
A method for assessing data leak risks when using LLM in a corporate environment: organizational, technical, and legal aspects

Authors: Pechenov D.A., Nigmatullin A.R.
Published in issue: #3(104)/2026
DOI:


Category: Informatics, Computer Engineering and Control | Chapter: Methods and Systems of Information Protection, Information Security

Keywords: large language models, information security, data leakage, risk assessment, corporate security, risk matrix, confidential information
Published: 25.05.2026

The paper addresses the problem of assessing the risk of confidential information leakage when large language models (LLMs) are integrated into corporate business processes. The authors examine existing approaches to data protection in artificial intelligence (AI) environments, identify critical vectors of information leakage through user requests (prompts), and analyze gaps in the regulatory framework in this area. Particular attention is paid to the lack of systematic risk assessment methods, which makes decisions on whether confidential data may be processed in LLMs subjective. The article proposes an original risk matrix that takes into account the type of data being processed, the user's access level, and the model deployment architecture (cloud or local). The research resulted in a methodology for classifying user requests by risk level, with a set of rules for filtering prompts, and in recommendations for applying the proposed approach in organizations that process personal data and trade secrets.

