Search papers, labs, and topics across Lattice.
This paper systematically reviews vulnerabilities in large language model (LLM) systems by analyzing the entire lifecycle and application stack, emphasizing how risks extend beyond model weights to include interactions with data, prompts, and user authority. The authors categorize attacks across eight stages, detailing attacker capabilities and the implications for security objectives such as confidentiality and integrity. Key findings reveal that traditional point defenses are insufficient, highlighting the need for a comprehensive understanding of trust boundaries and the amplification of model errors through delegated authority.
Trust boundaries in LLM systems are failing, allowing untrusted data to become executable instructions and amplifying model errors through delegated authority.
Large language models are no longer only text generators. They are increasingly embedded in retrieval pipelines, enterprise assistants, coding environments, robotic systems, security-operation workflows, and autonomous agents that can read private data, call tools, write files, execute code, and act across organizational boundaries. This shift changes the security problem: risks do not arise from the model weights alone, but from the full lifecycle and application stack through which data, prompts, model outputs, tools, memories, and user authority interact. This paper systematizes the literature on vulnerabilities in large language model systems through a lifecycle and application-stack lens. We organize attacks across eight stages: data collection, pretraining, post-training alignment, model packaging and supply chain, retrieval and memory, prompting and inference, tool/agent execution, and deployment/maintenance. For each stage, we analyze attacker capabilities, affected security objectives, representative attacks, practical risks, evaluation practices, and defenses. We further map LLM-specific vulnerabilities to confidentiality, integrity, availability, safety, privacy, fairness, accountability, and agency-control objectives. Unlike taxonomies that list isolated attack names, the proposed systematization emphasizes where trust boundaries fail, how untrusted data becomes executable instruction, how delegated authority amplifies model errors, and why point defenses rarely compose. We close with a research agenda for secure LLM systems, including compositional security, provenance-aware retrieval, tool-call containment, long-horizon agent evaluation, privacy-preserving adaptation, realistic red teaming, and deployment-grade incident response.