mitigations:

  1. Authentication and Authorization
    • Ensures access control for users, agents, and components.
    • Highlights risks like privilege escalation, unrevoked admin rights, and RAG-based data leaks.
    • Recommends MFA, attribute-based access control, and multi-tenant segregation.
  2. Input and Output Restrictions
    • Focuses on preventing prompt injection and data exfiltration.
    • Introduces mitigations like input tagging, gateways, trust algorithms, and human-in-the-loop output control.
    • Warns against markdown injection and external tool misuse.
  3. Sandboxing
    • Advocates for memory isolation, network segmentation, and internet access restrictions.
    • Describes risks from shared session memory, recursive LLM loops, and untrusted plugins.
    • Emphasizes context window hygiene and environment segregation.
  4. Monitoring, Reporting, and Controlling
    • Stresses the need for real-time observation and threat detection.
    • Provides mitigations like token limits, logging, anomaly detection, and automated threat responses.
  5. Threat Intelligence
    • Encourages integration of real-time threat feeds and red teaming.
    • Targets supply chain attacks and novel prompt injection techniques.
  6. Awareness
    • Recognizes the human factor as critical in Zero Trust environments.
    • Recommends red teaming, security training, and stakeholder education on LLM-specific risks.
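As an added illustration (not code from the report or from this library) of how principles 1, 2 and 4 combine in an agent's control loop, the sketch below tags every context segment with a trust tier, authorizes tool calls deny-by-default against a hypothetical policy table that demands human approval for sensitive actions, enforces a per-session token budget, and keeps an audit log. The tool names, trust tiers, policy table and sample segments are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

# Input tagging: every piece of context carries the trust tier of its origin.
class Trust(IntEnum):
    UNTRUSTED = 0   # retrieved documents, web pages, tool output
    USER = 1        # authenticated end-user turn
    SYSTEM = 2      # operator-controlled system prompt

@dataclass(frozen=True)
class Segment:
    text: str
    trust: Trust
    source: str     # e.g. "user", "rag:doc-17", "tool:web" (constructed labels)

# Hypothetical tool policy: minimum trust tier of the instruction's origin,
# and whether a human must confirm before execution (human-in-the-loop).
TOOL_POLICY = {
    "search_docs":    (Trust.USER, False),
    "send_email":     (Trust.USER, True),
    "delete_records": (Trust.SYSTEM, True),
}

AUDIT_LOG: list[str] = []   # monitoring/reporting: every decision is recorded

def authorize_tool_call(tool: str, origin: Segment,
                        human_approved: bool = False) -> tuple[bool, str]:
    """Deny by default: allow only if the tool is listed, the origin segment's
    trust meets the tool's threshold and, where required, a human approved."""
    if tool not in TOOL_POLICY:
        verdict = (False, f"unknown tool {tool!r}")
    else:
        min_trust, needs_human = TOOL_POLICY[tool]
        if origin.trust < min_trust:
            verdict = (False, f"origin {origin.source} is {origin.trust.name}, "
                              f"needs {min_trust.name}")
        elif needs_human and not human_approved:
            verdict = (False, "awaiting human approval")
        else:
            verdict = (True, "ok")
    AUDIT_LOG.append(f"{tool} <- {origin.source}: "
                     f"{'ALLOW' if verdict[0] else 'DENY'} ({verdict[1]})")
    return verdict

class TokenBudget:
    """Per-session token limit; refuses further generation once exhausted."""
    def __init__(self, limit: int):
        self.limit, self.used = limit, 0
    def spend(self, n: int) -> bool:
        if self.used + n > self.limit:
            AUDIT_LOG.append(f"token budget exceeded: {self.used}+{n} > {self.limit}")
            return False
        self.used += n
        return True
```

An instruction that surfaces inside a retrieved document is tagged UNTRUSTED at ingestion, so it can never satisfy the USER threshold no matter how it is phrased; the audit log is what an anomaly detector would consume.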

The report concludes by rejecting fully autonomous LLM agents for sensitive use cases and argues for human-centric design, explainability, and constrained system autonomy.

💡 Why it matters?

This report offers one of the first government-backed, system-level frameworks for securing LLM-based applications. While much AI security guidance focuses on model robustness or dataset curation, BSI and ANSSI pivot toward end-to-end operational resilience—emphasizing orchestration, memory boundaries, and access controls. The Zero Trust lens is especially timely as LLMs shift from single-user assistants to autonomous agents operating across networks, APIs, and multi-agent systems. This paper bridges AI safety with practical cybersecurity—providing a shared vocabulary for regulators, developers, and infrastructure operators.

❓ What’s Missing

  • Development Phase Gaps: While the paper mentions training and data security, its primary focus is the application layer—leaving out threats during model development, pretraining, and fine-tuning.
  • No Tooling or Frameworks: The report avoids naming specific technologies (e.g., LangChain, Guardrails, Constellation) that implement these principles in practice.
  • Cloud & Supply Chain Security: Risks tied to hosting environments (e.g., shared GPU resources or container leakage) are explicitly excluded.
  • Limited AI-Specific Metrics: There’s no reference to AI-specific evaluation metrics (e.g., jailbreak resistance, hallucination scoring) despite their relevance for Zero Trust policy enforcement.

👥 Best For

  • System Architects & Security Engineers building LLM-integrated applications.
  • Government & Critical Infrastructure Teams deploying AI in regulated environments.
  • AI Governance Professionals designing risk frameworks and policies.
  • CISOs & Red Teamers seeking practical hardening measures for prompt injection and agent misuse.

📄 Source Details

  • Title: Design Principles for LLM-based Systems with Zero Trust
  • Authors: German Federal Office for Information Security (BSI) and French ANSSI
  • Last Updated: August 2025
  • Scope: Application-layer design for LLM-based systems
  • Notable References: OWASP Top 10 for LLMs (2025), NIST Zero Trust (2020), EU AI Act (2024)

📝 Thanks to

The German BSI and French ANSSI for delivering a forward-thinking, vendor-neutral security guide that merges classical Zero Trust principles with emerging LLM-specific risks.

About the author
Jakub Szarmach
