![\"\"](\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeBVzzbq4N029qf31udLK89vZYg0gBNzRwagRRcMUjxi-GlXm6FmJDgipuN2pj_M5hN6ocvBB8BUnwj32N2f_LlYnNA5M1_z14vNS4_FYhLsu-wIFBYAZmiavILEKqBmks9ie6J2lN0XiyejW0-6ZE52AMg2fJF85cvTEXP1379gTcEeoLhKKLeg6Wf2Y/s790-rw-e365/secure-ai.jpg\")
AI technology presents exciting opportunities for enhancing cybersecurity and simplifying the work of security professionals. By leveraging AI, teams can better manage alert overload, identify patterns more efficiently, and achieve a scale that surpasses human capabilities. However, the successful realization of these benefits relies on ensuring the security of the systems enabling AI.
Any organization incorporating AI into their security operations is inadvertently expanding their potential attack surface. Without robust governance, stringent identity controls, and insight into AI decision-making processes, even well-intentioned AI deployments can introduce risks faster than they mitigate them. To fully harness the power of AI, security professionals must approach its security with the same level of diligence applied to safeguarding other critical systems. This involves establishing trust in the data AI learns from, holding it accountable for its actions, and overseeing the outcomes it generates. When properly secured, AI can complement human capabilities instead of replacing them, enabling practitioners to work more efficiently, respond promptly, and defend effectively.
Building Trust for Autonomous AI Systems
As organizations integrate AI into defensive processes, identity security emerges as a fundamental element of trust. Each model, script, or autonomous agent operating in a production environment represents a new identity with the ability to access data, issue commands, and impact defensive results. In the absence of proper governance, these tools designed to enhance security can inadvertently introduce vulnerabilities.
The rise of Autonomous AI systems underscores the significance of this aspect. These systems not only analyze but also have the potential to act without human intervention. They may prioritize alerts, provide context, or trigger response protocols under delegated authority from human operators. Each action essentially involves a transaction of trust, necessitating identity binding, policy-based authentication, and end-to-end auditability.
The same security principles applicable to individuals and services must now extend to AI agents:
- Restricted credentials and least privilege to ensure each model or agent only accesses necessary data and functions.
- Rigorous authentication and key rotation to prevent impersonation or credential compromise.
- Activity origin and audit trail to trace, validate, and reverse every action initiated by AI.
- Isolation and segmentation to prevent unauthorized access between agents, ensuring that a compromised process cannot influence others.
In practice, this involves treating each autonomous AI system as a primary identity within the Identity and Access Management (IAM) framework. Each system should have an assigned owner, lifecycle policy, and monitoring scope akin to any user or service account. Security teams should continuously verify the capabilities of these agents, not just their intended functions, as capabilities often evolve more rapidly than design. With identity serving as the cornerstone, defenders can then focus on securing the broader system.
Securing AI: Recommended Practices for Success
The first step in securing AI is safeguarding the underlying systems that support it— the models, data pipelines, and integrations woven into everyday security operations. Similar to securing networks and endpoints, AI systems must be treated as critical infrastructure necessitating layered and continuous defense.
The SANS Secure AI Blueprint outlines a Protect AI track that serves as a clear starting point. Rooted in the SANS Critical AI Security Guidelines, this blueprint outlines six control domains that directly translate into actionable steps:
- Access Controls: Enforce least privilege and robust authentication for every model, dataset, and API. Continuously log and review access to prevent unauthorized usage.
- Data Controls: Validate, sanitize, and classify all data used for training, augmentation, or inference. Secure storage and lineage tracking mitigate the risk of model poisoning or data exposure.
- Deployment Strategies: Strengthen AI pipelines and environments through sandboxing, CI/CD gating, and red-teaming prior to deployment. Regard deployment as a controlled, auditable process, not an experiment.
- Inference Security: Shield models from prompt injection and misuse by enforcing input/output validation, guardrails, and escalation paths for critical actions.
- Monitoring: Continuously monitor model behavior and output for deviations, anomalies, and signs of compromise. Effective telemetry enables defenders to detect manipulation before it proliferates.
- Model Security: Version, sign, and verify models throughout their lifecycle to ensure authenticity and prevent unauthorized alterations or retraining.
These controls align closely with NIST’s AI Risk Management Framework and the OWASP Top 10 for LLMs, which highlight common vulnerabilities in AI systems— from prompt injection and insecure plugin integrations to model poisoning and data exposure. Implementing mitigation strategies from these frameworks within these six domains helps operationalize guidance into defense measures. Once these foundational elements are in place, teams can then focus on responsibly leveraging AI by discerning when to trust automation and when to involve human intervention.
Striking a Balance between Augmentation and Automation
AI systems offer support to human practitioners akin to an always-on intern. However, it is crucial for security teams to distinguish between tasks suitable for automation and those requiring augmentation. Certain activities lend themselves well to full automation, particularly those that are repetitive, quantifiable, and low-risk in case of errors. Conversely, tasks demanding human oversight due to context, intuition, or ethical considerations should not be fully automated.
Processes such as threat enrichment, log parsing, and alert deduplication are prime candidates for automation. These tasks are data-centric, pattern-driven operations where consistency surpasses creativity. On the other hand, incident scoping, attribution, and response decisions rely on contextual nuances that AI may not fully comprehend. In these scenarios, AI should aid by highlighting indicators, suggesting next steps, or summarizing findings while practitioners retain decision-making authority.
Striking this balance necessitates a mature approach to process design. Security teams should categorize workflows based on their tolerance for error and the repercussions of automation failure. Where the risk of false positives or overlooking nuances is high, human involvement should be maintained. Where precision can be objectively measured, AI can expedite processes.
Join us at SANS Surge 2026!
For a deeper dive into this topic, join me for the keynote session at SANS Surge 2026 (Feb. 23-28, 2026), where we will explore how security teams can confidently rely on AI systems. If your organization is rapidly adopting AI, this event will guide you towards a more secure implementation. Participate to connect with peers, learn from experts, and witness secure AI practices in action.
Register for SANS Surge 2026 here.
Note: This article was contributed by Frank Kim, SANS Institute Fellow.
