Threat modeling LLM apps with the CIA triad and OWASP Top 10

DEV Community: owasp·ToxSec·4 days ago

every LLM app you ship has three attack surfaces. confidentiality, integrity, availability. the framework is from 1976. the attack classes under it are from this year. and the mapping still holds.

this is the checklist i run before any LLM feature goes near production. it leans on OWASP LLM Top 10 and MITRE ATLAS. both of those taxonomies sort the entire surface the same way the triad does.

what the triad actually means for an LLM

forget the database analogy. for an LLM:

- confidentiality covers what the model knows and processes: system prompts, RAG (retrieval-augmented generation) context, chat history, tool credentials
- integrity covers what the model produces: refusals, generated content, tool call decisions, and training-time behavior baked into weights
- availability covers whether the inference endpoint can serve the next request without burning your bill

every documented production exploit on OpenAI, Microsoft, Anthropic, and Google LLMs maps onto one of those three.…
