AI Security Framework

Security controls spanning the AI development lifecycle, prompt engineering, API security, identity management, and third-party supply chain protection.

5.1 Secure Development Lifecycle

AI systems shall be developed, deployed, and operated using a Secure Development Lifecycle (SDL) that integrates security controls into every phase. The SDL for AI extends traditional software security to address model-specific risks including prompt injection, data poisoning, model extraction, and adversarial evasion.

SDL Phases & Security Controls

Phase | Security Activity | Deliverable | Owner
Requirements | Threat modelling, risk assessment, security requirements definition | Security Requirements Document, Threat Model | Security Architect
Design | Secure architecture review, privacy by design, access model design | Architecture Security Review, Data Flow Diagram | Solution Architect
Development | Secure coding standards, dependency scanning, secrets management | Code review sign-off, SCA report | Technical Lead
Training Data | Provenance verification, bias audit, poisoning detection, sanitisation | Data Security Assessment, Bias Report | Data Engineer
Model Training | Environment hardening, training log integrity, checkpoint security | Training Environment Hardening Checklist | ML Engineer
Testing | Adversarial testing, red teaming, penetration testing, fuzzing | Security Test Report, Red Team Findings | Security Tester
Deployment | Container security, API security, runtime protection, monitoring | Deployment Security Checklist | DevOps Engineer
Operations | Vulnerability management, incident response, model drift detection | Operational Security Runbook | SOC Analyst

5.2 Secure Prompt Engineering

Prompt engineering for large language models and generative AI introduces unique security risks. This section establishes standards for secure prompt design, prompt injection mitigation, and prompt governance.

Secure Prompt Design Principles

  1. Least Privilege Prompting: Prompts shall request only the minimum information and capabilities necessary to fulfil the task. Avoid over-prompting that exposes system context or internal data.
  2. Input Sanitisation: All user inputs destined for LLM prompts shall be sanitised to remove or escape control characters, delimiters, and escape sequences that could alter prompt structure.
  3. Context Isolation: System prompts, user prompts, and retrieved context shall be clearly separated using structured formats that resist injection attacks.
  4. Output Validation: All LLM outputs shall be validated against expected schemas, length limits, and content policies before downstream processing or user display.
  5. Prompt Versioning: All production prompts shall be version-controlled, reviewed, and approved before deployment. Ad-hoc prompt changes are prohibited.

Prompt Injection Mitigation

Direct prompt injection (jailbreaking) and indirect prompt injection (via external data sources) are critical attack vectors. Implement defence-in-depth: input filtering, output encoding, privilege separation, human-in-the-loop for sensitive actions, and continuous monitoring for anomalous prompt patterns.

5.3 API & Identity Security

AI systems expose and consume APIs that require robust security controls. This section covers API security, identity management, access control, encryption, and secrets management for AI infrastructure.

API Security Requirements

Requirement | Control | Verification
Authentication | OAuth 2.0 / OIDC with PKCE for all API access; no API keys in client-side code | Penetration test, code review
Authorisation | RBAC with principle of least privilege; ABAC for sensitive operations | Access review quarterly
Rate Limiting | Tiered rate limits per client; anomaly detection for abuse | Load testing, DDoS simulation
Input Validation | Schema validation, type checking, length limits, reject unexpected fields | Fuzzing, negative testing
Output Encoding | Context-appropriate encoding; no sensitive data in error messages | Code review, error message audit
Logging & Monitoring | Comprehensive audit logs with tamper protection; real-time alerting | Log review, SIEM coverage audit
Encryption in Transit | TLS 1.3 minimum; certificate pinning for mobile clients | SSL Labs scan, certificate inventory

5.4 Monitoring, Logging & Threat Detection

Continuous monitoring and threat detection are essential for AI security. AI-specific threats including model drift, adversarial inputs, data poisoning, and anomalous inference patterns require specialised detection capabilities.

Security Monitoring Requirements

  • All AI model inference requests and responses shall be logged with timestamp, client identity, model version, and input/output hashes.
  • Model prediction distributions shall be monitored for drift, outliers, and unexpected class imbalances.
  • Adversarial input detection shall be deployed using input perturbation analysis, anomaly detection, and rule-based filters.
  • Privilege escalation attempts, unauthorised access to model artefacts, and abnormal API usage patterns shall trigger automated alerts.
  • Third-party model and data supply chain components shall be monitored for disclosed vulnerabilities, license changes, and integrity compromises.

  • SIEM integration covers all AI infrastructure logs.
  • Alert thresholds are tuned to minimise false positives while capturing genuine threats.
  • Runbooks exist for all AI-specific security alerts.
  • Threat intelligence feeds include AI-specific sources (academic, vendor, government).
  • Quarterly purple-team exercises test detection and response capabilities.
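As an added illustration of the first two monitoring requirements (and of the tamper-protected audit logs required in 5.3), the Python below builds per-inference audit records carrying input/output hashes, chains them so that later edits are detectable, and scores prediction drift between a baseline and a current label distribution. It is example code, not part of the framework; the record layout, the hash-chain scheme and the 0.2 drift threshold are assumptions of this example.

```python
import hashlib
import json
import time
from collections import Counter
from typing import Iterable, List, Optional


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def make_inference_record(client_id: str, model_version: str, prompt: str, response: str,
                          ts: Optional[float] = None) -> dict:
    """One audit record per inference: timestamp, client identity, model version and hashes
    of input and output. Hashes rather than raw text keep prompt contents out of the log while
    still letting a separately stored payload be matched to its record later."""
    return {
        "ts": ts if ts is not None else time.time(),
        "client": client_id,
        "model_version": model_version,
        "input_sha256": sha256_hex(prompt),
        "output_sha256": sha256_hex(response),
    }


def append_chained(log: List[dict], record: dict) -> dict:
    """Tamper-evident logging (assumed scheme): each stored entry carries the previous entry's
    hash, so editing or deleting an earlier entry breaks every hash that follows it."""
    prev = log[-1]["entry_sha256"] if log else "0" * 64
    entry = dict(record, prev_sha256=prev)
    entry["entry_sha256"] = sha256_hex(json.dumps(entry, sort_keys=True))
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> bool:
    """Recompute every entry hash and link; False on the first inconsistency."""
    prev = "0" * 64
    for entry in log:
        if entry.get("prev_sha256") != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if sha256_hex(json.dumps(body, sort_keys=True)) != entry.get("entry_sha256"):
            return False
        prev = entry["entry_sha256"]
    return True


def class_distribution(labels: Iterable[str]) -> dict:
    """Relative frequency of each predicted class."""
    counts = Counter(labels)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def drift_score(baseline: dict, current: dict) -> float:
    """Total variation distance between two label distributions: 0 = identical, 1 = disjoint."""
    keys = set(baseline) | set(current)
    return 0.5 * sum(abs(baseline.get(k, 0.0) - current.get(k, 0.0)) for k in keys)


def drift_alert(baseline: dict, current: dict, threshold: float = 0.2) -> bool:
    """Threshold is an illustrative starting point; the framework requires tuning it per model."""
    return drift_score(baseline, current) > threshold


if __name__ == "__main__":
    # Constructed sample traffic: two inferences, then a change in the predicted-class mix.
    log: List[dict] = []
    append_chained(log, make_inference_record("svc-a", "v1.2", "ticket text 1", "approve"))
    append_chained(log, make_inference_record("svc-a", "v1.2", "ticket text 2", "deny"))
    print("chain intact:", verify_chain(log))
    baseline = class_distribution(["approve"] * 80 + ["deny"] * 20)
    current = class_distribution(["approve"] * 50 + ["deny"] * 50)
    print("drift score:", round(drift_score(baseline, current), 3), "alert:", drift_alert(baseline, current))
```

A hash chain only makes tampering detectable, not impossible; in practice the chain head (or a periodic signature over it) is shipped to the SIEM so that the log and its integrity anchor are not held on the same host.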

5.5 Third-Party & Supply Chain Security

Third-party AI components — including foundation models, APIs, training data, cloud infrastructure, and MLOps tools — introduce supply chain risks that must be systematically managed.

Vendor Security Assessment

Assessment Area | Minimum Requirements | Evidence
Security Certifications | ISO 27001, SOC 2 Type II, or equivalent; AI-specific attestations preferred | Certificate, audit report
Data Handling | Clear data residency, processing, and retention commitments; no unauthorised training on client data | DPA, data flow diagram
Model Provenance | Documented training data sources, fine-tuning methodology, known limitations | Model card, data sheet
Incident Response | Defined SLAs for breach notification; cooperative incident investigation | Contract clause, IR plan review
Business Continuity | Redundancy, failover, and exit strategy for critical AI services | BCP documentation, test results
Subcontractor Transparency | Disclosure of all subcontractors with access to organisational data or models | Subprocessor list, assessment reports

Supply Chain Integrity

Verify the integrity of all third-party model weights, container images, and libraries using cryptographic signatures, checksums, and software bills of materials (SBOMs). Maintain an AI Software Bill of Materials (AI-SBOM) for every production AI system.
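The Python below is an added example of the checksum and AI-SBOM part of this requirement, not the framework's own tooling. It pins a SHA-256 for each component in a minimal SBOM record of this example's own layout, streams large weight files when hashing, and reports any component whose on-disk content no longer matches. Signature verification against the organisation's chosen signing tooling is not shown; the file name, component names and registry source in the demo are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte weight files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: str, expected_sha256: str) -> bool:
    """Constant-time comparison of the computed digest against the pinned one."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def build_ai_sbom(system_name: str, components: List[dict]) -> dict:
    """Minimal AI-SBOM record (layout assumed by this example): one entry per model, dataset,
    container image or library with its type, version, source and pinned SHA-256."""
    required = {"name", "type", "version", "source", "sha256"}
    for c in components:
        missing = required - set(c)
        if missing:
            raise ValueError(f"component {c.get('name')!r} missing fields: {sorted(missing)}")
    return {"system": system_name, "components": components}


def verify_sbom(sbom: dict, paths: Dict[str, str]) -> List[str]:
    """Check every component that should be present locally against the hash pinned in the SBOM.
    Returns the names that fail: missing files count as failures, not as 'nothing to check'."""
    failures = []
    for c in sbom["components"]:
        path = paths.get(c["name"])
        if path is None or not os.path.exists(path) or not verify_artifact(path, c["sha256"]):
            failures.append(c["name"])
    return failures


def run_demo() -> dict:
    """Constructed scenario: pin a weights file, verify it, then show that a modified file fails."""
    with tempfile.TemporaryDirectory() as d:
        weights = os.path.join(d, "model.safetensors")  # placeholder file name
        with open(weights, "wb") as f:
            f.write(b"constructed placeholder weights, not a real model\n")
        sbom = build_ai_sbom("ticket-summariser", [{
            "name": "summariser-weights", "type": "model", "version": "1.0.0",
            "source": "internal-registry (placeholder)", "sha256": sha256_file(weights),
        }])
        before = verify_sbom(sbom, {"summariser-weights": weights})
        with open(weights, "ab") as f:
            f.write(b"x")  # simulate a swapped or corrupted artefact
        after = verify_sbom(sbom, {"summariser-weights": weights})
    return {"failures_before": before, "failures_after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The pinned hash has to come from a trusted channel (the vendor's signed release manifest or the organisation's own intake review), not from the same download location as the artefact, otherwise the check only confirms that the file matches whatever was served.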