Security Architecture for AI Systems — Risk Management

Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 05 Nov 2025 • www.zenaigovernance.com

Security Architecture for AI Systems

EU AI Act Compliance • Risk Management • EU/UK aligned
Key takeaways
  • Assume prompt injection, data exfiltration, model abuse, and compromised integrations — design for failure.

Threats & scenarios

  • Prompt injection & tool abuse; data poisoning; model stealing; jailbreaks; lateral movement via plugins.

Boundaries & isolation

  • Network segregation, tenant isolation, per-project environments; least-privilege services; deny-by-default egress.

Secrets & tokens

  • Short-lived tokens; audience scoping; vault-backed rotations; no secrets in prompts or logs.

Egress & provenance

  • HTTP allow-lists; provenance checks for RAG sources; content hashing; watermark verification.
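As an added illustration of the two controls named above, an exact-host HTTPS egress allow-list and a content-hash provenance check for retrieved RAG chunks. This is example code written for this page, not Zen AI Governance's own tooling; the host names, documents and ingestion manifest are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed policy: the only hosts the AI service may reach (deny-by-default egress).
EGRESS_ALLOW_HOSTS = {"api.example-internal.test", "vectorstore.example-internal.test"}


def egress_allowed(url: str) -> bool:
    """HTTPS-only, exact-host allow-list check for outbound calls made on behalf of a model.

    Exact matching (not suffix or substring) matters: otherwise a look-alike such as
    api.example-internal.test.attacker.test, or a user-info form like
    https://api.example-internal.test@attacker.test/, would slip through.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in EGRESS_ALLOW_HOSTS


def content_hash(data: bytes) -> str:
    """SHA-256 of a document exactly as it was approved for ingestion."""
    return hashlib.sha256(data).hexdigest()


# Constructed RAG corpus and the manifest recorded at ingestion time (doc id -> hash).
APPROVED_DOCS = {
    "refund-policy": b"Refunds are issued within 14 days of a valid request.",
    "escalation-guide": b"Escalate to a human reviewer before any account closure.",
}
RAG_MANIFEST = {doc_id: content_hash(body) for doc_id, body in APPROVED_DOCS.items()}


def verify_rag_source(doc_id: str, data: bytes) -> bool:
    """True only if the retrieved chunk is an unmodified copy of an approved document."""
    expected = RAG_MANIFEST.get(doc_id)
    if expected is None:  # unknown source: no provenance record, so reject
        return False
    return hmac.compare_digest(content_hash(data), expected)


def filter_retrieved(chunks: list[tuple[str, bytes]]) -> list[str]:
    """Keep only verified chunks for the prompt; callers should log the dropped ids."""
    return [data.decode() for doc_id, data in chunks if verify_rag_source(doc_id, data)]
```

Rejected chunks and blocked URLs are the events worth alerting on, since either indicates a poisoned store or a model being steered toward an unapproved destination.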

Guardrails & filters

  • Input/output filters; safety classifiers; policy rules; jailbreak pattern blocks; sensitive action approvals.

Tooling & sandboxing

  • Function/tool sandboxes; resource quotas; file-system restrictions; constrained interpreters.

Observability & alerts

  • Safety/abuse metrics; anomaly detection; on-call paging; evidence bundles for incidents; dashboards per user cohort.

Supply chain & SBOM

  • Signed artifacts; SBOM; dependency pinning & scanning; supplier attestations and incident SLAs.

Vulnerability management

  • Detect → assess → patch → verify; tracked against risk register; public CVE handling; disclosure policy.

Resilience & DR

  • Multi-AZ/region; backups; failover; downgrade modes; recovery tests; runbooks with RTO/RPO.

Security testing

  • Threat modelling; red team prompts; penetration tests; purple team drills; tabletop exercises.

Security checklist

  • Boundaries enforced; secrets managed; guardrails live; observability & incident process operational; evidence captured.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.
