James Henderson

Application Security for AI-Augmented Systems

Threat modeling and hands-on controls for LLM products and AI-assisted development — prompt-injection mediation, secrets hygiene, supply-chain review, model isolation.

AI features ship faster than security review cycles. The teams building them are senior, but the attack surface is new: prompt injection, secrets leakage into model contexts, supply-chain risk in AI-augmented codebases, insufficient isolation between tenants and tools, and insecure-by-default agent wiring. This service exists to close that gap without blocking delivery.

The practice is veteran-led, threat-modeled rather than vibes-modeled, and delivered by one principal across advise, build, and verify. I do not write a slide deck and hand it to a junior to implement. The principal and the background behind this work are described on the about page.

What I ship

  • Prompt injection defense. Input and output mediation, channel separation between trusted instructions and untrusted content, tool-call allowlists, response validation, and canary tokens to detect exfiltration attempts in test and production.
  • Supply-chain review for AI-augmented codebases. Model provenance, dataset lineage, vendored agent review, pinned dependency versions, signed releases, CI gates on AI-generated diffs for authentication, cryptography, and I/O paths, and SBOM coverage that includes model artifacts.
  • Secrets hygiene in LLM contexts. Pre-flight redaction of prompts, scoped and short-lived credentials, data classification before context-window inclusion, vendor retention review, and egress logging that survives a forensic question six months later.
  • Model isolation and blast-radius control. Per-tenant context separation, sandboxed tool execution, egress allowlists, rate and cost ceilings, and anomaly circuit breakers that page a human before a runaway agent burns a quarter of your inference budget.
  • AI-assisted threat modeling. STRIDE and LINDDUN with a human in the loop, documented assumptions, and a written register of accepted risks and their compensating controls.

Where it fits

SaaS shipping "ask your data" chat

The feature is in beta. The architecture review is overdue. Customer data flows into a model context that also receives untrusted user input, and nobody has written down what happens when those two sources disagree. I review the architecture, identify the injection surface, write the mediation layer or specify it for your team to write, and verify the controls under adversarial test cases.

Regulated organizations rolling out Copilot or Claude Code

AI-assisted development tools amplify senior engineers and amplify junior mistakes equally. I write the guardrails: which repositories the tools can touch, which file paths require human review of generated diffs, how secrets and PII are kept out of model contexts, how audit trails are captured, and how the security team verifies the policy is actually enforced rather than aspirational.

Startups integrating third-party agent frameworks

Agent frameworks default to broad tool permissions because that is what makes the demo work. I review the supply chain, audit the tool wiring, isolate the blast radius per tenant, and replace default-allow tool permissions with default-deny plus an explicit allowlist. Audit logs become replayable traces; tool invocations on sensitive resources require human approval.

The top five risks I review against

  1. Prompt injection, direct and indirect. Controls: untrusted-input treatment, channel separation, tool allowlists, output validation, canary tokens.
  2. Secrets and PII leakage into LLM context. Controls: pre-flight redaction, scoped short-lived credentials, data classification, vendor retention review, egress logging.
  3. Supply-chain risk in AI-augmented codebases. Controls: human review of AI-generated diffs on auth, crypto, and I/O; SBOM coverage for model artifacts; pinned versions; signed dependencies; CI SAST and secret scanning.
  4. Insufficient model isolation and blast radius. Controls: per-tenant isolation, sandboxed tools, egress allowlists, rate and cost ceilings, anomaly circuit breakers.
  5. Insecure-by-default agent and tool wiring. Controls: default-deny tool permissions, per-tool authentication policies, audit logs, replayable traces, human-approval gates on sensitive operations.

How I work

Every engagement opens with a written scope: which systems, which data, which threat model, which controls in scope, and which are explicitly out. I deliver a threat model, a prioritized risk register, and a control catalog with concrete implementation guidance. Where the engagement includes build work, I write the controls or pair with your engineers and verify them under adversarial tests.

I do not promise a calendar-bound delivery on security work. The honest answer is that security findings drive scope, and pretending otherwise produces a worse report. What I do commit to is a written plan within the first week, weekly checkpoints, and a final report your auditors can read.

Engagement model

Review-only engagements run two to four weeks and deliver the threat model, the risk register, and the control catalog. Build-and-verify engagements run four to twelve weeks depending on scope and include implementation of controls plus an adversarial test pass. Retainer arrangements are available for organizations shipping LLM features on a continuous cadence. To scope a review, get in touch.

This service is the security arm of an AI consulting practice. If your roadmap includes an LLM product launch, the security review and the strategy advice come from the same principal.

FREQUENTLY ASKED

What is prompt injection and why does it matter?

A class of attack where untrusted content — user input, retrieved documents, tool output — hijacks the model into exfiltrating data or invoking destructive tools. Direct injection comes from the user; indirect comes from content the model retrieves. Both need engineering controls, not just policy.

Will you guarantee my LLM product is "secure"?

No. I deliver a threat model, a prioritized risk register, and a control catalog implemented in code and verified under adversarial test cases. The system is hardened against named risks. "Secure" is not a binary, and selling it that way is the amateur tell.

How is this different from a traditional pentest?

Traditional pentest assumes static attack surfaces. AI-augmented systems have new ones: prompt injection, secrets-in-LLM-context, supply-chain risk on AI-generated code, model-isolation failures, insecure-by-default agent wiring. Most of those do not show up on a classic web pentest. The work is engineering controls before the pentest, not after.

RELATED SERVICES

AI Strategy for Business

Define a practical roadmap to augment teams with AI.

Internal AI Copilots

Design and implement copilots for internal workflows.

Laravel 13 and Livewire 4 Application Engineering

Server-state-first web apps on Laravel 13 and Livewire 4 — internal portals, B2B MVPs, and content systems shipped with production defaults and tests.

C# .NET 10 and MAUI Cross-Platform Engineering

ASP.NET Core services and MAUI clients on .NET 10 — Xamarin migrations, field-force apps, and Azure-native enterprise tools from a single C# codebase.

PHP 8 Engineering and Modernization (Non-Laravel)

Senior PHP 8 hands on Symfony, WordPress, CodeIgniter, and bespoke codebases — version uplifts, security audits, integrations, and performance work without a rewrite.

Technical SEO Engineering

Forensic engineering for how search engines crawl, parse, and index a site — schema, sitemaps, Core Web Vitals, canonicals, redirects. Code in your repo, not a PDF.

AI SEO and Generative Search Optimization

Engineering that makes a site legible and quotable to AI crawlers and answer engines — llms.txt, named AI-bot policy in robots.txt, citation-friendly schema, auditable retrieval.