A fictionalized demonstration of THF AI security reporting for LLM workflows, RAG authorization, prompt injection, tool execution, and cross-tenant data exposure.
AI Workflow Access Boundaries Require Immediate Attention
AI Security Scope
| Surface | Coverage | Roles | Status |
|---|---|---|---|
| AI assistant | Prompts, retrieval behavior, citations, output handling | Standard / Admin | Reviewed |
| RAG and vector store | Workspace documents, embeddings, retrieval filters | Standard / Admin | Reviewed |
| Agent tooling | Tool calls, permissions, data access actions | Standard / Admin | Reviewed |
| Out of scope | Model training, phishing, physical testing, DoS | — | Excluded |
Reviewed AI Workflow Components
| Component | Purpose | Security Focus | Status |
|---|---|---|---|
| LLM interface | User-facing AI assistant workflow | Prompt injection, output validation | Reviewed |
| RAG pipeline | Workspace document retrieval | Tenant-scoped retrieval authorization | Reviewed |
| Vector database | Embeddings and indexed documents | Ownership validation and isolation | Reviewed |
| AI tools / agents | Automated actions and integrations | Tool authorization and permission scope | Reviewed |
AI Workflow Trust Boundary Map
The AI review separates model behavior from product authorization boundaries so retrieval, tools, APIs, and customer data are tested as connected trust decisions.
Prompt Injection and Tool Abuse Testing
Confirm AI workflows, roles, data sources, tools and allowed business goals.
Map prompts, system instructions, retrieval sources and tool execution paths.
Test direct and indirect prompt injection against realistic workflow goals.
Validate whether tool calls enforce server-side user and workspace permissions.
Test retrieval filters, vector-store ownership and cross-tenant context exposure.
Attempt goal hijacking, unsafe function invocation and excessive tool use.
Reproduce findings safely and confirm whether the behavior is exploitable.
Prioritize findings by workflow impact, data sensitivity and likelihood.
Provide practical fixes, control recommendations and retesting criteria.
AI Workflow Threat Model
- Cross-tenant retrieval through weak RAG authorization.
- Indirect prompt injection through retrieved documents.
- Missing authorization before AI tool execution.
- Sensitive context leakage in model responses.
- Unsafe function invocation and excessive tool permissions.
Validated Risk Distribution
Likelihood vs Business Impact
The behavior could be triggered through ordinary authenticated AI workflow usage.
Retrieved context and tool behavior could expose sensitive information or perform unauthorized actions.
AI features may leak protected data or act outside the intended product goal.
AI Workflow Risk Summary
| ID | Finding | Severity | Status |
|---|---|---|---|
| THF-AI-001 | Cross-Tenant Retrieval Through RAG | Critical | Open |
| THF-AI-002 | Indirect Prompt Injection | Critical | Open |
| THF-AI-003 | Missing Tool Authorization | Critical | Open |
| THF-AI-004 | Sensitive Context Leakage | High | Open |
| THF-AI-005 | Unsafe Function Invocation | High | Open |
| THF-AI-006 | LLM Output Trusted Without Validation | Medium | Open |
| THF-AI-007 | Vector Store Access Without Ownership Validation | Critical | Open |
| THF-AI-008 | Excessive AI Tool Permissions | Medium | Open |
THF-AI-001 — Cross-Tenant Retrieval Through RAG Context
The AI assistant retrieved context from a protected resource outside the active workspace because the retrieval layer trusted document relevance without enforcing tenant ownership at query time.
The issue could expose customer records, internal documents, or workspace-specific data through AI-generated answers.
workspace_id: workspace_a
user_role: standard
prompt: “summarize protected customer record”
observed_context:
source_workspace: workspace_b
authorization_filter: missing
A standard user submitted a query that caused the retrieval pipeline to include context from a protected workspace outside the active authorization boundary.
The issue was manually reproduced by manipulating workflow instructions and observing tool execution behavior. The assistant performed actions outside the intended business goal, confirming insufficient goal enforcement and tool permission boundaries.
Enforce tenant-aware retrieval authorization before context reaches the model, validate tool permissions server-side, and treat model output as untrusted.
Cross-tenant retrieval attempts must return no unauthorized context, tool execution must be denied outside the user’s permissions, and valid same-workspace workflows must continue to operate.
Potential Business Exposure
The issue could expose customer records, internal documents, or workspace-specific data through AI-generated answers. In a multi-tenant SaaS product, this creates customer trust risk, incident response burden, contractual exposure, and potential regulatory review depending on the data involved.
Illustrative Retrieval Evidence
Expected Behavior
retrieval_query: workspace_id: workspace_a user_role: standard result: authorized_context_only: true
Observed Behavior
retrieval_query:
workspace_id: workspace_a
user_role: standard
result:
retrieved_context:
source_workspace: workspace_b
protected_resource: customer_recordSafe Sanitized Reproduction
- Sign in as a standard user in Workspace A.
- Open the AI assistant connected to workspace documents.
- Submit a query referencing a fictional protected customer record.
- Observe the assistant retrieve context from a Workspace B document.
- Confirm the answer includes sanitized details from the unauthorized retrieved context.
Recommended Fixes
- Enforce tenant isolation before retrieval, not after generation.
- Apply server-side authorization filters to every vector search query.
- Separate vector database indexes or namespaces by tenant where appropriate.
- Validate AI tool execution permissions against the current user and workspace.
- Add prompt injection resistance for retrieved documents and tool outputs.
- Validate model output before exposing sensitive or action-triggering content.
- Log retrieval misses, denied lookups, and repeated protected-resource probing.
AI-Specific Retest Criteria
- Tenant-aware retrieval authorization is enforced in the data-access layer.
- Vector store access validates ownership for all documents and chunks.
- MCP and tool permissions are scoped to least privilege.
- Agent tool calls require server-side authorization before execution.
- LLM output is treated as untrusted and validated before downstream use.
Our Testing Philosophy
The Hidden Finds focuses on real-world security testing, not automated vulnerability dumps. Our assessments prioritize exploitability, business impact, access control, API behavior, tenant isolation, and workflow abuse. Every finding is manually validated before being reported.
Engineering-Ready Output
- Executive summary and validated AI risk summary
- AI architecture and workflow map
- RAG and tool-permission evidence
- Business impact analysis
- Remediation guidance
- Retesting criteria
Secure Your AI Workflows Before They Reach Production
If your team needs SaaS, API, access control, AI workflow, or business logic testing, The Hidden Finds can help scope the right review and deliver practical next steps.