ISSN: 3049-2335

Security Challenges of LLM Integration in Multi-Tenant SaaS: Threats, Vulnerabilities, and Mitigations

Review Article (Published On: 27-Apr-2026)
DOI: https://dx.doi.org/10.54364/cybersecurityjournal.2026.3121

Nazarii Romankiv and Dmitro Sytnikov

Adv. Knowl. Based Syst. Data Sci. Cybersecur., 3 (1):443-465

Nazarii Romankiv : NURE

Dmitro Sytnikov : Kharkiv National University of Radio Electronics


Article History: Received on: 11-Jan-26, Accepted on: 01-Apr-26, Published on: 27-Apr-26

Corresponding Author: Nazarii Romankiv

Email: ayzrian@gmail.com

Citation: Nazarii Romankiv (2026). Security Challenges of LLM Integration in Multi-Tenant SaaS: Threats, Vulnerabilities, and Mitigations. Adv. Know. Base. Syst. Data Sci. Cyber., 3 (1): 443-465



Abstract

The rapid adoption of Large Language Models (LLMs) and their incorporation into existing multi-tenant SaaS suites bring new security risks that challenge application security paradigms. RAG, AI agents with tool access, and newly articulated patterns for context orchestration all provide attack surfaces specific to GenAI systems. Multi-tenancy creates a further layer of risk through cross-tenant data leakage, shared inference infrastructure, and the difficulty of enforcing tenant isolation when AI models process chunks of tokens from multiple tenants on the same infrastructure. In this work, we survey content produced by AI researchers and by researchers studying AI, such as the OWASP Top 10 for LLM Applications (2025), NIST AI 600-1, and other more recent academic sources, to map the security threats that reside specifically in multi-tenant SaaS setups with LLM integration. We derive a taxonomy of threats categorized by five classes of attack surface vulnerability, and map each threat to specific defenses in a defense-in-depth framework. The analysis is rooted in real-world SaaS architectures such as Context Orchestration Layers (COL), RAG pipelines, and the Model Context Protocol (MCP). We prove that 12 out of the 18 discovered vulnerabilities experience greater amplification from multi-tenancy than in single-tenant deployments. Cross-tenant data exfiltration and knowledge base poisoning had the highest amplification factors. Defending LLMs in SaaS requires a composite approach: safeguarding input, enforcing tenant isolation, sanitizing output, hardening the supply chain, and monitoring over time. We provide a mitigation matrix tying all our discovered threats to specific defenses, along with guidance for SaaS architects on implementing them.

