1. Integrating Security into AI Architectures
Introduction
Every attack you studied in Chapter 2 shares a common thread: they exploit gaps where security wasn’t designed in from the start. Prompt injection succeeds when input validation is an afterthought. Data poisoning persists when training pipelines lack integrity checks. Model theft goes undetected when monitoring is bolted on rather than built in. The attacks are varied, but the root cause is the same – security was treated as a feature to add later, not a principle to build around.
This section bridges the gap between knowing the attacks and building the defenses. You’ll learn how traditional DevSecOps extends to AI systems, how to threat-model an LLM deployment, and how a shared responsibility model divides defense duties between AI providers and enterprise security teams. By the end, you’ll have the architectural mindset needed for the Blueprint layers that follow in Sections 2-8.
What will I get out of this?
By the end of this section, you will be able to:
- Extend DevSecOps to AI systems by identifying where AI-specific security checkpoints fit into the development lifecycle.
- Apply threat modeling to LLM deployments using STRIDE adapted for AI, covering prompt processing, data pipelines, and agentic tool use.
- Describe the shared responsibility model for AI security and distinguish between what AI providers handle and what enterprises must secure themselves.
- Map Chapter 2’s OWASP attack framework to defense strategies, connecting each vulnerability category to the defense approach covered in this chapter.
DevSecOps for AI
Traditional DevSecOps integrates security into every phase of the software development lifecycle – planning, coding, building, testing, deploying, and monitoring. AI systems follow the same principle but add stages that traditional software doesn’t have: data curation, model training, fine-tuning, and inference monitoring. Each of these stages requires its own security checkpoints.
The AI-Adapted DevSecOps Pipeline
graph LR
P["Plan<br/><small>Threat Model</small>"]
D["Develop<br/><small>Secure Coding</small>"]
T["Train<br/><small>Data Integrity</small>"]
V["Validate<br/><small>Red Team Testing</small>"]
De["Deploy<br/><small>Container Scanning</small>"]
M["Monitor<br/><small>Runtime Protection</small>"]
F["Feedback<br/><small>Incident Response</small>"]
P --> D --> T --> V --> De --> M --> F
F -.->|"Continuous<br/>Improvement"| P
SP["Security Checkpoint:<br/>AI Threat Model Review"]
SD["Security Checkpoint:<br/>Prompt Hardening, Dependency Audit"]
ST["Security Checkpoint:<br/>Data Lineage, Poisoning Detection"]
SV["Security Checkpoint:<br/>AI Scanner Assessment,<br/>Adversarial Testing"]
SDe["Security Checkpoint:<br/>Model Integrity Verification,<br/>AI-SPM Posture Check"]
SM["Security Checkpoint:<br/>AI Guard Runtime Filters,<br/>Anomaly Detection"]
SP -.-> P
SD -.-> D
ST -.-> T
SV -.-> V
SDe -.-> De
SM -.-> M
style P fill:#2d5016,color:#fff
style D fill:#2d5016,color:#fff
style T fill:#2d5016,color:#fff
style V fill:#2d5016,color:#fff
style De fill:#2d5016,color:#fff
style M fill:#2d5016,color:#fff
style F fill:#2d5016,color:#fff
style SP fill:#1C90F3,color:#fff
style SD fill:#1C90F3,color:#fff
style ST fill:#1C90F3,color:#fff
style SV fill:#1C90F3,color:#fff
style SDe fill:#1C90F3,color:#fff
style SM fill:#1C90F3,color:#fff
The key difference from traditional DevSecOps: the Train and Validate stages are entirely new, and the Monitor stage gains AI-specific responsibilities (prompt/response filtering, behavioral anomaly detection, cost monitoring).
What Changes for AI?
| DevSecOps Stage | Traditional Focus | AI-Specific Additions |
|---|---|---|
| Plan | Threat modeling, architecture review | AI-specific threat categories (OWASP LLM Top 10), data supply chain risk assessment |
| Develop | Secure coding, dependency scanning | Prompt hardening, system prompt design, guardrail configuration |
| Train | (not applicable) | Data lineage tracking, poisoning detection, bias evaluation, training data access controls |
| Validate | Penetration testing, code review | AI red-teaming, adversarial input testing, prompt injection testing (AI Scanner) |
| Deploy | Container scanning, config management | Model integrity verification, AI-SPM posture checks, model artifact signing |
| Monitor | SIEM, intrusion detection | Runtime prompt/response filtering (AI Guard), cost anomaly detection, drift monitoring |
| Feedback | Incident response, patch management | AI incident playbooks, model retraining triggers, guard rule updates |
Defense Connection
The DevSecOps testing phase directly addresses the prompt injection techniques and jailbreaking methods covered in Chapter 2 by integrating AI-specific security testing before deployment. Rather than discovering prompt injection vulnerabilities in production, organizations catch them during the Validate stage through AI Scanner assessment and adversarial testing.
AI Threat Modeling
Threat modeling for AI systems builds on established methodologies but adapts them for the unique attack surfaces of LLM deployments. The goal is the same as traditional threat modeling: systematically identify what can go wrong, assess the risk, and design mitigations before deployment.
STRIDE Adapted for AI
STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is one of the most widely used threat modeling frameworks. Here’s how each category applies to AI systems:
| STRIDE Category | Traditional Application | AI-Specific Application |
|---|---|---|
| Spoofing | Impersonating users or services | Agent identity spoofing, deepfake-generated credentials, impersonating legitimate MCP servers |
| Tampering | Modifying data in transit or at rest | Training data poisoning, RAG corpus manipulation, model weight tampering, memory/context poisoning |
| Repudiation | Denying actions were performed | AI-generated content attribution, agent action audit gaps, missing tool call logs |
| Information Disclosure | Unauthorized data access | System prompt leaking, training data extraction, PII in model responses, embedding inversion attacks |
| Denial of Service | Resource exhaustion | Unbounded consumption, context window stuffing, GPU exhaustion, API cost amplification |
| Elevation of Privilege | Gaining unauthorized access | Prompt injection escalating to tool use, agent privilege abuse, excessive agency exploitation |
Threat Model for an LLM Deployment
The diagram below shows a threat model for a typical enterprise LLM deployment. Each numbered threat maps to an OWASP category, and each defense control maps to a Blueprint layer you’ll learn in subsequent sections.
graph TB
subgraph "External"
U["End Users"]
A["Attackers"]
end
subgraph "Access Layer"
GW["API Gateway /<br/>AI Gateway"]
PF["Prompt Filter"]
RF["Response Filter"]
end
subgraph "Application Layer"
LLM["LLM Engine"]
RAG["RAG Pipeline"]
TOOLS["Tool / Agent<br/>Executor"]
end
subgraph "Data Layer"
VS["Vector Store"]
TD["Training Data"]
MEM["Conversation<br/>Memory"]
end
U -->|"Prompts"| GW
A -->|"1. Prompt Injection<br/>(LLM01)"| GW
GW --> PF --> LLM
LLM --> RF --> GW
LLM -->|"Retrieval queries"| RAG
RAG --> VS
LLM -->|"Tool calls"| TOOLS
A -.->|"2. Data Poisoning<br/>(LLM04)"| TD
A -.->|"3. RAG Poisoning<br/>(LLM08)"| VS
A -.->|"4. Memory Poisoning<br/>(ASI06)"| MEM
TD -.-> LLM
MEM --> LLM
style A fill:#8b0000,color:#fff
style U fill:#2d5016,color:#fff
style GW fill:#1C90F3,color:#fff
style PF fill:#1C90F3,color:#fff
style RF fill:#1C90F3,color:#fff
style LLM fill:#2d5016,color:#fff
style RAG fill:#2d5016,color:#fff
style TOOLS fill:#cc7000,color:#fff
style VS fill:#cc7000,color:#fff
style TD fill:#cc7000,color:#fff
style MEM fill:#cc7000,color:#fff
The numbered threats in this diagram correspond to the attack categories you studied in Chapter 2. The blue-shaded defense controls (API Gateway, Prompt Filter, Response Filter) correspond to Blueprint Layer 5 (Secure Access to AI Services), which you’ll study in detail in Section 7. The orange-shaded components (Tool Executor, Vector Store, Training Data, Memory) are the at-risk assets that multiple Blueprint layers protect.
Defense Connection
This threat model directly maps to the AI lifecycle attack surface you studied in Chapter 2 Section 1. Where that diagram showed attack vectors at each lifecycle stage, this diagram shows where defense controls intercept those vectors. The two diagrams are complementary – attack surface mapping drives threat model design.
The Shared Responsibility Model for AI Security
Cloud computing established the shared responsibility model: the provider secures the infrastructure, the customer secures their data and applications. AI systems follow a similar pattern, but with additional layers that reflect the unique components of AI deployments.
Who Secures What?
| Responsibility Area | AI Provider (e.g., OpenAI, Anthropic) | Enterprise Security Team |
|---|---|---|
| Base model safety | Model alignment, safety training, content policies | Validate model safety for your use case, monitor for drift |
| API infrastructure | API availability, DDoS protection, encryption in transit | API key management, rate limiting, cost controls |
| Model weights | Protect proprietary weights from extraction | Protect fine-tuned weights, adapter security, model artifact integrity |
| Training data | Curate pre-training data, remove PII at scale | Curate fine-tuning data, RAG corpora integrity, data classification |
| Prompt/response filtering | Basic content filtering in hosted APIs | Custom guardrails, domain-specific filtering, AI Guard deployment |
| Tool and agent security | (typically not provided) | Tool allowlisting, permission scoping, execution monitoring, agent guardrails |
| User authentication | API authentication mechanisms | User identity management, RBAC for AI features, session controls |
| Compliance and auditing | SOC 2, data processing agreements | Industry-specific compliance (HIPAA, PCI-DSS), audit logs, AI governance |
The critical gap: most of the security responsibility for production AI deployments falls on the enterprise, not the AI provider. Providers offer safe base models and basic API infrastructure, but everything from prompt hardening to agent security to data classification is the enterprise’s responsibility.
The Self-Hosted Responsibility Shift
When organizations self-host models (using open-source LLMs, on-premises GPU clusters, or private cloud deployments), the responsibility boundary shifts dramatically. The enterprise takes on nearly all responsibilities – including model infrastructure security, weight protection, and even base model safety validation.
This is directly relevant to the infrastructure attacks covered in Chapter 2 Section 4: serialization exploits, adversarial inputs, and denial of service attacks all target components that self-hosting organizations must secure themselves.
From Attack Taxonomy to Defense Strategy
Chapter 2 gave you the attack vocabulary – the OWASP LLM Top 10, the Agentic AI Top 10, and the MITRE ATLAS framework. This chapter translates that vocabulary into defense architecture.
The mapping follows a simple principle: every attack category implies a defense requirement, and every defense requirement maps to one or more Blueprint layers.
| Attack Domain (Chapter 2) | Defense Approach (Chapter 3) | Blueprint Layer(s) |
|---|---|---|
| Prompt-level attacks (S2) | Input/output filtering, prompt hardening | Layer 5 (Access), Layer 6 (Zero-Day) |
| Data and training attacks (S3) | Data integrity, DSPM, supply chain scanning | Layer 1 (Data), Layer 2 (Models) |
| Model and infrastructure attacks (S4) | Container security, posture management | Layer 2 (Models), Layer 3 (Infrastructure) |
| Agentic attack vectors (S5) | Tool controls, execution monitoring, ZTSA | Layer 3 (Infrastructure), Layer 5 (Access) |
| Output and trust exploitation (S6) | Response filtering, human-in-the-loop | Layer 4 (Users), Layer 5 (Access) |
| SLM threats (S7) | Endpoint security, edge model governance | Layer 4 (Users), Layer 6 (Zero-Day) |
The next section introduces the Blueprint framework in full detail. You’ll see how these six layers stack together into a defense-in-depth architecture, with Trend Vision One providing unified visibility across all layers.
Defense Connection
The attack-to-defense mapping above connects every section from Chapter 2 to a specific defense strategy. As you progress through the Blueprint layers in Sections 3-8, you’ll see these mappings become concrete controls with real product capabilities behind them.
Defense Perspective: Microsoft LLMjacking
The attack (from Chapter 2 Section 1): Attackers stole Azure OpenAI API credentials and resold access for harmful content generation, costing victims over $100,000 per day.
What integrated security architecture would have caught:
An organization with AI-adapted DevSecOps would have had multiple detection points for this attack:
- Plan phase: Threat modeling would have identified API credential theft as a high-risk scenario, leading to credential rotation policies and monitoring requirements.
- Deploy phase: AI-SPM posture management would have flagged API keys stored in public repositories or without rotation policies (a common credential harvesting vector).
- Monitor phase: Cost anomaly detection would have triggered alerts when consumption patterns deviated from baseline – catching the unauthorized usage within hours, not days.
- Feedback phase: Incident response playbooks with automated credential revocation would have contained the damage immediately.
The key insight: no single control stops this attack. It’s the integration of security across the full lifecycle – posture management (Layer 3), access controls (Layer 5), and anomaly detection (Layer 6) working together – that turns a catastrophic breach into a contained incident.
Key Takeaways
- AI security requires integrating security checkpoints into every phase of the AI-adapted DevSecOps lifecycle, including the new Train and Validate stages
- STRIDE threat modeling extends to AI systems by mapping each category to AI-specific threats such as training data tampering, system prompt leaking, and prompt injection escalating to tool use
- The shared responsibility model places most production AI security on the enterprise, not the AI provider – especially prompt hardening, agent security, and data classification
- Every OWASP attack category from Chapter 2 maps to a specific defense approach and Blueprint layer, creating a systematic attack-to-defense translation
Test Your Knowledge
Ready to test your understanding of AI security architecture? Head to the quiz to check your knowledge.
Up next
Now that you understand how security integrates into AI architectures, it’s time to see the defense framework that organizes it all. In the next section, you’ll explore the Security for AI Blueprint – a 6-layer defense architecture that maps every control to a specific protection domain.