rainonmoon 3 hours ago

A lot of good information for infra teams to internalise, although I worry that it gets a bit lost in the structure of the piece (there's kind of like 3-5 separate essays here but nothing a good edit couldn't fix.) One thing I'll add (or at least crystallise because I think the pieces are there) is that attack surface management is critical. A lot of the issues here are relevant in exactly the same scenario as exposing web applications. I have reported vulnerabilities in a lot of AI applications in prod and the issues aren't magic or even novel. They're typically the same authorisation and injection issues people have been talking about for decades. The methods of securing them are the same. Unfortunately it's not uncommon for companies to get compromised via a good old fashioned REST API on an exposed dev domain, but I probably wouldn't go so far as to say "REST APIs will compromise your cybersecurity posture." I would just say companies have found another tool to flex their indifference towards protecting user and company data.

112233 3 hours ago | parent [-]

Properly securing LLMs goes against branding, I guess. "This tool is like getting a new intern every 15 minutes! They read and write fast and know a lot of stuff, but can accidentally attack or sabotage you if they get distracted! Oh, and they work remotely only!" doesn't sound like a good pitch.