Security is a major concern for us. When exposing local functions to an LLM via Semantic Kernel plugins, how can we prevent a user from "tricking" the model into executing unauthorized commands? Are there built-in filters for input validation?
3 answers
To secure a Semantic Kernel application, you must adopt a "Zero Trust" approach to AI-generated inputs. Use "Function Filters" (introduced in later versions) to intercept calls before they reach your native code. This allows you to inspect the arguments the LLM is attempting to pass. Additionally, ensure your native functions use strict type checking and range validation. Never let the Semantic Kernel have direct access to a database; instead, wrap your data access in an API layer with its own Authentication and RBAC (Role-Based Access Control) to limit what the agent can actually touch.
Would you recommend using a separate "Moderation Agent" to screen the user's prompt before it even reaches the main Semantic Kernel loop? Or is that just adding unnecessary cost and latency to the system?
We've had success using Pydantic in Python to validate the dictionary outputs from the Semantic Kernel before our business logic processes them. It adds a reliable layer of defense.
Typing and schema validation are indeed the first line of defense. It forces the Semantic Kernel to adhere to a structure that your backend expects, preventing arbitrary code execution.
Brandon, it depends on the risk. For high-stakes operations, a moderation layer is a must. However, Semantic Kernel allows you to integrate the Azure OpenAI Content Safety filter directly into the kernel configuration, which is a more cost-effective way to catch malicious intent without needing a second LLM call for every single user message.