The NVIDIA AI Red Team (AIRT) has pinpointed several critical vulnerabilities in AI-enabled systems, particularly those utilizing large language models (LLMs). One major risk stems from executing LLM-generated code using functions like exec or eval without proper isolation. If attackers manipulate the LLM to produce malicious code, executing that code can result in remote code execution (RCE), allowing them to control the application environment. The recommended approach is to avoid these risky functions and instead parse LLM responses for intent, mapping them to a safe set of functions. If dynamic code execution is necessary, it should occur in a secure, isolated sandbox environment. Another significant vulnerability lies in retrieval-augmented generation (RAG) data sources. Inadequate access controls can expose sensitive information to unauthorized users. For instance, if the original permissions on documents aren’t properly set, users might access confidential data. Additionally, broad write access to the RAG data store can lead to indirect prompt injection attacks. Mitigation strategies include reviewing authorization management and implementing content security policies to restrict data exfiltration. For applications that summarize emails or documents, segmenting access based on user roles can help limit exposure to malicious data. The third vulnerability involves active content rendering of LLM outputs, which can facilitate data exfiltration. Attackers can embed links or images that, when rendered, send sensitive information to their servers. To combat this, AIRT suggests enforcing content security policies that restrict image loading to trusted domains, sanitizing LLM outputs to eliminate active content, and considering disabling such content in the user interface entirely. These actions can help protect against the potential risks posed by LLMs and ensure more secure application development.