Extend Prompt Shield to Custom Enterprise LLM Endpoints
Implementation Effort: Medium – Requires understanding the request and response format of each custom LLM endpoint to define conversation schemes that Prompt Shield can parse.
User Impact: Low – Transparent to users; extends existing prompt inspection to additional AI endpoints without changing user workflows.
Overview
The default Prompt Shield configuration inspects traffic to well-known LLM platforms — Azure OpenAI, OpenAI, Anthropic — using built-in conversation schemes that understand each platform's API structure. Many organizations also operate custom AI applications that proxy LLM calls through enterprise APIs, wrap models in internal abstractions, or host fine-tuned models on custom endpoints. These custom endpoints use proprietary request and response formats that the built-in conversation schemes cannot parse, leaving them outside Prompt Shield's inspection scope.
Custom conversation schemes define how Prompt Shield identifies the prompt and response boundaries within traffic to a specific endpoint. The administrator specifies the URL pattern for the enterprise LLM endpoint and maps the request fields that contain user prompts and the response fields that contain model completions. Once a custom scheme is added and linked to the existing prompt policy, Prompt Shield inspects traffic to that endpoint using the same injection detection engine applied to known platforms.
This supports Assume breach by extending prompt injection detection to the organization's full AI surface area rather than only covering public LLM APIs. Internal LLM endpoints are often built with less adversarial testing than major platform APIs, making them higher-risk targets for injection attacks. It supports Verify explicitly by ensuring that prompt content is inspected regardless of which LLM endpoint serves it, eliminating blind spots created by custom routing or abstraction layers. If custom conversation schemes are not configured, threat actors who identify internal AI endpoints can deliver prompt injection payloads that bypass all network-layer inspection.