AI Governance Library

Critical AI Security Guidelines, v1.2

A comprehensive and technically rigorous blueprint for securing AI systems, especially LLMs and agentic AI, covering access controls, deployment strategies, data protection, inference security, monitoring, and regulatory compliance.
Jakub Szarmach
3 min read
Critical AI Security Guidelines, v1.2
Critical AI Security Guidelines, v1.2
Critical AI Security Guidelines, v1.2.pdf
1 MB
download-circle

⚡ Quick Summary

The Critical AI Security Guidelines v1.2 by SANS offers an expert-driven, tactical playbook for defending modern AI systems. Developed with contributions from cybersecurity leaders (Fortinet, SAP, Palo Alto Networks, OWASP AI, etc.), the draft outlines end-to-end recommendations across six domains: access control, data protection, deployment, inference security, monitoring, and GRC. With a clear emphasis on risks such as model tampering, prompt injection, data poisoning, and the threat of insecure public models, the paper provides up-to-date and nuanced advice grounded in current adversarial realities. It goes beyond reactive controls, proposing architectural shifts like zero trust and AIBOM, and highlights the pressing need for incident readiness and red teaming in AI-specific contexts.

🧩 What’s Covered

The document is structured around six primary control categories critical to AI security:

  1. Access Controls – Advocates zero trust models, TEE-based protections, and layered access strategies for models and vector databases. Real-world threats like auditor model subversion are explored to show how misaligned access can be exploited .
  2. Data Protection – Details threats to training and augmentation data. It warns about data commingling in RAG systems, the sensitivity of prompt data, and the use of anonymization and encryption to mitigate risks .
  3. Deployment Strategies – Evaluates trade-offs between local vs. cloud model hosting. It flags IDE integration risks (e.g., API key leakage in VSCode) and encourages caution with third-party model repositories like HuggingFace due to potential backdoors or malware-wrapped packages .
  4. Inference Security – Covers prompt injection, multilingual jailbreaks, unsafe encoding (Base64, Hex), and the use of inference guardrails. Emphasizes the importance of output validation, input sanitization, and separation of user/system prompt contexts .
  5. Monitoring – Urges tracking of inference refusals, continuous logging, and drift detection. Page 12’s Figure 2summarizes best practices like logging sensitive outputs, audit protections, and integration with existing security controls.
  6. GRC (Governance, Risk, Compliance) – Discusses AI risk boards, AIBOMs, and model registries. It includes an annotated Table 1 (page 14) listing global regulatory frameworks: EU AI Act, EO 14110, China’s interim generative AI rules, and the ELVIS Act, among others.

The guidelines conclude with a practical incident response framework tailored to AI-specific breaches (e.g., model poisoning, unauthorized model extraction), urging model integrity baselines, red teaming, and forensic logging across the entire AI stack .

💡 Why it matters?

This resource stands out for its operational maturity. Unlike high-level policy guides, it targets practitioners tasked with real-world AI deployments—engineers, CISOs, and red teams. Its relevance is amplified by today’s rising threats from public model tampering, agentic autonomy, and the use of LLMs in critical business functions. The guide bridges gaps between AI innovation and enterprise-grade security, emphasizing that AI misuse isn’t theoretical—it’s already here. By contextualizing LLM risks in terms familiar to infosec professionals (e.g., SBOM → AIBOM, model registries, sandboxing), it aligns AI governance with proven cybersecurity strategies.

❓ What’s Missing

  • Maturity model or prioritization: No risk-tiering to help resource-constrained teams decide which controls to implement first.
  • Real-world case studies: The guidance would benefit from practical deployment examples or failure retrospectives (e.g., misconfigured vectorDB, sandbox escapes).
  • Tooling references: Beyond OWASP links, there’s limited mention of specific open-source or commercial tools that teams can adopt for monitoring or red teaming AI.
  • Vendor guidance: While AWS, Azure, and Google are briefly referenced, their specific capabilities (e.g., fine-tuned guardrails, trust layers) are underexplored.

👥 Best For

  • Security engineers deploying LLMs or agent-based AI
  • CISOs integrating AI into existing security frameworks
  • AI red teams testing prompt injection and model poisoning vectors
  • GRC professionals mapping regulatory exposure across AI systems
  • AI product owners looking to shift left on security-by-design

📄 Source Details

TitleCritical AI Security Guidelines, v1.2

Authors: 25+ contributors from Fortinet, SAP, HiddenLayer, Binary Defense, OWASP AI, US Congress, and others

Publisher: SANS Research Program

License: CC BY 4.0

Date: Draft v1.2 (2025)

📝 Thanks to

The SANS Institute team and contributors including Jason Ross (OWASP AI), Jochen Staengler (BSI), Sounil Yu (Knostic AI), and others for shaping a robust, actionable AI security framework.

Guide
About the author
Jakub Szarmach

Jakub Szarmach

Read next

OWASP AI Maturity Assessment

Administering and Governing Agents Microsoft (2024)

AI Act Guide – Version 1.1 (September 2025)

AI Alignment vs AI Ethical Treatment: Ten Challenges

AI GOVERNANCE – A Framework for Responsible and Compliant Artificial Intelligence (September 2025)

AI Governance Library

Curated Library of AI Governance Resources

AI Governance Library

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to AI Governance Library.

Your link has expired.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.