LLM input validation protects the pipeline from adversarial inputs, prompt injection, PII leakage, and off-topic usage. Prompt injection is the attempt to override system instructions via user input ("Ignore previous instructions..."). Defence: classify inputs before passing to LLM, sandwich system instructions around user input, use a separate injection-detection classifier. PII detection prevents sensitive data from entering LLM context.
How prompt injection works and how to defend against it.
Detecting injection patterns with regex or classifiers is an arms race. Structural defence is more robust: always send system instructions as role=system and user input as role=user. LLMs are trained to weight system messages differently than user messages.
Once PII enters an LLM context, it may be echoed in responses, logged in traces, or memorized. Redact at the boundary using Microsoft Presidio (open-source NER-based PII detector) before any LLM call.
A customer support bot trained on your product should reject 'write a poem about cats'. Add a binary topic classifier (on/off-topic for your domain). A 100M parameter classifier costs <1ms and prevents jailbreaks via legitimate-looking but off-domain inputs.
Sign in to share your feedback and join the discussion.