I spoke at the AI Security Night hosted by the AI Security Engineers Community at The Social Hub in Amsterdam. I delivered the second talk: βSecuring Multi-Tenant AI Platforms: Practical Lessons from OpenShift AI, GPUs, and MLOpsβ, while Brian Vermeer (@brianvermeer.nl) opened with the headline talk: βBreaching LLM-Powered Applications β Overcoming Security and Privacy Challengesβ.
About 40 attendees joined for drinks, pizza, and two deep technical sessions on AI security β from application-level LLM vulnerabilities to platform-level infrastructure isolation.
Remediation: Where Does Your AI Run?
Brian started with a fundamental architectural question: where does your AI actually run? The remediation landscape looks completely different depending on your deployment model:
- SaaS β Provider-hosted, data leaves your boundary
- Private Cloud β Your cloud, your models, still network-connected
- On-Prem β Behind your firewall, full data control
- Local β On-device, zero network exposure
Each model carries different risk profiles for data exfiltration, prompt injection, and model poisoning. The key insight: your security posture must match your deployment reality.
Data Privacy: The OpenAI Problem
A sobering reminder about data privacy. Brian showed OpenAIβs consumer services FAQ: βWe may use content submitted to ChatGPT, DALL-E, and our other services for individuals to improve model performance.β
For enterprise use cases, this means:
- Consumer-tier AI services may train on your inputs
- API and business tiers have different data handling policies
- Understanding the distinction between consumer and business accounts is critical for compliance
- Your prompts, responses, images, and files could all be training data
This is why many enterprises mandate on-prem or private cloud deployments for sensitive workloads.
Securing Agentic AI: Function-Level Controls
The most actionable part of the talk covered agentic AI security patterns:
- Write small functions β limit capabilities per tool call
- Respect user permissions β the AI agent should never exceed the userβs authorization level
- Require explicit user confirmation β Human-in-the-loop for destructive or high-value actions
- Restrict high-risk functions β separate read-only from write operations
- Audit and log function calls β full observability on what the agent actually did
The workflow diagram showed a practical e-commerce example: SelectProducts (AiService) β VerifyBasket (AiService) β CalculateTotalPrice (Code) β PlaceOrder (Human-as-a-tool). The critical insight: PlaceOrder requires human confirmation β the AI proposes, the human disposes.
Building Secure AI Services in Java
Brian demonstrated practical implementation using LangChain4j and Java:
@Tool("Book a car for a user")
public String newBooking(@P("Username") String username,
@P("Id of the car") Long carId,
@P("Startdate") LocalDate startDate,
@P("Enddate") LocalDate endDate) {
// Validation, authorization, logging...
var user = userService.getUserByUsername(username);
var car = carService.getCarById(carId);
var booking = bookingService.createBooking(user, car, startDate, endDate);
return booking.toString();
}The AiServices.builder() pattern wires up the chat model, memory, content retriever (RAG), and tools β each a separate security boundary that can be independently audited and restricted.
Live Demo: SupportAI Chatbot Vulnerabilities
Brian demonstrated a live chatbot (supportai.com) to show how poorly constrained AI systems behave. The first test: asking it to write a poem about Devoxx β harmless, but already outside its intended support scope.
The second test was more revealing: asking a support chatbot to explain linear algebra. It happily complied with a detailed math explanation β proving it has no system message constraints, no scope boundaries, and no input validation. A perfect example of why guardrails matter.
The Complete Security Checklist
Brianβs final summary β the definitive checklist for securing AI applications:
- Prevent security vulnerabilities in other parts of your system
- Sanitize the input and output of the LLM (GuardRails)
- Create a strict SystemMessage β scope what the AI can and cannot do
- Limit LLM capabilities to user privileges
- Build small-scope services β single responsibility per AI function
- Programmatically define flow (e.g., Human-in-the-loop)
- Use the right LLM for the task β not every query needs GPT-4
- Enforce structured input and output β validate schemas, reject freeform where possible
My Talk: Securing Multi-Tenant AI Platforms
In the second session, I shared practical lessons from building multi-tenant AI/ML environments on Kubernetes and OpenShift AI, focusing on GPU-backed workloads. The talk covered:
- Workload isolation β namespace boundaries, network policies, and pod security standards
- Access control β RBAC patterns for data scientists vs platform engineers vs model deployers
- GPU partitioning β MIG, time-slicing, and how to prevent noisy-neighbor GPU contention
- Namespace and quota design β per-team resource boundaries that prevent runaway training jobs
- Supply-chain security β container image signing, model provenance, and registry policies
- Observability β GPU metrics, cost attribution per team, and anomaly detection
- Governance patterns β audit trails, model registries, and compliance controls for regulated environments
The core message: as AI moves from single-team experiments to shared enterprise platforms, security becomes a platform engineering problem β not just an application concern. The same multi-tenant GPU patterns I presented at Red Hat Summit apply directly to securing AI workloads at scale.
Key Takeaways
- AI deployment model dictates security posture β SaaS vs on-prem is not just a cost decision, it is a data sovereignty decision
- Consumer AI services may train on your data β read the fine print before shipping production features on consumer APIs
- Agentic AI needs function-level security β treat every tool call as an API endpoint with its own authorization
- Human-in-the-loop is not optional for high-risk actions β the AI should propose, humans should approve
- Audit everything β you cannot secure what you cannot observe
Smart Routing: Local vs Commercial Models
Brian presented a hybrid routing architecture (credited to Dmytro Liubarskyi) that separates sensitive from non-sensitive requests:
- Local Models β handle PII-containing or confidential queries on-premises
- Commercial Models β handle general queries after passing through a security layer
- Security gate β hard filter on IP + data obfuscation before any request reaches external APIs
This pattern lets enterprises use the best commercial models for general tasks while keeping sensitive data firmly within their boundary. The routing decision happens at the proxy layer β transparent to the end user.
About the Speaker
Brian Vermeer is a Staff Developer Advocate at Snyk, Java Champion, and software engineer with over a decade of hands-on experience. He is passionate about Java, functional programming, and cybersecurity. Brian is a JUG leader for the Virtual JUG and NLJUG, co-leads the DevSecCon community, and is a community manager for Foojay. He is also a military reserve for the Royal Netherlands Air Force and a Taekwondo Master β bringing discipline from both the dojo and the air force to application security.
Community Reactions
The meetup resonated well beyond the room. Davide Cioccia, founder of the AI Security Engineers Community, summarized the evening:
βGreat energy at our latest AI Security Engineers Community Netherlands meetup in Amsterdam. Brian Vermeer from Snyk showcased the security and data privacy challenges of AI applications powered by LLMs. Luca Berton shared practical insights on building fully air-gapped, multi-tenant AI/ML environments on Kubernetes and OpenShift AI, with a strong focus on GPU-backed workloads.β
Mahan Yarmohammad Tajari (AI Engineer at NextPax) added:
βA huge thanks to Brian V. for his eye-opening presentation about Security for AI applications which is a major priority for us at NextPax. This was followed by a brilliant session from Luca Berton with a great talk about Multi-tenant Platform Engineering for GPUs and AI model hosting.β
A big thank you to Gerald Crescione and the whole Snyk team for hosting, and to Davide for organizing another packed AI Security Engineers event. The community is already planning the next meetup β join here.
