Securing the AI Attack Surface
A cross-cutting capability, not a lifecycle stage. Five pillars for defending enterprise AI end to end — input defense, data & supply chain, access & least privilege, output & content safety, and detection & response — plus a 10-control AI Security Baseline mapped to OWASP's LLM Top 10 and MITRE ATLAS. Prompt injection has no perfect defense; agents that act multiply the blast radius.
By Tom Ward, Enterprise Architect — Cloud & AI

The five security pillars
Input Defense
“Untrusted input is the attack”Prompt injection — untrusted content carrying instructions that hijack the model — has no perfect defense today, and that is the single most important fact for a security team. You can't filter your way to safety; you contain damage through layered controls and least privilege. Input defense is the first layer: shields, jailbreak screening, and treating every input the model consumes as potentially hostile.
Data & Supply Chain
“Trust what you train and ground on”An AI system is only as trustworthy as what went into it. Data poisoning (corrupting what the model learns or retrieves) and supply-chain compromise (a tampered model or dependency) are attacks with no analog in a traditional app, invisible unless you've built provenance to detect them. Know where every model came from, verify integrity, vet dependencies, and control who can write to your corpora.
Access & Least Privilege
“An agent's reach is its risk”Because injection can't be fully prevented, security comes down to what a compromised model can actually do — a question of access, not prompts. An agent inherits the blast radius of every credential and tool you hand it, and can act thousands of times a minute. It should never hold permissions its accountable human owner doesn't; scope every tool to the task. This ties straight to the autonomy ladder in Part 4.
Output & Content Safety
“What comes out can hurt too”Output is an attack surface in its own right: it can leak PII or secrets from context, emit harmful content, or — most subtly — produce output a downstream system executes without sanitizing (insecure output handling). Treat every output as untrusted until filtered. Content safety and PII redaction on the way out, plus strict handling of anything a database, browser, or shell will act on.
Detection & Response
“Assume breach; rehearse it”Because you can't prevent every attack, you must see and stop one. Adversarial red-teaming finds weaknesses before attackers do; monitoring surfaces anomalous prompts and actions; and a rehearsed, AI-specific incident-response plan turns an incident from existential to managed. Red-teaming especially deserves a standing cadence — AI systems fail in ways functional testing never finds.
The AI Security Baseline
Ten controls that turn “we take AI security seriously” into something you can evidence — mapped to the OWASP Top 10 for LLM Applications and MITRE ATLAS, the vocabulary your security team already recognizes.
- Trusted and untrusted inputs are separated, and injection/jailbreak shields screen everything the model treats as instructions.
- Least-privilege by design — no agent holds access its human owner doesn't, and every tool is scoped to the task.
- Every action an agent can take has a known, bounded blast radius, with rate limits on writes to systems of record.
- Model provenance is verified — you know where each model came from and check its integrity before it runs.
- Retrieval corpora are write-controlled, so an attacker can't plant indirect-injection content in your knowledge base.
- Output is filtered like input — PII redaction and content safety on the way out, and no model output is executed unsanitized.
- Secrets never enter model context where they could leak into a response.
- Adversarial red-teaming runs on a standing cadence, not just once before launch.
- Monitoring watches behavior — anomalous prompts, actions, and outputs — not just infrastructure health.
- An AI-specific incident-response plan has been rehearsed against a real scenario.
Going deeper
Sources worth your time, roughly in the order a program team should read them.
- OWASP Top 10 for LLM ApplicationsThe canonical LLM threat list — prompt injection, insecure output handling, data poisoning, excessive agency. Start here.
- MITRE ATLASThe adversarial threat landscape for AI systems, in the familiar ATT&CK style — your red team's map.
- NIST — Adversarial Machine Learning Taxonomy (AI 100-2)The authoritative taxonomy of attacks and mitigations for ML and generative systems.
- Google — Secure AI Framework (SAIF)A practitioner's framework for securing AI systems across their lifecycle.
- Microsoft — AI Red TeamPractical guidance on adversarially testing AI systems, from a team doing it at scale.
- Cloud Security Alliance — AIVendor-neutral research and guidance on securing AI in the enterprise.
- NIST AI Risk Management FrameworkTies security into the broader governance model — where AI risk is owned and managed.
Next parts ship over the coming weeks.
Get the next part by email