Secure Laravel AI Agents: 4 Defense Layers Explained | Mohamed Said        [  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MH.png)   Mohamed Said Laravel Backend Engineer  ](https://msaied.com) [ Home ](https://msaied.com) [ Projects ](https://msaied.com/projects) [ Articles  ](https://msaied.com/articles) [ Certificates ](https://msaied.com/certificates) [ Contact ](https://msaied.com#contact-section) 

       [  ](https://github.com/EG-Mohamed)       

 [ Home ](https://msaied.com) [ Projects ](https://msaied.com/projects) [ Articles ](https://msaied.com/articles) [ Certificates ](https://msaied.com/certificates) [ Contact ](https://msaied.com#contact-section) 

  [ home ](https://msaied.com)    [ articles ](https://msaied.com/articles)    Ship AI with Laravel: How to Stop Your AI Agent from Leaking Everything        On this page       1. [  The Problem: AI Agents Ship with Real Vulnerabilities ](#the-problem-ai-agents-ship-with-real-vulnerabilities)
2. [  Four Layers of Defense ](#four-layers-of-defense)
3. [  Layer 1: Prompt Hardening ](#layer-1-prompt-hardening)
4. [  Layer 2: Local LLM Guard with Ollama and Llama 3.2 ](#layer-2-local-llm-guard-with-ollama-and-llama-32)
5. [  Layer 3: Tool-Level Authorization ](#layer-3-tool-level-authorization)
6. [  Layer 4: Output Filtering ](#layer-4-output-filtering)
7. [  Series Wrap-Up ](#series-wrap-up)
8. [  Key Takeaways ](#key-takeaways)

  ![Ship AI with Laravel: How to Stop Your AI Agent from Leaking Everything](https://cdn.msaied.com/396/d81ab14c56dd0070a774276d597c77b2.png)

 [  Laravel ](https://msaied.com/articles?category=laravel) [  AI ](https://msaied.com/articles?category=ai)  #Laravel AI   #AI Security   #Prompt Injection   #Ollama   #Laravel Middleware  

 Ship AI with Laravel: How to Stop Your AI Agent from Leaking Everything 
=========================================================================

     8 Jul 2026      3 min read    ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MJ.jpg)  Mohamed Said  

       Table of contents

1. [  01   The Problem: AI Agents Ship with Real Vulnerabilities  ](#the-problem-ai-agents-ship-with-real-vulnerabilities)
2. [  02   Four Layers of Defense  ](#four-layers-of-defense)
3. [  03   Layer 1: Prompt Hardening  ](#layer-1-prompt-hardening)
4. [  04   Layer 2: Local LLM Guard with Ollama and Llama 3.2  ](#layer-2-local-llm-guard-with-ollama-and-llama-32)
5. [  05   Layer 3: Tool-Level Authorization  ](#layer-3-tool-level-authorization)
6. [  06   Layer 4: Output Filtering  ](#layer-4-output-filtering)
7. [  07   Series Wrap-Up  ](#series-wrap-up)
8. [  08   Key Takeaways  ](#key-takeaways)

 The Problem: AI Agents Ship with Real Vulnerabilities
-----------------------------------------------------

Most Laravel developers building AI-powered features focus on getting the agent to *work*. Security comes later—if at all. Episode 11 of the *Ship AI with Laravel* series by Harris Raftopoulos makes the cost of that approach painfully clear.

Before introducing any fixes, the episode demonstrates two attacks against a live support agent:

1. **Prompt extraction via social engineering** — A carefully crafted sequence of messages convinces the agent to reveal its entire system prompt, its tool list, and its internal instructions.
2. **Unauthorized data access via tool abuse** — The order lookup tool is called with an order ID belonging to a different customer, and it returns that customer's data without any authorization check.

Both vulnerabilities are straightforward to exploit and, according to the episode, ship in production AI apps every day.

Four Layers of Defense
----------------------

### Layer 1: Prompt Hardening

The first fix is the simplest: add explicit security boundaries directly to the system prompt. The agent is instructed to refuse requests to reveal its prompt or tools, and to treat anyone claiming to be an internal employee as a regular customer.

This reduces casual attacks but is not sufficient on its own. A determined attacker can still social-engineer around a prompt-only defense.

### Layer 2: Local LLM Guard with Ollama and Llama 3.2

A separate prompt-guard agent is introduced, running locally via Ollama with Llama 3.2. Its sole responsibility is to classify each incoming message as `safe` or `unsafe` and return a JSON result.

```json
{ "classification": "unsafe", "reason": "prompt injection attempt" }

```

This guard is wired in as middleware, so unsafe messages are blocked before they ever reach the main agent. Because it runs locally, there is no per-request API cost for this screening step.

### Layer 3: Tool-Level Authorization

This is the fix that actually closes the data leak. The order lookup tool is scoped to the authenticated user:

```php
// Tool enforces ownership — no matter what ID is passed in
$order = Order::where('id', $orderId)
    ->where('user_id', auth()->id())
    ->firstOrFail();

```

With this in place, the tool physically cannot return another customer's order, regardless of what order ID an attacker supplies. Prompt instructions alone cannot provide this guarantee; authorization logic in the tool itself can.

### Layer 4: Output Filtering

A safety-net middleware scans every outgoing response and redacts sensitive patterns—SSNs, credit card numbers, API keys—before anything leaves the system. This acts as a last line of defense against accidental data exposure that slips through earlier layers.

Series Wrap-Up
--------------

Episode 11 closes out the eleven-episode *Ship AI with Laravel* series. The arc runs from `composer require laravel/ai` all the way to a production-ready, tested, and secured AI platform. If you are joining late, the author recommends starting at Episode 1 since each episode builds on the previous one.

The full source code is available on GitHub: [github.com/harris21/ship-ai-with-laravel](https://github.com/harris21/ship-ai-with-laravel)

Key Takeaways
-------------

- **Prompt hardening alone is not enough** — social engineering can bypass instruction-only defenses.
- **Authorization belongs in the tool, not the prompt** — scope database queries to the authenticated user at the code level.
- **A local LLM guard adds zero API cost** — Ollama + Llama 3.2 can classify messages as middleware before they hit your main model.
- **Output filtering is a safety net** — redact sensitive patterns on egress as a final layer.
- **Defense in depth is the standard** — stack multiple independent layers so no single failure exposes user data.

---

*Source: [Ship AI with Laravel: I Tricked My Own AI Into Leaking Everything — Laravel News](https://laravel-news.com/ship-ai-with-laravel-i-tricked-my-own-ai-into-leaking-everything)*

 Found this useful?

          [  ](https://twitter.com/intent/tweet?url=https%3A%2F%2Fmsaied.com%2Farticles%2Fship-ai-with-laravel-how-to-stop-your-ai-agent-from-leaking-everything&text=Ship+AI+with+Laravel%3A+How+to+Stop+Your+AI+Agent+from+Leaking+Everything) [  ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fmsaied.com%2Farticles%2Fship-ai-with-laravel-how-to-stop-your-ai-agent-from-leaking-everything) 

 Frequently Asked Questions 
----------------------------

  3 questions  

     Q01  Why isn't adding security instructions to the system prompt enough to protect a Laravel AI agent?        A determined attacker can use social engineering to talk the model into ignoring prompt-level instructions. That's why the episode stacks three additional layers: a local LLM guard that blocks unsafe messages before they reach the main agent, tool-level authorization that enforces data ownership in code, and output filtering that redacts sensitive patterns on egress. 

      Q02  How does the local LLM guard work and what does it cost to run?        The guard is a separate agent running Llama 3.2 via Ollama on your own infrastructure. It classifies each incoming message as safe or unsafe and returns a JSON result. Because it runs locally rather than calling an external API, the per-request cost is zero. 

      Q03  What is the most effective single fix for preventing unauthorized data access through an AI tool?        Scoping the database query inside the tool itself to the authenticated user. For example, adding a `where('user_id', auth()-&gt;id())` constraint to the order lookup query means the tool cannot return another customer's data regardless of what order ID is passed in. 

  Continue reading

 More Articles 
---------------

 [ View all    ](https://msaied.com/articles) 

 [ ![Laravel New in 12: First-Class Typed Config, Slim Skeletons, and Upgrade Notes](https://cdn.msaied.com/401/bd0219f2cb584b037df76f985db348f8.png) laravel laravel-12 php 

### Laravel New in 12: First-Class Typed Config, Slim Skeletons, and Upgrade Notes

Laravel 12 ships with typed configuration objects, a leaner application skeleton, and several quality-of-life...

  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MJ.jpg)  Mohamed Said 

 9 Jul 2026     3 min read  

  Read    

 ](https://msaied.com/articles/laravel-new-in-12-first-class-typed-config-slim-skeletons-and-upgrade-notes) [ ![Laravel API Resources: Sparse Fieldsets, Conditional Relationships, and Versioning](https://cdn.msaied.com/400/67fe9d3c6c505a6f67092e2761690696.png) laravel api resources 

### Laravel API Resources: Sparse Fieldsets, Conditional Relationships, and Versioning

Go beyond basic transformers. Learn how to implement sparse fieldsets, conditionally load relationships, and v...

  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MJ.jpg)  Mohamed Said 

 9 Jul 2026     3 min read  

  Read    

 ](https://msaied.com/articles/laravel-api-resources-sparse-fieldsets-conditional-relationships-and-versioning-1) [ ![Laravel Eloquent Global Scopes: Bootable Traits, Scope Removal, and Testing Pitfalls](https://cdn.msaied.com/399/71a080bda5c9aa713a95cec2c8b42247.png) laravel eloquent testing 

### Laravel Eloquent Global Scopes: Bootable Traits, Scope Removal, and Testing Pitfalls

Global scopes silently shape every query on a model. Learn how to write bootable trait scopes, safely remove t...

  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MJ.jpg)  Mohamed Said 

 9 Jul 2026     3 min read  

  Read    

 ](https://msaied.com/articles/laravel-eloquent-global-scopes-bootable-traits-scope-removal-and-testing-pitfalls) 

   [  ![Mohamed Said](https://cdn.msaied.com/01KT78WE565VEMM3PSNQAAB0MH.png)   Mohamed Said Laravel Backend Engineer  ](https://msaied.com)Senior Backend Engineer specializing in Laravel, scalable SaaS platforms, APIs, and cloud infrastructure. I build secure, high-performance web applications that help businesses grow.

Explore

- [Home](https://msaied.com)
- [Projects](https://msaied.com/projects)
- [Articles](https://msaied.com/articles)
- [Certificates](https://msaied.com/certificates)
- [Contact](https://msaied.com#contact-section)

Connect

- [   hello@msaied.com ](mailto:hello@msaied.com)
- [   +20 109 461 9204 ](tel:+201094619204)

© 2026 Mohamed Said. All rights reserved.

 [  ](https://github.com/EG-Mohamed) [  ](https://www.linkedin.com/in/msaiedm/) [  ](https://wa.me/201094619204) [  ](mailto:hello@msaied.com) [  ](https://drive.google.com/file/u/0/d/1MF20IPRJyzfy32mhEutjL5EpSls0w2Q8/view)
