Insights

Fresh thinking and actionable insights that address critical issues your organization faces.

Learn more

Resources

Services

KPMG's multi-disciplinary approach and deep, practical industry knowledge help clients meet challenges and respond to opportunities.

Services to meet your business goals

Technology Alliances

KPMG has market-leading alliances with many of the world's leading software and services vendors.

View all Alliances

Industries

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more
Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

Attacking generative AI

Managing risks in large language models

Large language models (LLMs) such as GPT-3 and Copilot have become increasingly popular for efficieint translation, chatbots and content generation. However, as with any technology, this type of artificial intelligence can open up new attack surfaces.

Consider the following potential vulnerabilities in both the training phase and production phase.

1

Training phase

An LLM can only perform as well as it is trained to do, based on select datasets provided by AI engineers. These datasets create risk for:

  • Data leakage or poisoning. LLM training data can be unintentionally exposed to tampering that leads to vulnerabilities or biases, which can compromise the security, effectiveness or ethics of the model.

  • Model theft. While an LLM is in development, many people are typically given access to complete the model, which increases its susceptibility to theft by an insider threat actor. The development phase also increases the risk of other identity-related vulnerabilities.

  • Insecure plug-in design. Without proper testing, third-party plug-ins for LLMs can introduce risks such as insecure authentication and authorization configurations. They can also allow for insecure inputs.

2

Production phase

Once an LLM has been deployed, users throughout an organization can typically access it for a wide array of purposes. Look out for risks such as:

  • Prompt injection. Similar to SQL injections or cross-site scripting (XSS), an attacker could input payloads into an active LLM, causing it to perform unintended actions.

  • Sensitive information disclosure. If an LLM isn’t properly trained and configured, an attacker could craft a prompt that causes the model to reveal sensitive information.

  • Excessive agency. Often, LLMs are granted far more permissions than are required for them to accomplish their functions. Attackers can recognize and leverage these permissions to elevate their own privileges, causing harm to back-end systems.

3


A need for ongoing testing

To mitigate risks throughout the LLM lifecycle, consider the following high-level approach for security testing:

This kind of testing is an important part of cybersecurity, as threats to LLMs can result in additional attack vectors against related application programming interfaces (APIs) and networks. Conducting a thorough penetration test for LLM applications at each phase of the lifecycle can help you identify vulnerabilities, improve your security posture, and mitigate risks. 

How KPMG can help

KPMG offers end-to-end security testing as an outcome-based managed service, helping you consistently validate controls while minimizing remediation efforts. That’s because business transformation is not a fixed destination; it’s an ongoing journey. With managed services, we help you continually evolve your business functions to keep up with ever-changing targets, while driving outcomes like cost reduction, resilience, and stakeholder trust.

Learn more about KPMG Managed Application Security Testing.

Learn more about KPMG AI Security Services.

Explore more

Insight
Webcast Replay Webcast Upcoming Listen Now

Social engineering

A fatal flaw in cybersecurity

Read more
Insight
Webcast Replay Webcast Upcoming Listen Now

Preventing broken trust

Managed services can help fill critical role of application security

Read more
Insight
Webcast Replay Webcast Upcoming Listen Now

Application security as a culture

How to counter agile adversaries

Read more

Meet our team

Image of Evan Rowell
Evan Rowell
Managing Director, Advisory, KPMG US
Read bio
Image of Evan Rowell
Evan Rowell
Managing Director, Advisory, KPMG US
Read bio

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2024 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline