The model layer introduces risks that do not exist in traditional software. No compliance framework has a clause about prompt injection — but every framework cares about the consequences.
A rule-based system fails in ways you can enumerate. A conditional branch
either executes or it doesn't. An API call either succeeds or returns an
error code. The failure space is finite, and testing can cover most of it.
An LLM-based agent fails differently. It can be manipulated into taking
actions you never intended. It can invent facts and act on them. It can
produce different outputs from identical inputs on different days. These
are not edge cases. They are properties of the system.