By submitting this form, you agree to our 

 is rarely just an infrastructure move. For most DevOps and platform teams in 2026, it’s a once-in-a-decade opportunity to rethink tooling, eliminate legacy bottlenecks, and modernize the 

 end-to-end. One of the most overlooked, but highest-impact, areas to revisit during this transition is 

As organizations shift workloads and security controls into the cloud, the limitations of 

 quickly become visible. What once worked in on-premise environments often creates friction, risk, and massive operational overhead in a cloud-native world.

 isn’t just a "lift-and-shift" event. It’s the ideal moment to reassess how you store, secure, and distribute artifacts across modern 

Why legacy artifact repositories struggle during cloud migration

Traditional, self-hosted repositories were designed for static infrastructure and perimeter-based security. Cloud environments invert those assumptions.

During migration, teams commonly encounter:

 Legacy tools often require manual server provisioning or expensive over-capacity planning.

 Managing patches, database tuning, and storage maintenance for your own repository steals focus from your core product.

 When global teams depend on a single on-premise instance, latency sabotages developer velocity.

Keeping a legacy repository while modernizing everything else often results in a "partially modern" stack with legacy risk still embedded in your delivery pipeline.

Cloud migration exposes hidden software supply chain risk

Modern cloud adoption increases velocity, but speed without control amplifies risk across the 

 Cloud-scale builds pull in thousands of external packages that need immediate scanning.

 Difficulty tracking exactly "who built what and where" across fragmented environments.

 Brittle legacy controls that can't handle the dynamic nature of cloud-native deployments.

Re-evaluating artifact management during migration allows teams to embed 

 governance exactly when redesigning their pipelines.

The modernization opportunity: SaaS artifact repositories

Cloud migration creates the perfect window to replace self-hosted infrastructure with a 

 built for elasticity and global distribution.

 No more storage planning or maintenance; the platform automatically scales with your builds.

 A built-in Package Delivery Network (PDN) delivers artifacts worldwide to reduce latency.

 Features like automated vulnerability scanning and signature verification are baked in, not bolted on.

Instead of recreating legacy architecture in the cloud, organizations can move directly to a fully managed model aligned with cloud‑native principles. This shift transforms artifact management from a maintenance task into a strategic layer of the delivery platform.

When to move: Aligning your migration strategy

Teams often postpone modernization because migration feels complex. However, delaying the decision typically leads to "double migration" work, migrating the legacy tool today and replacing it tomorrow.

Aligning modernization with your cloud move avoids:

 Design your CI/CD for your final destination, not a temporary stop.

 Cloud-native migration scripts (like the Cloudsmith CLI) handle the transfer of binaries and metadata once.

 Ensure your new cloud environment launches with a clean, high-performance foundation from day one.

Signs your artifact management is holding you back

Before moving to the cloud, audit your current state. If these "silent killers" sound familiar, a lift-and-shift solution will only migrate your technical debt:

 Your team spends hours every month on repository upgrades, patching, and storage "garbage collection".

 Global developers or remote build agents face high latency because your on-premise repository lacks a global distribution network.

 You struggle to provide a complete "bill of materials" (SBOM) or audit trail for a security incident.

 Your pipelines rely on custom, "home-grown" scripts to move packages between environments because your tool doesn't support native promotion workflows.

The strategic ROI: What actually changes?

 during a cloud move isn't just a technical swap; it delivers measurable business impact:

 By eliminating manual bottlenecks and enabling faster access to dependencies, teams often see 

 Centralized policy enforcement and automated vulnerability scanning move security from a "final check" to an integrated part of the build.

 removes the "toil" of server management, allowing your DevOps engineers to focus on product innovation rather than infra-maintenance.

 You trade hidden infrastructure costs and administrative salaries for a predictable, transparent SaaS model.

Evaluating alternatives: Beyond JFrog and Nexus

Many organizations begin cloud migration using legacy tools like 

, only to find they were built for a different era of infrastructure. Modern SaaS platforms eliminate the need to manage repository infrastructure while delivering stronger governance and global performance. As a result, more teams are looking for 

 that offer a fully managed, "Zero-Ops" experience.

 streamlines the process to minimize disruption and accelerate value realization.

Why global leaders migrate artifact management to Cloudsmith

, designed specifically for modern DevOps and secure software delivery for the security landscape of 2026 and beyond.

 A true SaaS experience with no databases to manage and no servers to patch.

 Hundreds of nodes deliver artifacts from the edge, ensuring your global build agents always have high-speed access.

 One single source of truth for Docker, npm, Maven, Python, and 30+ other formats.

 Automated provenance tracking and signature verification help keep you compliant with key security standards and ensure that what you ship is exactly what you built.

Conclusion: Don’t just move to the cloud – modernize what matters

Cloud migration is a rare opportunity to fix the "foundation" of your house before you move in the furniture. By re-evaluating your 

 now, you ensure your cloud-native future is fast, secure, and, most importantly, manageable.

The most successful cloud migrations don’t just replicate the past. They modernize the platform that powers everything built next.

 with our experts to simplify the process.

It is the practice of storing, securing, and distributing build outputs, such as Docker images or Maven packages, throughout the development lifecycle. It ensures your builds are reproducible and secure.

Why reconsider artifact repositories during cloud migration?

Updating your repository during a move avoids duplicate work and ensures that a legacy on-premises artifact manager doesn’t constrain your new cloud infrastructure.

What are the risks of keeping a self-hosted repository in the cloud?

 in the cloud still requires manual patching and scaling. This increases costs and creates "visibility gaps" that can lead to security breaches.

How does a SaaS artifact repository improve security?

SaaS platforms provide centralized governance, immutable storage, and automated compliance auditing, all of which are critical to a secure 

Parul Jhawar

Marketing

Why cloud migrations are the best time to re-evaluate your artifact management

Let’s say you’ve got an LLM running on Kubernetes. Pods are healthy, logs are clean, users are chatting. Everything looks fine.

But here's the thing: Kubernetes is great at scheduling workloads and keeping them isolated. It has no idea what those workloads do. And an LLM isn't just compute, it's a system that takes untrusted input and decides what to do with it.

That's a different threat model. And it needs controls Kubernetes doesn't provide.

Understanding what you're actually running

Let's walk through a typical deployment. You deploy 

, a server for hosting and running LLM models locally, in a pod. You expose it via a Service, point 

 (a chat interface similar to ChatGPT's UI) at it. Users type prompts, answers appear. From Kubernetes' perspective, everything looks healthy: pods are running, logs are clean, resource usage is stable.

But consider what you've built. You've placed a programmable system in front of your internal services, tools, logs, and potentially credentials. Kubernetes did its job perfectly, scheduling and isolating the workload. What it can't do is understand whether a prompt should be allowed, whether a response contains sensitive data, or whether the model should have access to certain tools.

This is similar to how API security works. The infrastructure handles routing and isolation, but you still need authentication, authorization, and input validation. Those concerns live at the application layer.

OWASP LLM top 10: a framework for understanding risks

 maintains a list of the top 10 security risks for web applications. It's become the standard checklist for "things that will get you hacked if you ignore them." They've now done the same thing for LLMs: 

the OWASP Top 10 for Large Language Model Applications

This framework catalogs the most critical security risks when building LLM-powered systems, including:

LLM01: Prompt Injection (manipulating model behavior through crafted inputs)

LLM02: Sensitive Information Disclosure (models leaking training data or secrets)

LLM03: Supply Chain (using unverified models or data)

LLM04: Data and Model Poisoning (compromising model behavior through malicious training data)

LLM05: Improper Output Handling (treating generated content as trusted)

LLM06: Excessive Agency (models with too much autonomy)

LLM07: System Prompt Leakage (exposing system instructions)

LLM08: Vector and Embedding Weaknesses (vulnerabilities in RAG and embedding systems)

LLM09: Misinformation (models generating false or misleading content)

LLM10: Unbounded Consumption (resource exhaustion attacks)

Addressing all of these requires defense in depth across your entire stack. This post focuses on four risks that are particularly relevant when running LLMs on Kubernetes:

 can be addressed through policy controls at the application layer, patterns that map to things you already do for APIs.

 requires governance at deployment time, treating models with the same rigor you apply to container images.

Each one connects to infrastructure patterns you're probably already familiar with, just applied to a probabilistic system.

1. Input validation (Prompt Injection - LLM01)

In most setups, this works. LLMs have a "system prompt" that sets their behavior and constraints, but many models treat user input as higher priority than these system instructions. This is prompt injection, the LLM equivalent of SQL injection or command injection. User input crosses a trust boundary and influences behavior in unintended ways.

The operational question is the same one you answer everywhere else: does untrusted input get to control program flow? With APIs, you validate inputs against a schema. With LLMs, you need similar controls, but the validation logic is different because the input is natural language and the behavior is probabilistic.

Let's look at three more patterns, then we'll explore how to actually implement these controls in your cluster.

2. Output filtering (Sensitive Information Disclosure - LLM02)

Here's a subtler failure mode. A user asks: "Show me an example configuration file."

The model didn't crash. It just leaked credentials. Why? Models memorize things from training data. Or someone put secrets in the system prompt. Or the model is pulling from internal docs that contain credentials. It doesn't know these are secrets. It's just generating plausible text.

This is the same class of bug as accidentally logging environment variables, except the content is generated rather than passed through. You need output filtering for the same reason you scrub secrets from logs.

With containers, you worry about pulling compromised images from untrusted registries. With LLMs, the risks are similar but harder to spot.

Models are binary blobs. You can't inspect them the way you can read source code. A model downloaded from Hugging Face could have backdoors, hidden biases, or behaviors that only trigger in specific contexts. Someone could fine-tune a popular model to bypass safety features, score well on benchmarks, and publish it for others to use. You'd have no idea until something goes wrong.

There's also version drift. llama3.2:latest today might behave differently than llama3.2:latest next month. If you're not pinning versions, you're not in control of what's running.

This isn't something a gateway can solve. Supply chain security happens at deployment time: where did this model come from? Who published it? Can you verify it hasn't been tampered with? You need the same governance you apply to container images, versioning, provenance, access controls, audit trails.

We'll come back to this when we talk about artifact management with Cloudsmith.

4. Tool permissions (Excessive Agency - LLM06)

Modern LLMs can be given access to "tools" or "functions", essentially APIs they can call to perform actions like querying databases, sending emails, or executing code. When you give a model access to these capabilities, you're granting it the ability to perform operations:

execute_sql

This is why controllers don't get cluster-admin by default. The principle is identical. The difference is that the entity making authorization decisions is probabilistic rather than deterministic. You need the same kind of least-privilege thinking, but applied to a model's tool access.

Notice something about these patterns. None of them belong in the model runtime itself.

Ollama's job is to load models and generate responses efficiently. It shouldn't also be deciding whether a prompt is safe, whether output contains secrets, or whether a tool should be allowed. That's a separation of concerns issue: mixing inference with policy makes both harder to reason about and harder to change.

What you need is something in front of the model that handles policy. It forwards requests, but it also enforces rules. Think of it as similar to an API gateway, but with awareness of LLM-specific patterns. It understands prompts, tool calls, and generated content, not just HTTP semantics.

If you're using managed AI services like ChatGPT, Claude, or most AI agent platforms, these controls are handled for you. The provider manages prompt filtering, content moderation, and rate limiting. You trade control for convenience.

When you run models in your own cluster, you need to build or adopt a policy layer. Several options exist:

 is a popular open-source gateway that provides a unified OpenAI-compatible API across 100+ models, with features like rate limiting and cost tracking

 brings LLM traffic management into Kong's mature API management platform

 offers caching, observability, and cost controls as a drop-in proxy

 (formerly Gloo) implements the Kubernetes Gateway API with AI-specific extensions

These are solid options, especially if you need multi-provider routing or are already using their ecosystems. But they're also general-purpose tools that may be more than you need, or may not cover the specific OWASP LLM controls we've discussed.

For this post, we're building a minimal reference implementation focused specifically on those security patterns: prompt injection detection, output filtering, model allowlists, and tool restrictions. It's not a product, it's a learning tool you can understand completely, then adapt or replace with something more robust when you need to.

The challenges of running LLMs in Kubernetes

If you've worked with Kubernetes for a while, you've developed workflows for testing, deploying, and governing your services. LLMs break some of those assumptions.

You can't run the full stack locally anymore.

 A 7B parameter model needs significant GPU resources. A 70B model needs multiple GPUs. Your laptop isn't going to cut it, and even local Kubernetes clusters struggle. But your gateway, your policies, your application code - that still needs fast iteration. You need a way to develop and test the components that 

 to the LLM without running the LLM locally.

 You've got container registries, Helm charts, maybe some ML model registries. But LLM models are different: they're large (gigabytes to hundreds of gigabytes), they're versioned differently, and they determine your application's behavior as much as your code does. Where do they live? How do you version them? How do you ensure the model running in production is the one you tested?

Security policies need tuning against real behavior.

 You can't write a prompt injection detection pattern in isolation and trust it works. You need to see how it handles real prompts, edge cases, false positives. That means testing against actual traffic patterns, which traditionally means deploying to a cluster and waiting.

These aren't hypothetical problems. They're what you hit the first time you try to build something serious with LLMs on Kubernetes.

For this walkthrough, we'll use two tools that address these challenges:

 connects your locally running process to a target in your configured cluster. Your local code talks to the real Ollama instance running in the remote cluster, receives real traffic, resolves cluster DNS. You get real environment testing without needing local GPU resources or waiting for deployments.

 provides universal artifact management. Store your gateway images and model files in the same registry, with versioning, access controls, and audit trails. Treat models with the same governance rigor you apply to containers.

Let's see how these fit into the workflow.

An LLM gateway provides a single location to enforce policy:

Which models are allowed to run, which prompts look suspicious, which tools can be called, what gets logged, what gets redacted, what never leaves the cluster.

For this post, we've built a working example gateway you can deploy and experiment with. It's not a production-ready product, it's a learning tool that demonstrates the patterns and gives you a starting point to build from.

The gateway acts as a reverse proxy with LLM-aware middleware. Requests pass through policy checks before reaching the model. Responses pass through output filters before reaching users.

From an operational perspective, this gives you:

 Log policy violations without blocking requests. Useful for understanding what's happening before enforcing rules.

 Block requests that violate policy. Useful once you understand your traffic patterns and trust your rules.

 Start in monitor mode, tune policies based on real traffic, switch to enforce mode when ready. This is the same pattern you use for validating NetworkPolicies or RBAC rules before enforcement.

​​Security policies need tuning against real behavior. A prompt injection pattern that's too aggressive blocks legitimate requests. Too loose, and it misses attacks. You find out which you have by testing.

The obvious approach: run a small model locally, point your gateway at it, iterate. That works for basic functionality testing, but it has gaps:

 A prompt injection that works on llama3.2:1b might not work on llama3.2:70b. Output filtering tuned against one model's response patterns might miss secrets when a different model phrases things differently. If your production model isn't what you tested against, your policies have blind spots.

 You write test prompts you think of. Real users send things you'd never imagine. Testing against actual traffic patterns catches issues synthetic tests miss.

 It might need to resolve cluster DNS, talk to auth services, or access ConfigMaps. Those dependencies don't exist on your laptop.

What you want is your local code running against the real cluster environment: real model, real traffic, real services. But without the 10-15 minute deploy cycle every time you change a config file.

That's what mirrord does. It lets you run your local process in the context of your cluster. When you start your process with mirrord, it creates a temporary agent pod that listens in on your target pod, overriding your local process's syscalls and proxying them to the cluster. Your local gateway talks to the real Ollama instance, receives real traffic, resolves cluster DNS. You edit a file, restart, and test in seconds.

Here's the approach we'll use. The gateway runs in your cluster as normal, but during development, with mirrord you run a local copy that intercepts traffic from the cluster. Your local process talks to real cluster services (Ollama, internal DNS, everything), but you can change configuration and restart in seconds.

Clone the repository and deploy the infrastructure:

LLMs on Kubernetes: same cluster, different threat model

That’s what I want for Northern Ireland’s software sector. And we are doing it together.

Northern Ireland is a great place to live. Culturally, we are a country of innovators and builders, and it is already a great place to build software. Whether you are starting something new or want to contribute to systems and tools used all over the world, the software industry in NI is well-established.

Yes, we have our challenges as a country, just like anywhere else. But we have an exciting and emerging startup ecosystem, circling venture capital, and we are the software development headquarters for big companies like Aflac, Allstate, and Liberty Mutual. And we finally have an official LEGO store.

I left Northern Ireland two days after graduating from Queen’s University Belfast in 2002, and lived in the United States and then England for a few years. But soon the love of grey skies pulled me back home and into a job at a newly minted startup, albeit one that struggled to find its feet. 

After moving on from my first NI-based startup. I then watched Danny Moore sell Wombat Financial Technologies to the mighty New York Stock Exchange in 2008. This was a signpost of what is possible with great leadership and execution. So when Lee and I founded Cloudsmith, our goal was, and still is, to build a world-class product company headquartered in Belfast.

There are many challenges with building a business, especially in a small country with just under 2 million people. We have great universities in Ulster University and Queen’s (and not forgetting our friends at the Open University), producing a steady stream of graduates; there is a growing talent pool and lots of opportunity for innovation.

Those who have tasted success can inspire, guide, and expand the limits of what is possible.

It's pretty unusual to be more than two degrees of (Kevin Bacon) separation away from anyone from Northern Ireland here. We witnessed firsthand the power of diaspora: Northern Ireland looks out for its own, and we made connections all over the world with folks who left to seek their fortune in faraway lands. Some have been absolutely key to Cloudsmith’s success to date, and it’s always a pleasure to hear the unmistakable accent come back at you over Zoom.

We need more success stories. We need to show the workforce that share options are worth something. We need more exits. We need to create more wealth.

I’ve seen the power of being in a well-funded startup with great, founder-friendly early-stage backers (thank you, Techstart, Frontline, and MMC) that can elevate you to take on the competition.

How do we get more money into Northern Ireland companies? How do we get the light from Sauron’s Eye shining on our little country? OK, that sounds ominous, but I mean it in a good way. How can we position ourselves as a hotbed of innovation and talent, to rival Silicon Valley or Tel Aviv?

That is something we are tackling at Software NI, but we need all the help we can get. 

 is dedicated to making Northern Ireland a global leader in technology and software innovation through community, education, advocacy, and support. Everything from championing software literacy in schools to affecting governmental policies to ensure software is part of our future.

We welcome you to engage with the community at the new 

, organized by Software NI. The inaugural event will take place on Thursday, 26th March, in The Mac. It promises to be an excellent opportunity to listen to industry leaders, including Danny Moore, discuss how they scaled their businesses and created value. I’ll be there too :)

Remember, Northern Ireland is amazing, Cloudsmith is building something great, and Software NI is striving to create an ecosystem where people and software companies of all shapes and sizes can thrive.

Alan Carson

Co-founder and Chief Strategy Officer

I love Software (in) NI

For years, the bottleneck in software was “how fast can we write code?” Today, Generative AI shifts that bottleneck to 

For years, the bottleneck in software was “how fast can we write code?” Today, Generative AI shifts that bottleneck to “how fast can we secure it?”

As organizations move from experimentation to production-grade AI, they are discovering that traditional DevOps tooling wasn’t built for a non-deterministic world. For example, static software composition analysis (SCA) scanners that assume deterministic dependency graphs or CI policy gates that validate known build artifacts. When a model generates code rather than a human, the software supply chain changes overnight.

Securing non-deterministic systems: A practical guide for AI artifacts and LLMOps

, explores three emerging security frontiers that every organization adopting AI must address:

1. AI-generated code introduces supply-chain hallucinations

LLMs generate dependencies probabilistically, not deterministically. This creates the emerging 

 attack vector, where attackers register hallucinated package names suggested by AI tools and weaponize them with malicious payloads.Without validation and artifact governance, a single copied command can silently compromise an enterprise environment.

2. AI models behave like executable software, not passive data

Modern model formats can execute arbitrary code during deserialization, most notably through Python pickle-based loading.This 

 means downloading an unverified model from public registries such as Hugging Face or Ollama can result in full system compromise.Secure AI development requires scanning, signing, and favoring restricted formats like 

, alongside enforcing trusted provenance for every model artifact.

3. AI productivity and orchestration layers expand the attack surface

Frameworks that connect models to enterprise data and automate workflows introduce a new class of high-impact vulnerabilities.Recent RCE exploits in orchestration tools demonstrate that 

LLMOps infrastructure itself is now part of the software supply chain

, and must be sandboxed, authenticated, and governed like any production system.

Our full guide provides a strategic roadmap for navigating the shift from DevOps to LLMOps, deconstructing threats in frameworks like Langflow, and building a “sandbox-by-default” development lifecycle.

AI artifacts: The new software supply chain blind spot

 hosted on Hugging Face. While this democratisation of AI is changing how all work and develop with AI, it also introduces a massive supply chain risk. Every time a developer runs 

, they are essentially pulling an opaque blob of data from a public registry.

The core of the issue? We often don't know the provenance of these models, their true licensing constraints, or (most importantly) what code is tucked inside their weight files.

What is a Pickle and why is it dangerous?

 is the standard way to serialise object structures into binary. In machine learning, it is the default format for 

However, the Pickle protocol is not just a data format; it is a stack-based virtual machine. When you 

 a file, you aren't just reading data, you’re also executing a sequence of instructions (

Cloudsmith Blog

Why cloud migrations are the best time to re-evaluate your artifact management

LLMs on Kubernetes: same cluster, different threat model

I love Software (in) NI

AI artifacts: The new software supply chain blind spot

Securing LLM dependencies against serialisation attacks

Top 10 most popular LLM models on Hugging Face

Protect your software supply chain from typosquatting with Cloudsmith

Securing AI-generated code with Cloudsmith

From ingredient list to control point: SBOM-based component-level security

7 key metrics to measure software supply chain security

How artifact management enables S2C2F maturity

Secure containers by default with Cloudsmith and Docker Hardened Images