Everyone wants to be an LLM engineer right now.
And I get it. The space is moving fast and the opportunities are real.
But here is what most people getting into it are skipping.
LLMs are powerful. They are also unpredictable; expensive to run and surprisingly easy to break if your infrastructure is not solid underneath them.
Prompt injection is real. If your application takes user input and passes it directly to a model without sanitization; you have already built a vulnerability. Not a bug. A vulnerability.
Your API keys are sitting in environment variables. Your model endpoints have no rate limiting. Your logs are capturing sensitive user inputs. Your cost per token is scaling faster than your revenue.
These are not AI problems. These are cloud security and engineering problems that happen to live inside an AI product.
The best LLM engineers I have seen are not just good at prompting. They understand IAM; secrets management; rate limiting; observability and cost controls. They treat the model like any other production service.
Because it is.
If you are building with LLMs and not thinking about security; you are not building a product. You are building a liability.
Secure the infrastructure first. Then ship the intelligence.
Top comments (1)
The point about API keys sitting in environment variables is more widespread than most people realize. When we scanned 508 public MCP servers at mcpsafe.io, hardcoded secrets were the most common finding — showing up in 22% of servers. Not env vars at runtime, but literally committed credentials in the source code or config files. People building fast move the secret once and forget it.
The prompt injection point is worth expanding on. For LLM apps that use tools or MCP servers, the injection surface isn't just user input. Tool descriptions are also model-readable content, and a malicious or compromised package can embed instructions there that the user never sees and the developer never audited. The model will read a tool description the same way it reads a system prompt.
"Treat the model like any other production service" is the right frame. You'd never deploy a web service without checking its dependencies for CVEs. Pre-install scanning for MCP servers and LLM tooling is the same idea applied to agentic infrastructure.