A Lifecycle and Application-Stack Survey of Large Language Model Vulnerabilities: Attacks, Risks, Defenses, and Open Problems
arXiv:2606.31639v1 (cross-listed). Abstract: Large language models are no longer only text generators. They are increasingly embedded in retrieval pipelines, enterprise assistants, coding environments, robotic systems, security-operation workflows, and autonomous agents that can read private...
This new survey from arXiv provides a comprehensive, lifecycle-based taxonomy of vulnerabilities in large language models, moving beyond the typical focus on prompt injection or jailbreaking. The paper’s key contribution is its framing: it maps threats not just to the model itself, but across the entire application stack—from data ingestion and retrieval pipelines to deployment in autonomous agents and robotic systems.
What the Research Covers
The survey systematically categorizes attacks by where they occur in the LLM lifecycle. This includes pre-training data poisoning, fine-tuning backdoors, retrieval-augmented generation (RAG) pipeline exploits, and runtime vulnerabilities in agentic workflows. It also addresses emerging risks in coding environments and security operations, where LLMs are given direct access to execute commands or modify infrastructure. The authors catalog existing defenses—such as adversarial training, input sanitization, and output monitoring—while identifying open problems like the lack of standardized benchmarks for multi-step agent attacks.
Why This Matters
This analysis arrives at a critical inflection point. LLMs are no longer isolated chat interfaces; they are being embedded as the reasoning core of enterprise tools, automated SOCs, and physical systems. The survey’s lifecycle approach reveals that the most dangerous vulnerabilities are not in the model weights but in the integration layers—the vector databases, tool-calling APIs, and memory systems that connect the model to real-world actions. A poisoned embedding in a RAG pipeline, for example, can silently alter an assistant’s responses without any direct model modification.
For security teams, this means traditional red-teaming of the model alone is insufficient. The attack surface now includes the orchestration layer, the data sources, and the permission boundaries of the tools the LLM can invoke. The survey highlights that many current defenses are reactive and model-centric, while the most impactful attacks exploit the context and agency granted to the system.
Implications for AI Practitioners
First, practitioners must adopt a defense-in-depth strategy that treats the LLM as a component within a larger, potentially hostile system. Input validation, output filtering, and strict tool-access controls are non-negotiable. Second, the survey underscores the need for lifecycle security audits—not just at deployment, but during data collection, fine-tuning, and when updating retrieval corpora. Third, the open problems section warns that current evaluation frameworks fail to capture compound attacks (e.g., a prompt injection that triggers a tool call to exfiltrate data from a memory store). Teams should build custom test harnesses that simulate multi-step, cross-layer attacks.
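One way to make the tool-access control and compound-attack harness described above concrete, as an added Python example that is not from the survey or its authors: a deny-by-default tool gate that marks the context as tainted once retrieved or memory-store content enters it and refuses data-egress tools from that point on. TOOL_POLICY, Context, and the two scenario functions are constructed assumptions for illustration.

```python
"""Tool-call policy gate with provenance tainting (hypothetical design)."""
from dataclasses import dataclass, field

# Constructed policy: which tools the agent may invoke, and which can move
# data outside the system (egress). Anything not listed is denied.
TOOL_POLICY = {
    "search_docs": {"allowed": True,  "egress": False},
    "read_memory": {"allowed": True,  "egress": False},
    "send_email":  {"allowed": True,  "egress": True},
    "run_shell":   {"allowed": False, "egress": True},
}

UNTRUSTED_SOURCES = {"retrieval", "memory", "tool_output"}

@dataclass
class Context:
    """Provenance state for one agent turn."""
    tainted: bool = False            # set once untrusted text is in context
    log: list = field(default_factory=list)

def ingest(ctx: Context, text: str, source: str) -> str:
    """Record where each piece of context came from; taint on untrusted input."""
    if source in UNTRUSTED_SOURCES:
        ctx.tainted = True
    ctx.log.append(("ingest", source))
    return text

def authorize_tool_call(ctx: Context, tool: str, args: dict) -> tuple:
    """Return (allowed, reason). Deny-by-default, egress blocked after taint."""
    policy = TOOL_POLICY.get(tool)
    if policy is None or not policy["allowed"]:
        return False, f"{tool}: not on allowlist"
    # Cross-layer rule: once retrieved/memory content is in context, no tool
    # that can send data out may run, whatever the model now "wants" to do.
    if policy["egress"] and ctx.tainted:
        return False, f"{tool}: egress denied, untrusted content in context"
    ctx.log.append(("tool", tool, sorted(args)))
    return True, "ok"

def simulate_compound_attack() -> tuple:
    """Harness for the survey's scenario: a retrieved chunk (constructed,
    assumed to carry an injected instruction) leads the agent to read the
    memory store and then try to email it out. Returns the three decisions."""
    ctx = Context()
    ingest(ctx, "User: summarise the Q3 report", "user")
    ingest(ctx, "[constructed retrieved chunk]", "retrieval")
    read_ok, _ = authorize_tool_call(ctx, "read_memory", {"key": "notes"})
    mail_ok, _ = authorize_tool_call(ctx, "send_email", {"to": "x@example.invalid"})
    shell_ok, _ = authorize_tool_call(ctx, "run_shell", {"cmd": "id"})
    return read_ok, mail_ok, shell_ok   # expected: (True, False, False)

def simulate_benign_turn() -> bool:
    """Same egress tool, but only user-authored context: allowed."""
    ctx = Context()
    ingest(ctx, "User: email my draft to me", "user")
    return authorize_tool_call(ctx, "send_email", {"to": "me@example.invalid"})[0]
```

The read of the memory store is still permitted here; the gate stops the step that turns it into exfiltration, which is the compound behaviour the survey says single-layer evaluations miss.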
Key Takeaways
- Vulnerabilities are shifting from the model to the stack: The most critical risks now lie in RAG pipelines, tool-calling APIs, and agent memory systems, not just in the LLM weights.
- Lifecycle thinking is essential: Security must be applied across pre-training, fine-tuning, deployment, and runtime—not as a one-time red-team exercise.
- Current defenses lag behind agentic threats: Standard benchmarks do not cover multi-step, cross-layer attacks, leaving a gap in evaluation practices.
- Practitioners need system-level security audits: Treat the LLM as a privileged component in a larger system, enforcing strict access controls and input/output monitoring at every integration point.