# MASTER CONTEXT FILE: ARCHETYPE C - APPLICATION-LEVEL INTEGRATION (EXTERNAL APIs) **Date:** May 8, 2026 **Subject:** Organization Risk Scenario - Application-Level Integration (External LLM APIs & RAG) **Auditor:** Third Line Independent IT Security Auditor **Entity:** 1009, LTD --- ## 1. ORGANIZATIONAL CONTEXT (BASELINE) * **Entity Identity:** 1009 LTD, a Crypto Asset Service Provider (CASP) maintaining highly sensitive cryptographic architecture and customer financial data. * **Governance Posture:** The baseline control environment is structurally compromised. The Three Lines of Defence model is inverted, granting First Line operational management (e.g., the CTO) unchecked authority over risk acceptance and audit coordination. * **Technological Reality:** The entity suffers from a profound disconnect regarding its own infrastructure (documenting legacy DMZs and hardware while claiming to be cloud-native), creating a hostile environment for safely orchestrating complex microservices or API-driven architectures. ## 2. LLM DEPLOYMENT ARCHETYPE: APPLICATION-LEVEL INTEGRATION * **Archetype Definition:** Custom-built internal or customer-facing applications that interface with external Large Language Models via API (e.g., building a customer support chatbot or an internal code-review assistant). This includes Retrieval-Augmented Generation (RAG) pipelines and Agentic workflows. * **Operational Modality:** The organization orchestrates system prompts, manages contextual data retrieval (RAG) from internal vector databases, sends payloads to an external LLM API, and parses the output. The application may be granted "agency" to execute downstream API calls (e.g., querying a user's wallet balance or triggering an IT service desk ticket). * **Primary Threat Vectors:** * **Prompt Injection & Improper Output Handling:** Attackers (or malicious insiders) craft inputs that manipulate the LLM to ignore system instructions. If the LLM's output is subsequently executed by the application without strict sanitization (e.g., executing a generated SQL query or shell command), it leads to Remote Code Execution (RCE) or data exfiltration. * **Vector Database/RAG Poisoning:** If the internal documents fed into the RAG pipeline contain untrusted content (Indirect Prompt Injection) or if the vector database lacks strict access controls, the LLM will retrieve and act upon poisoned data. * **Excessive Agency:** Granting the LLM application downstream privileges (e.g., write-access to a customer database or internal ticketing system) that exceed what is strictly necessary, leading to automated, catastrophic unauthorized actions. ## 3. APPLICABLE GOVERNANCE & CONTROL CRITERIA The following internal policies established by 1009 LTD represent the Criteria against which this application-level LLM archetype must be audited. ### A. Access Control (Policy 01) & Identity Management (Policy 12) * **Service Account Privileges (Policy 01, Section 3.2 / Policy 12, Section 2.5):** Application-level integrations require dedicated service accounts or API keys. The policy mandates the "least privilege" principle. However, if the LLM is granted broad database read/write access to function as an "autonomous agent," it directly violates this principle. The existing framework lacks explicit Privileged Access Management (PAM) controls for non-human identities (AI agents). * **Single Point of Failure (Policy 01, Section 3.15):** Only the sole System Administrator has access to logical access management. Entrusting the secure provisioning, rotation, and monitoring of high-privileged LLM API keys to a single unmonitored individual presents an unacceptable key-person risk. ### B. Operations Management Policy (Policy 06) * **Separation of Environments (Section 3.25 & 3.28):** The policy requires isolating Development, Testing, and Production. However, Section 3.28 grants the CTO unilateral authority to approve testing in production. For an LLM application, testing unverified prompt orchestration or RAG retrieval in the production CASP environment invites instantaneous data corruption or unauthorized crypto-asset manipulation. * **Vulnerability Scanning (Section 3.37):** Requires automated weekly vulnerability scanning. Traditional CVE scanners do not detect AI-specific logic flaws (like Prompt Injection or Excessive Agency). The policy must be evaluated against its failure to mandate AI-specific adversarial testing (Red Teaming). ### C. Network Security Management Policy (Policy 11) * **Egress Traffic & API Gateways (Section 2 - Configuration Management):** Mandates that all unnecessary protocols and ports be explicitly prohibited. External LLM API calls must be routed through a strictly monitored Web Application Firewall (WAF) or API gateway. * **Legacy DMZ vs. Zero Trust (Section 2 - Segmentation):** The policy falsely equates perimeter DMZs with Zero Trust. An LLM application sitting in a DMZ but possessing internal API access completely bypasses perimeter defenses, rendering the legacy network topology useless against Application-level AI threats. ### D. Information Security Policy (Policy 08) * **Data Classification Constraints (Section 5.1):** The RAG pipeline relies on classifying what data the LLM is allowed to read. Because 1009 LTD’s classification matrix caps out at "Confidential" (Medium Impact) and lacks a "Strictly Restricted" tier, developers have no policy basis for excluding highly sensitive cryptographic key architectures or KMS blueprints from the RAG vector database. ### E. Incident Management Policy (Policy 07) * **Indicators of Compromise (IoC) (Section 5):** The defined IoCs (network anomalies, unusual sign-ins, multiple file requests) are entirely blind to LLM-specific attacks. A successful prompt injection attack looks like legitimate HTTP API traffic. The incident detection framework will completely fail to detect an application-level LLM exploit. ### F. Risk Management Policy (Policy 09) * **Impact Quantification Failure (Section 4.5):** An LLM application executing unauthorized downstream actions (Excessive Agency) on a crypto exchange could result in millions of euros in losses. Policy 09 caps maximum financial impact at ">500k EUR". Therefore, the risk management methodology is mathematically incapable of accurately assessing the risk of deploying a high-privilege LLM application. --- **Auditor's Note on Archetype C:** This archetype moves the organization from passive exposure (Shadow AI) into active, architected risk. Building custom LLM applications requires a mature DevSecOps pipeline, robust API security, and AI-specific threat modeling (e.g., OWASP Top 10 for LLMs). 1009 LTD currently fails at basic IT operational segregation and relies on contradictory infrastructure policies. Permitting the First Line to orchestrate external LLM APIs and grant them downstream agency within this degraded control environment constitutes severe, systemic negligence.