Four ways organizations meet LLMs
The same nominal risk — for example, data leakage — manifests entirely differently depending on how an organization integrates LLM capability. An employee pasting client text into a public web interface is not the same risk as a retrieval-augmented generation (RAG) pipeline accidentally pulling restricted internal documents. The control settings required to address each are different in kind, not in degree. The framework therefore distinguishes four deployment archetypes and scores every applicable control independently for each.
Direct
Definition
Direct employee use of external LLM services — typically ChatGPT, Claude, Gemini, or similar consumer-grade interfaces accessed through a web browser or mobile application, without organizational mediation.
Risk profile
Risk is driven by uncontrolled prompting, data disclosure, and weak organizational visibility. Employees commonly paste source code, client data, draft contracts, internal communications, or strategic documents into the prompt window with no awareness of where the data goes or how it is retained. The organization has no log, no DLP signal, and no formal record that the interaction occurred.
Control implications
Most ISO 27002 controls were designed for deterministic systems where the organization controls the boundary. Under Direct, the boundary is the employee's intent, which is invisible to telemetry. Controls that work elsewhere — DLP, access logging, supplier oversight — become structurally inapplicable. This is the archetype where the framework expects to find the most Design Gaps.
Enterprise
Definition
Enterprise-embedded assistants integrated into productivity or collaboration environments — Microsoft 365 Copilot, Google Workspace Gemini, Slack AI, Notion AI, Atlassian Rovo, and similar in-product capabilities. The vendor is typically the productivity-suite vendor or a closely integrated partner.
Risk profile
Broad accessibility and default workflow integration normalize AI use before governance catches up. Because the assistant inherits the user's permissions on the productivity environment, it can summarize, retrieve, or generate content that touches sensitive records the user already has access to — but the audit trail does not always reflect that the AI was the agent.
Control implications
Many traditional controls partially apply (identity, access, logging are inherited from the productivity suite). The gap is typically in specificity — controls exist but treat the AI as a passive integration rather than as an active agent making decisions on the user's behalf.
Application
Definition
Application-level integration through external model APIs (OpenAI, Anthropic, Google, Mistral, open-source models on managed inference platforms). The organization builds custom applications — chatbots, retrieval pipelines, agentic workflows — that call LLM APIs as a component.
Risk profile
Risk concentrates in architecture, privilege design, prompt orchestration, retrieval pipelines, and automated downstream actions. This is where prompt injection most often becomes a structural risk, because untrusted inputs (user prompts, retrieved documents, third-party tools) flow through the same channel as trusted instructions.
Control implications
Secure development lifecycle, logging, and supplier oversight controls have direct application. The gap is typically in operationalizability — the controls are written for traditional software and do not specify the prompt-, retrieval-, or tool-mediated failure modes that dominate LLM applications.
Fine-Tuned
Definition
Internally managed or fine-tuned models — running on the organization's own infrastructure or a private cloud, with custom training data, internal serving stacks, and full lifecycle ownership.
Risk profile
The organization bears more direct responsibility for training data, model maintenance, logging, access control, and performance degradation. Data poisoning and model poisoning become first-order concerns; supplier exposure decreases but is replaced by internal change-management exposure.
Control implications
This is where ISO 27002 controls most closely resemble their original use case (the organization controls the boundary) but new threat surfaces emerge: training-data integrity, model drift, dataset provenance. The gap is typically in adaptability — controls assume static software, not models that update with new training runs.
The four archetypes are derived from observable patterns of organizational LLM adoption rather than from a vendor taxonomy. They are not exhaustive — agentic deployments and federated arrangements introduce additional patterns that the framework treats as variants of Application or Fine-Tuned. The four are sufficient to expose the fundamental control-translation problem the study is designed to surface.