PromptGuard: Identity-First Zero Trust Access Control Architecture for Large Language Models

PromptGuard proposes a new LLM security paradigm, identity-first access control, which shifts protection from "what you ask" to "who is asking" and enables dynamic, fine-grained management of capability boundaries through enterprise IAM integration.

Tags: LLM security, zero trust architecture, identity and access management, IAM, prompt security, enterprise AI governance, access control, dynamic authorization
Published 2026-06-05 11:45 | Recent activity 2026-06-05 11:48 | Estimated read 7 min

Section 01

[Introduction] PromptGuard: Identity-First Zero Trust Access Control Architecture for LLMs

PromptGuard proposes a new LLM security paradigm, identity-first zero trust access control, which shifts protection from "what you ask" to "who is asking" and enables dynamic, fine-grained management of capability boundaries through enterprise IAM integration. The architecture addresses the flaws of existing content-filtering LLM security solutions; its core innovations include a seven-layer architecture and a five-level trust framework, giving enterprise AI governance a compliant and efficient solution.

Section 02

Background: Fundamental Flaws of Existing LLM Security Architectures

Current enterprise LLM security mechanisms rely on passive, after-the-fact content filtering, which the article identifies as having eight fatal weaknesses, among them high false positive rates, difficulty in preventing prompt injection, lack of context awareness (an inability to distinguish legitimate requests from different roles), missing insider threat management, incomplete audit trails, and binary allow/block decisions. These make it hard to meet enterprise compliance requirements such as SOX, SOC 2, and HIPAA.

Section 03

Core Innovations: Identity-First Paradigm and Seven-Layer Architecture

The core innovation of PromptGuard is the identity-first paradigm, shifting security focus from content to user identity. Its seven-layer architecture forms a closed loop:

  1. Request Interception: the gateway captures LLM requests
  2. Identity Identification: integrate with enterprise IAM systems to obtain the user's identity and permissions
  3. Trust Scoring: calculate a dynamic trust score from six dimensions, including the role baseline and UEBA signals
  4. Prompt Enhancement: inject role-customized system prompts
  5. Policy Execution: forward the enhanced request to the LLM
  6. Response Validation: check the output for compliance
  7. Audit Logging: record the interaction to the SIEM or audit logs

Section 04

Five-Level Trust Framework and Capability Matrix

PromptGuard designs a five-level trust framework that maps roles to LLM capability boundaries:

| Trust Level | Score Range | Typical Users | Core Capabilities | Query Length Limit |
|---|---|---|---|---|
| L1 - Basic | 0-20 | Interns, new employees, outsourced staff | General Q&A, simple summarization | 200 characters |
| L2 - Business | 21-40 | Sales, admin, customer service | Document processing, market research, basic scripting | 500 characters |
| L3 - Technical | 41-60 | Senior developers, IT admins, team leads | Code generation, system architecture, security best practices | 1,500 characters |
| L4 - Management | 61-80 | Directors, legal counsel, executives | Regulatory interpretation, crisis management, strategic analysis | 3,000 characters |
| L5 - Security | 81-100 | CISO, penetration testers, incident response teams | Vulnerability research, red team support, forensic analysis | Unlimited |
This framework divides LLM capabilities into nine categories, implementing the principle of least privilege.
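As an added example (not PromptGuard's own code), the capability matrix above encoded as a default-deny policy decision point: score to level, capability check, and the per-level query length cap. The capability labels are the table's "core capabilities" entries and the rule that higher levels inherit lower levels' capabilities is an assumption; the article's full nine-category taxonomy is not enumerated here.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# One entry per trust level from the PromptGuard matrix:
# (name, min score, max score, query length cap or None for unlimited, capabilities).
# Capability labels are taken from the table's "Core Capabilities" column (assumption:
# the article's nine categories are not listed, so these stand in for them).
TRUST_LEVELS = [
    ("L1", 0, 20, 200, {"general_qa", "simple_summarization"}),
    ("L2", 21, 40, 500, {"document_processing", "market_research", "basic_scripting"}),
    ("L3", 41, 60, 1500, {"code_generation", "system_architecture", "security_best_practices"}),
    ("L4", 61, 80, 3000, {"regulatory_interpretation", "crisis_management", "strategic_analysis"}),
    ("L5", 81, 100, None, {"vulnerability_research", "red_team_support", "forensic_analysis"}),
]

@dataclass
class Decision:
    allowed: bool
    level: Optional[str]   # None when no level matched (e.g. score out of range)
    reason: str            # human-readable reason, suitable for the audit log layer

def level_for_score(score: int) -> Optional[Tuple]:
    """Map a trust score to its matrix row; anything outside 0-100 matches nothing (fail closed)."""
    for entry in TRUST_LEVELS:
        _, lo, hi, _, _ = entry
        if lo <= score <= hi:
            return entry
    return None

def allowed_capabilities(level_name: str) -> Set[str]:
    """Least privilege with inheritance (assumption): a level holds its own and all lower capabilities."""
    caps: Set[str] = set()
    for name, _, _, _, level_caps in TRUST_LEVELS:
        caps |= level_caps
        if name == level_name:
            return caps
    return set()   # unknown level name grants nothing

def authorize(score: int, capability: str, prompt: str) -> Decision:
    """Default-deny check of one request against the capability matrix."""
    entry = level_for_score(score)
    if entry is None:
        return Decision(False, None, f"trust score {score} outside 0-100")
    name, _, _, limit, _ = entry
    if capability not in allowed_capabilities(name):
        return Decision(False, name, f"capability '{capability}' not granted at {name}")
    if limit is not None and len(prompt) > limit:
        return Decision(False, name, f"query length {len(prompt)} exceeds {name} limit of {limit}")
    return Decision(True, name, "allowed")
```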

Section 05

Dynamic Trust Scoring and Hybrid Policy Architecture

Dynamic trust scoring supports real-time trust elevation. For example, when a developer handles an outage late at night, the system temporarily raises the trust level based on signals such as the abnormal time and device status, then automatically reverts it once the session ends. The hybrid policy architecture combines two mechanisms:

  • Policy-as-Prompt: inject customized system prompts to handle complex scenarios flexibly
  • Policy-as-Code: use OPA and Rego to implement deterministic hard constraints that guarantee the compliance baseline

The two complement each other to form defense in depth.
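An added example, not from the article, of the scoring and elevation flow described above: a role baseline adjusted by an off-hours signal, a session-bound elevation for an active incident, and a deterministic hard-constraint layer that caps the score regardless of elevation. The baseline numbers, signal weights and the two cap rules are constructed for illustration, and the hard constraints are written in Python here as a stand-in for the OPA/Rego layer the article describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Role baselines are constructed for this example; the article gives no numeric baselines.
ROLE_BASELINE = {"intern": 10, "developer": 50, "incident_responder": 85}

@dataclass
class Signals:
    role: str
    device_compliant: bool      # device posture signal (constructed)
    on_call_incident: bool      # active incident assignment (constructed)
    hour_utc: int               # request hour, feeds the "abnormal time" signal
    ueba_anomaly: float = 0.0   # UEBA behavioural anomaly, 0.0 normal .. 1.0 highly anomalous

@dataclass
class TrustDecision:
    score: int
    elevated: bool = False
    expires_at: Optional[datetime] = None      # when a temporary elevation reverts
    reasons: List[str] = field(default_factory=list)

def hard_constraints(score: int, s: Signals, reasons: List[str]) -> int:
    """Policy-as-Code stand-in (constructed rules): ceilings no prompt policy or elevation may exceed."""
    if not s.device_compliant and score > 40:
        reasons.append("hard constraint: non-compliant device capped at 40")
        return 40
    if s.ueba_anomaly >= 0.8 and score > 20:
        reasons.append("hard constraint: high UEBA anomaly capped at 20")
        return 20
    return score

def score_request(s: Signals, now: Optional[datetime] = None,
                  session_ttl: timedelta = timedelta(minutes=30)) -> TrustDecision:
    """Compute a dynamic trust score: baseline, signal adjustments, session elevation, then hard caps."""
    now = now or datetime.now(timezone.utc)
    d = TrustDecision(score=ROLE_BASELINE.get(s.role, 0))   # unknown role: zero baseline, fail closed
    if s.hour_utc < 6 or s.hour_utc >= 22:
        d.score -= 10
        d.reasons.append("off-hours request: -10")
    # Temporary elevation: an active incident on a compliant device lifts trust for this session only.
    if s.on_call_incident and s.device_compliant:
        d.score += 25
        d.elevated, d.expires_at = True, now + session_ttl
        d.reasons.append("incident elevation: +25 until session end")
    d.score = max(0, min(100, d.score))
    capped = hard_constraints(d.score, s, d.reasons)
    if capped < d.score:                      # a hard cap also revokes any elevation
        d.elevated, d.expires_at = False, None
    d.score = capped
    return d
```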

Section 06

Market Advantages and Implementation Effects

Compared to mainstream solutions (LiteLLM, Portkey, etc.), PromptGuard claims four unique capabilities: real-time identity lookup at the network boundary, dynamic role-aware prompt transformation, a fine-grained trust classification framework, and enterprise SIEM integration with self-hosting support. Reported implementation effects: the false positive rate drops from about 20% to below 3%, reducing wasted compute, and the high compatibility with existing IAM/SIEM ecosystems lowers the adoption barrier.

Section 07

Conclusion: Paradigm Shift in LLM Security and Recommendations

PromptGuard represents a paradigm shift in LLM security, arguing that effective AI governance should rest on identifying and authorizing the requester rather than on content filtering. As enterprise AI adoption deepens, the article expects this identity-first zero trust architecture to become an industry standard, and recommends that security architects and CISOs use the framework as a reference and deploy LLM security controls in combination with their existing infrastructure.