Comment by SahAssar

2 days ago

So you are going to take the untrusted tool that kept leaking your secrets, keep the secrets away from it but still use it to code the thing that uses the secrets? Are you actually reviewing the code it produces? In 99% of cases that's a "no" or a soft "sometimes".

That's exactly what one does with their employees when one deploys "credential vaults", so?

  • Employees are under contract and are screened for basic competence. LLMs aren't and can't be.

    • > Employees are under contract and are screened for basic competence. LLMs aren't

      So perhaps they should be.

      > and can't be.

      Ah but they must, because there's not much else you can do.

      You can't secure LLMs like they were just regular, narrow-purpose software, because they aren't. They're by nature more like little people on a chip (this is an explicit design goal) - and need to be treated accordingly.
