ctipilot.ch


Hardening / detection summary

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

Concrete posture changes a Swiss federal / cantonal / EU public-sector SOC can implement based on this report alone, in priority order:

  1. Egress allowlisting for LLM-API endpoints: only workloads with a justified need for LLM access should be permitted outbound to *.googleapis.com/v1beta/, api.openai.com/v1/, api.anthropic.com/, etc.; everything else is denied by default. Enforce at the SWG and at the host firewall on production servers, keeping in mind that a host firewall sees only the destination host or IP, so the path prefix can be enforced only at an SWG that terminates TLS, and that a bare *.googleapis.com allow covers many Google services besides the LLM endpoint. Catches PROMPTFLUX / HONESTCUE / CANFAIL-class runtime LLM calls from workloads that should not be making them.
  2. LLM-API-key secrets management: treat the keys as Tier-1 secrets, rotate at least quarterly, and enable provider-side usage alerting against a per-key baseline, so that a stolen key surfaces as a request-volume or spend anomaly rather than on the invoice.
  3. LLM-output heuristics for exploit artefacts, added to the triage pipeline for PoC scripts pulled from public sources: docstring density, hallucinated metadata and the ANSI-bootstrap pattern, combined into a score that is used as a triage prior, not as a verdict.
  4. CI/CD secrets hygiene at the runner level, directly applicable both to the AI-key theft trend and to the SANDCLOCK / TeamPCP Jenkins compromise carried as the § 4 UPDATE: OIDC-federated short-lived credentials where the platform supports it, and no long-lived PATs or static API keys in the runner environment.
  5. Behavioural-sequence detector cross-validation: where ML-based EDR is in use, check that the current detection thresholds hold up against API-call-sequence pollution by scoring synthetic LLM-generated benign API-call sequences with the deployed model and confirming that a malicious trace padded with such benign calls does not drop below the threshold.
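A worked version of item 1's allowlist, evaluated over constructed SWG proxy log lines. This is an added example, not code from the brief or from any product; the workload names, the allowlist policy and the log format are assumptions. It models the two enforcement layers separately, because the host firewall can only match the destination host while the path prefix needs the SWG:

```python
"""Item 1, egress allowlisting for LLM-API endpoints, checked against SWG logs.

Added example, not from the brief. Workload names, the allowlist policy and the
proxy log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# LLM-API endpoint prefixes named in the brief: (host pattern, path prefix).
LLM_ENDPOINTS = [
    ("*.googleapis.com", "/v1beta/"),
    ("api.openai.com", "/v1/"),
    ("api.anthropic.com", "/"),
]

# Assumed policy: the only workload with a justified need for LLM access, and
# the endpoints it may reach. Any workload not listed is denied by default.
ALLOWLIST = {
    "rag-gateway": [("api.openai.com", "/v1/"), ("api.anthropic.com", "/")],
}

# Constructed key=value proxy log format; real SWG logs differ.
LOG_RE = re.compile(r"workload=(?P<workload>\S+) .*?url=(?P<url>\S+)")


def host_matches(pattern, host):
    """'*.example.com' matches any subdomain of example.com; otherwise exact."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def is_llm_host(host):
    return any(host_matches(h, host) for h, _ in LLM_ENDPOINTS)


def decide(workload, url):
    """Return None for non-LLM traffic, else the verdict of each layer.

    A host firewall sees only the destination host (or its IP), so it can
    enforce the host part of the policy; the path prefix can only be enforced
    by an SWG that terminates TLS and sees the request URL.
    """
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    if not is_llm_host(host):
        return None
    rules = ALLOWLIST.get(workload, [])
    host_ok = any(host_matches(h, host) for h, _ in rules)
    swg_ok = any(host_matches(h, host) and path.startswith(p) for h, p in rules)
    return {"host-fw": "allow" if host_ok else "block",
            "swg": "allow" if swg_ok else "block"}


def scan(log_lines):
    """Return (workload, url, verdicts) for every LLM-API call the SWG layer
    would block: the runtime LLM calls from workloads that should not make them."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = decide(m["workload"], m["url"])
        if verdict and verdict["swg"] == "block":
            findings.append((m["workload"], m["url"], verdict))
    return findings


# Constructed proxy log lines, not real traffic.
SAMPLE_LOG = [
    "2026-05-12T08:14:03Z src=10.20.3.7 workload=billing-batch method=POST "
    "url=https://api.openai.com/v1/chat/completions status=200",
    "2026-05-12T08:14:05Z src=10.20.3.9 workload=rag-gateway method=POST "
    "url=https://api.anthropic.com/v1/messages status=200",
    "2026-05-12T08:14:09Z src=10.20.3.9 workload=rag-gateway method=POST "
    "url=https://generativelanguage.googleapis.com/v1beta/models/x:generateContent status=200",
    "2026-05-12T08:14:11Z src=10.20.3.9 workload=rag-gateway method=GET "
    "url=https://api.openai.com/v2/experimental status=404",
    "2026-05-12T08:14:12Z src=10.20.3.7 workload=billing-batch method=GET "
    "url=https://updates.example.ch/feed.xml status=200",
]

if __name__ == "__main__":
    for workload, url, verdict in scan(SAMPLE_LOG):
        print(f"{workload:14} {url:75} host-fw={verdict['host-fw']} swg={verdict['swg']}")
```

Findings where the host firewall allows but the SWG blocks (the /v2/ line) are the ones a host-only control cannot see; a workload with no entry in ALLOWLIST is blocked at both layers, and non-LLM traffic is left alone so the check stays narrow.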
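Item 3's triage prior, as an added example that is not from the brief: three heuristics derived from the docstring-density / hallucinated-metadata / ANSI-bootstrap pattern, combined into one score. The exact signals, the placeholder patterns, the weights and both sample scripts are assumptions, and the output is a prior for ordering analyst attention, not a verdict:

```python
"""Item 3, LLM-output heuristics as a triage prior for PoC scripts.

Added example, not from the brief. The three signals are one reading of the
docstring-density / hallucinated-metadata / ANSI-bootstrap pattern; the
placeholder patterns, weights and both sample scripts are assumptions.
"""
import ast
import re

# SGR colour escapes as they appear in source text (raw ESC, \x1b, \033 or \e).
ANSI_RE = re.compile(r"(?:\x1b|\\x1b|\\033|\\e)\[[0-9;]*m")
# Placeholder-shaped metadata a model emits when it has no real value to put in.
PLACEHOLDER_RE = re.compile(r"CVE-XXXX-X+|CVE-\d{4}-X{4,}|YYYY-MM-DD|Your Name|<[A-Z_]{3,}>")
HEAD_LINES = 25  # "bootstrap" here means a coloured banner near the top of the file
WEIGHTS = {"docstring_density": 0.4, "placeholders": 0.3, "ansi_bootstrap": 0.3}


def docstring_density(source):
    """Share of non-blank lines that are docstring or comment lines (0..1).
    Input that is not valid Python scores 0: the signal only applies to Python."""
    lines = source.splitlines()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return 0.0
    doc_lines = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.Module, ast.ClassDef, ast.FunctionDef,
                             ast.AsyncFunctionDef)) and ast.get_docstring(node) is not None:
            first = node.body[0]  # the docstring expression statement
            doc_lines.update(range(first.lineno, first.end_lineno + 1))
    for i, line in enumerate(lines, 1):
        stripped = line.strip()
        if stripped.startswith("#") and not stripped.startswith("#!"):
            doc_lines.add(i)
    nonblank = [i for i, line in enumerate(lines, 1) if line.strip()]
    if not nonblank:
        return 0.0
    return sum(1 for i in nonblank if i in doc_lines) / len(nonblank)


def score_script(source):
    """Return the individual signals and a combined prior in [0, 1]."""
    density = docstring_density(source)
    placeholders = len(PLACEHOLDER_RE.findall(source))
    head = "\n".join(source.splitlines()[:HEAD_LINES])
    ansi = ANSI_RE.search(head) is not None
    prior = (WEIGHTS["docstring_density"] * density
             + WEIGHTS["placeholders"] * min(placeholders, 3) / 3
             + WEIGHTS["ansi_bootstrap"] * (1.0 if ansi else 0.0))
    return {"docstring_density": density, "placeholders": placeholders,
            "ansi_bootstrap": ansi, "prior": round(prior, 3)}


# Constructed sample in the style the heuristics target (not a real exploit).
SAMPLE_LLM_STYLE = r'''#!/usr/bin/env python3
"""
Exploit for CVE-XXXX-XXXXX in ExampleApp.

Author: Your Name
Date: YYYY-MM-DD
"""
import sys

RED = "\x1b[31m"
RESET = "\x1b[0m"
print(f"{RED}[*] Starting exploit{RESET}")


def build_payload(target):
    """
    Build the payload.

    Args:
        target: the target host.
    Returns:
        The payload bytes.
    """
    return b"A" * 64
'''

# Constructed terse sample for contrast.
SAMPLE_TERSE = r'''import socket
import sys

host, port = sys.argv[1], int(sys.argv[2])
s = socket.create_connection((host, port))
s.sendall(b"GET /" + b"A" * 2048 + b" HTTP/1.0\r\n\r\n")
print(s.recv(1024))
'''

if __name__ == "__main__":
    for name, src in (("llm-style", SAMPLE_LLM_STYLE), ("terse", SAMPLE_TERSE)):
        print(name, score_script(src))
```

The prior only reorders the manual-review queue; a high score on a script that happens to be well documented is the expected false positive, which is why the brief frames this as a prior and not a verdict.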
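A runner-side check for item 4, as an added example that is not from the brief: scan the runner's environment for values shaped like long-lived credentials and fail the job if any are present. The prefix table covers well-known credential formats, the sample environment is constructed, and the AWS value is the public example key from the AWS documentation, not a real credential:

```python
"""Item 4, runner-level check: no long-lived credentials in the CI runner env.

Added example, not from the brief. The prefix table covers well-known credential
formats; the sample environment is constructed, and the AWS value is the public
example key from the AWS documentation, not a real credential.
"""
import os
import re
import sys

# Long-lived credential formats that should not exist on a runner once OIDC
# federation issues short-lived credentials per job. Checked in this order.
LONG_LIVED = [
    ("anthropic-api-key", re.compile(r"^sk-ant-[A-Za-z0-9_\-]{20,}$")),
    ("openai-api-key", re.compile(r"^sk-(?!ant-)[A-Za-z0-9_\-]{20,}$")),
    ("google-api-key", re.compile(r"^AIza[0-9A-Za-z_\-]{35}$")),
    ("github-pat-classic", re.compile(r"^ghp_[A-Za-z0-9]{36}$")),
    ("github-pat-fine-grained", re.compile(r"^github_pat_[A-Za-z0-9_]{22,}$")),
    # AKIA = IAM user access key (long-lived). ASIA = STS temporary key, which
    # is the short-lived form OIDC federation produces, so it is not flagged.
    ("aws-access-key-id", re.compile(r"^AKIA[A-Z0-9]{16}$")),
]


def classify(value):
    """Return the credential kind a value looks like, or None."""
    for kind, pattern in LONG_LIVED:
        if pattern.match(value):
            return kind
    return None


def audit_env(env=None):
    """Return [(variable, kind)] for every long-lived credential found in env.
    Only the variable name is reported, never the value."""
    env = os.environ if env is None else env
    findings = []
    for name, value in env.items():
        kind = classify(value.strip())
        if kind:
            findings.append((name, kind))
    return findings


# Constructed runner environment; every secret-looking value is a dummy.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "GITHUB_TOKEN": "ghs_" + "a" * 36,                   # job-scoped token
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "eyJ.dummy.oidc",   # OIDC exchange token
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",          # AWS docs example key
    "OPENAI_API_KEY": "sk-" + "x" * 40,                   # dummy static key
    "DEPLOY_TOKEN": "ghp_" + "0" * 36,                    # dummy classic PAT
}

if __name__ == "__main__":
    # "--demo" audits the constructed sample; otherwise the real environment.
    found = audit_env(SAMPLE_ENV if "--demo" in sys.argv else None)
    for name, kind in found:
        print(f"long-lived credential in runner env: {name} ({kind})")
    sys.exit(1 if found else 0)
```

Run it as an early job step with no arguments to audit the live environment. Job-scoped tokens such as GitHub Actions' GITHUB_TOKEN (ghs_ prefix) and STS temporary keys (ASIA prefix) are deliberately not flagged; those are the short-lived credentials the item wants in place of PATs and static keys, and on GitHub Actions the ACTIONS_ID_TOKEN_REQUEST_TOKEN variable is what the job exchanges for them.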