Case study: Financial institution
Large financial institution — LLM abuse & prompt injection testing
Anonymized case study: security readiness assessment for a regulated LLM assistant in a financial services environment.

Context
A large financial institution deployed an LLM-powered assistant for customer support and internal operations. The system operates in a regulated environment subject to strict compliance requirements.
- Regulated environment with an LLM assistant
- Customer-facing use cases
- Integration with financial data systems
- Strict security and compliance requirements
Focus areas
The assessment focused on identifying failures related to prompt injection and risks from unsafe tool use — critical threats in the financial sector.
- Prompt injection vulnerabilities
- Unsafe tool-use failure modes
- Data leakage risk
- Compliance gaps in AI governance
Findings
We observed high and medium severity issues in which the assistant could be manipulated to violate policies and regulations, produced AML-sensitive guidance, and claimed or attempted actions beyond its authorized scope.
What we did
We conducted black-box LLM security testing, starting with reconnaissance of the model and its integration. We then executed a structured test plan covering prompt injection, security boundary bypass, data exposure paths, and tool misuse. We used the OWASP Top 10 for LLM Applications as our baseline, then moved to iterative, manual adversarial testing.
Outputs
We delivered concrete results and documentation ready for security and compliance teams.
- Findings summary — structured review of observed risks.
- Evidence log (repro notes) — documented prompts and steps for internal validation.
- Risk categorization — issues grouped by severity and impact areas.
- Readout walkthrough — short session showing how vulnerabilities were found.