24 controls for AI security

Requirement: Enforce MFA for cloud consoles and code repos. Restrict access to model weights, prompt repositories, and fine-tuning data to approved ML engineers.

Evidence: Access review logs; IdP configuration; model repo permission screenshots.

Requirement: Use AES-256 for databases and TLS 1.2+ for all traffic. Encrypt vector database volumes and embeddings in transit.

Evidence: KMS policies; storage encryption settings; TLS test report.

Requirement: All user inputs pass through a guardrail layer that detects and blocks prompt injection patterns before model execution.

Evidence: Middleware code; prompt-injection pen test results; blocked request logs.

Requirement: Scan model outputs for malicious payloads or unsafe links before rendering to users.

Evidence: Output filtering configuration; logs of blocked outputs.

Requirement: Incident response includes AI-specific scenarios and a kill switch to disable tool use or external API access.

Evidence: IR playbooks; tabletop exercise report simulating runaway model behavior.

Requirement: Log prompts, tool calls, and retrieval events with tamper-resistant storage. Alert on abnormal prompt patterns or elevated refusal rates.

Evidence: Logging architecture diagram; SIEM alert rules; sample alert tickets.

Requirement: AI agents only receive scoped tool access, with explicit allowlists for external APIs and file access.

Evidence: Tool permission manifests; access approval records.

Requirement: Tag data as Public, Confidential, or Restricted. Embeddings inherit classification and are filtered by user role.

Evidence: Data flow diagrams; vector DB metadata schema; access policy rules.

Requirement: Retrieval enforces user permissions before a chunk enters the context window.

Evidence: Retrieval policy tests; screenshots of denied queries.

Requirement: Contracts with LLM providers include explicit no-training or zero-retention terms.

Evidence: Vendor agreements; API settings showing retention disabled.

Requirement: Enforce isolation between user sessions and cryptographically verify context window reset between sessions.

Evidence: Session management code review; penetration test attempting cross-session leakage.

Requirement: Detect and mask PII before embedding to prevent irreversible exposure in vector stores.

Evidence: Pipeline configuration; scrubber logs and sample redaction reports.

Requirement: Remove secrets or API keys from prompts and outputs using pattern detection and secret scanning.

Evidence: Secret scanning configuration; blocked secret leakage logs.

Requirement: Maintain backups for model registries and prompt configs with tested rollback within minutes.

Evidence: Rollback test logs; model registry screenshots.

Requirement: Apply token-level limits to prevent model DoS and runaway compute costs.

Evidence: API gateway configuration; rate limit logs.

Requirement: Track time-to-first-token and end-to-end latency with SLA thresholds.

Evidence: Monitoring dashboards; alert configurations.

Requirement: Forecast GPU usage and enforce budget alerts to prevent overload or outage during spikes.

Evidence: Capacity plan; billing alerts; autoscaling policies.

Requirement: Document third-party model dependencies and establish a failover plan or graceful degradation path.

Evidence: Dependency map; failover runbook; outage simulation report.

Requirement: Run a golden set evaluation on every model or prompt change; maintain a defined quality threshold.

Evidence: CI/CD evaluation logs; versioned evaluation dataset.

Requirement: For RAG, force the model to prioritize retrieved context with low temperature settings for factual tasks.

Evidence: System prompt configuration; grounding metrics.

Requirement: If retrieval confidence is low, the system refuses or escalates instead of fabricating an answer.

Evidence: Refusal logs; confidence threshold logic.

Requirement: Route calculations, dates, and compliance logic to deterministic code paths rather than the model.

Evidence: Architecture diagram; function-calling or tool-use code.

Requirement: Sample production outputs and measure hallucination rates with defined remediation thresholds.

Evidence: Sampling plan; review logs; remediation tickets.

Requirement: Treat prompts and model configs as production code with version control and change approvals.

Evidence: Git history for prompt/config files; change request tickets.

Requirement: A domain expert reviews a sample of outputs before promotion to production.

Evidence: Sign-off records; review checklist.

Requirement: Use canary or staged rollouts with defined rollback triggers for prompt or model updates.

Evidence: Release pipeline logs; rollback criteria documentation.

Requirement: Document the expected impact of changes on safety, reliability, and customer-facing behavior.

Evidence: Change impact templates; review meeting notes.