<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>2. Security for AI Blueprint Overview :: Introduction to AI Security</title>
    <link>https://example.org/chapter3/s2/index.html</link>
    <description>Introduction In the previous section, you learned that AI security requires an integrated approach – DevSecOps adapted for AI, threat modeling for LLM deployments, and a shared responsibility model between providers and enterprises. But frameworks and principles only take you so far. What you need is a structured architecture that maps every defense control to a specific protection domain, so that when someone asks “are we protected against data poisoning?” you can point to a layer, name the controls, and show how they connect to the rest of the stack.</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <atom:link href="https://example.org/chapter3/s2/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Section 2 Quiz</title>
      <link>https://example.org/chapter3/s2/activity/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://example.org/chapter3/s2/activity/index.html</guid>
<description>Test Your Knowledge: Security for AI Blueprint Overview
Let’s see how much you’ve learned! This quiz tests your understanding of the 6-layer Blueprint framework, defense-in-depth principles, how the layers interrelate, and the role of Trend Vision One as a unified platform.

---
shuffle_answers: true
shuffle_questions: false
---

## A security team is evaluating their AI deployment against the Security for AI Blueprint. They&#39;ve secured their training data with DSPM, scanned their model containers, and configured IDS/IPS rules. Which Blueprint layers have they addressed?

&gt; Hint: Map each control to the specific layer it belongs to.

- [ ] Layers 1, 2, and 3 -- data, models, and infrastructure
  &gt; IDS/IPS is not Layer 3 (Infrastructure). Layer 3 covers posture management (AI-SPM), not network intrusion detection.
- [x] Layers 1, 2, and 6 -- data (DSPM), models (container scanning), and zero-day (IDS/IPS)
  &gt; Correct! DSPM maps to Layer 1 (Secure Your Data), container scanning maps to Layer 2 (Secure Your AI Models), and IDS/IPS maps to Layer 6 (Defend Against Zero-Day Exploits). They&#39;ve covered three layers but still need Layer 3 (Infrastructure posture), Layer 4 (User protection), and Layer 5 (Access controls).
- [ ] Layers 1, 3, and 5 -- data, infrastructure, and access
  &gt; Container scanning is Layer 2 (Models), not Layer 3 (Infrastructure). IDS/IPS is Layer 6 (Zero-Day), not Layer 5 (Access).
- [ ] All six layers -- these three controls provide complete coverage
  &gt; Three controls cannot cover all six layers. Each layer addresses a distinct protection domain. The team still needs infrastructure posture management (Layer 3), user protection (Layer 4), and access controls (Layer 5).

## Why does the Blueprint use a defense-in-depth approach with six overlapping layers rather than a single comprehensive security layer?

&gt; Hint: Think about what happens when any single security control fails.

- [ ] Six layers are needed because AI systems are six times more complex than traditional systems
  &gt; The number of layers isn&#39;t derived from relative complexity. Defense in depth is a design principle about redundancy and independent failure modes.
- [ ] Each layer addresses a different compliance requirement, and regulations mandate six layers
  &gt; The Blueprint&#39;s six layers are based on AI architecture domains, not compliance requirements. Compliance is addressed through the security controls within each layer.
- [x] Each layer provides independent protection so that even if an attacker bypasses one layer, they face additional barriers -- no single control is the only defense
  &gt; Correct! Defense in depth ensures redundancy. A prompt injection that bypasses Layer 5&#39;s prompt filter still faces Layer 6&#39;s anomaly detection, Layer 3&#39;s posture monitoring, and Layer 1&#39;s data access controls. The layers are independent -- bypassing one doesn&#39;t automatically bypass the others, forcing attackers to defeat multiple defense mechanisms.
- [ ] The six layers correspond to the six stages of the AI lifecycle
  &gt; The Blueprint layers map to protection domains (data, models, infrastructure, users, access, zero-day), not lifecycle stages. The AI-adapted DevSecOps pipeline from Section 1 covers lifecycle stages.

## According to the Blueprint&#39;s layer interrelationship model, how does Layer 1 (Data) inform Layer 5 (Access)?

&gt; Hint: Think about what Layer 1 knows that Layer 5 needs for its filtering decisions.

- [ ] Layer 1 provides encryption keys that Layer 5 uses for API authentication
  &gt; Encryption key management is infrastructure-level, not a direct Layer 1 to Layer 5 relationship. The connection between these layers is about data classification informing access decisions.
- [x] Data classification from Layer 1 determines what sensitivity levels require stricter prompt/response filtering in Layer 5 -- if RAG corpora contain PII, Layer 5 applies more aggressive output redaction
  &gt; Correct! Layer 1&#39;s data classification directly informs Layer 5&#39;s filtering policies. When Layer 1 identifies that RAG corpora contain PII or sensitive business logic, Layer 5&#39;s response filtering is configured to apply more aggressive redaction and blocking rules. The layers share information to create more intelligent defense.
- [ ] Layer 1 sends blocked data requests to Layer 5 for additional filtering
  &gt; Layer 1 manages data assets and access controls, not request routing. The relationship flows from Layer 1&#39;s classification intelligence to Layer 5&#39;s policy configuration.
- [ ] Layer 5 operates independently of Layer 1 because access controls and data controls are separate domains
  &gt; The Blueprint explicitly states that layers are not isolated silos -- they share data and inform each other&#39;s policies. Layer 1 and Layer 5 have a direct information-sharing relationship.

## An attacker attempts to extract PII from a model by crafting a prompt injection that bypasses Layer 5&#39;s prompt filter. The injection reaches the model, and the model generates a response containing a customer&#39;s email address. What prevents this data from reaching the attacker?

&gt; Hint: Consider the multiple stages of Layer 5&#39;s request flow and what happens after the model generates its response.

- [ ] Layer 1&#39;s DSPM detects the PII and blocks the response
  &gt; DSPM operates on data assets at rest and in transit, not on model inference responses in real time. The real-time defense against PII in responses is at the access layer.
- [ ] Layer 2&#39;s model scanning prevents the model from generating PII
  &gt; Layer 2 scans model artifacts and containers, not runtime model outputs. Model scanning is a pre-deployment control.
- [x] Layer 5&#39;s response filtering (output side) detects the PII pattern in the model&#39;s response and redacts or blocks it before it reaches the attacker
  &gt; Correct! Layer 5 operates in both directions -- input filtering catches injection attempts, and output filtering catches data leakage in responses. Even though the injection bypassed the input filter, the AI Gateway&#39;s output filter scans the model&#39;s response for PII patterns. The email address is detected and redacted before the response leaves the system. This is defense in depth within a single layer.
- [ ] Layer 6&#39;s behavioral detection flags the unusual response and blocks it
  &gt; While Layer 6 might eventually detect the anomalous behavior pattern, the immediate defense against PII in responses is Layer 5&#39;s response filtering, which operates on every response in real time.

## What is the primary role of Trend Vision One in the Blueprint architecture?

&gt; Hint: Consider the challenge of managing six separate defense layers.

- [ ] Trend Vision One replaces the need for individual layer controls by providing a single security solution
  &gt; Vision One doesn&#39;t replace layer-specific controls. Each layer has its own products and capabilities. Vision One provides unified visibility across all of them.
- [ ] Trend Vision One is the Layer 5 AI Gateway component
  &gt; While Vision One includes AI Gateway capabilities, its role in the Blueprint is broader than any single layer.
- [x] Trend Vision One provides a unified platform that integrates all six Blueprint layers into a single-pane-of-glass view, correlating signals across layers for holistic visibility
  &gt; Correct! Vision One&#39;s primary role is unification. Rather than managing six separate security consoles, Vision One correlates alerts across all layers -- tracing an attack from initial access (Layer 5) through infrastructure impact (Layer 3) to data exposure risk (Layer 1) in one investigation timeline. This reduces mean time to detection and eliminates visibility gaps between layers.
- [ ] Trend Vision One provides the zero-day threat intelligence for Layer 6 only
  &gt; Vision One contributes to all six layers, not just Layer 6. Its unified platform approach is the distinguishing characteristic in the Blueprint architecture.

## A prompt injection attack attempts to extract sensitive data. In the defense-in-depth diagram, the attack must penetrate Layer 6, Layer 5, Layer 3, and Layer 1 in sequence. What does Layer 3 (AI-SPM) contribute to stopping this attack?

&gt; Hint: Think about what AI-SPM monitors that would be relevant during an active attack.

- [ ] AI-SPM directly blocks the injection payload at the network level
  &gt; AI-SPM is a posture management tool, not a network-level blocker. It monitors configurations and risk posture, not individual traffic payloads.
- [ ] AI-SPM encrypts the sensitive data so it cannot be extracted
  &gt; Encryption is a Layer 1 (Data) control. AI-SPM manages infrastructure posture, not data encryption.
- [x] AI-SPM monitors infrastructure posture and generates alerts when it detects anomalous patterns -- such as unusual API access or configuration changes that might indicate the attack is progressing
  &gt; Correct! AI-SPM&#39;s contribution to stopping this attack is posture monitoring. If the attack causes unusual model endpoint behavior, triggers abnormal API access patterns, or exploits a misconfiguration, AI-SPM&#39;s continuous monitoring generates alerts. It doesn&#39;t block the injection directly, but it detects the infrastructure-level symptoms of a successful or in-progress attack.
- [ ] AI-SPM is not involved in stopping this attack because it only manages infrastructure, not prompts
  &gt; AI-SPM contributes to the defense-in-depth chain by monitoring infrastructure behavior. Even though it doesn&#39;t inspect prompts directly, it detects the infrastructure-level effects of an attack in progress.

## A startup is deploying its first LLM application and can only implement ONE Blueprint layer initially due to limited security budget. The application is a customer-facing chatbot with access to a product knowledge base. Which layer should they prioritize FIRST?

&gt; Hint: Consider which layer intercepts the most attack categories for a customer-facing chatbot, and think about what the most immediate runtime threats are for this deployment scenario.

- [ ] Layer 1 (Data) -- data is the foundation, so it should always be implemented first
  &gt; Layer 1 is foundational in the architecture diagram, but &#34;foundational&#34; doesn&#39;t mean &#34;implement first.&#34; For a customer-facing chatbot, the immediate threats are prompt injection, data leakage through responses, and abuse -- all runtime attacks at the access boundary. Data classification can wait until after the live attack surface is controlled.
- [ ] Layer 6 (Zero-Day) -- novel attacks are the most dangerous, so zero-day defense should come first
  &gt; Zero-day defense catches novel threats, but most attacks against a new chatbot will use known techniques (prompt injection, jailbreaking, PII extraction). Layer 6 is most valuable after other layers generate the threat intelligence baselines it depends on. Without Layer 5 feeding it blocked-attack data, Layer 6 has limited anomaly detection context.
- [x] Layer 5 (Access) -- the AI Gateway provides authentication, prompt/response filtering, rate limiting, and abuse prevention, intercepting the most OWASP attack categories at the customer-facing boundary
  &gt; Correct! Layer 5 is prioritized because it provides the highest coverage-to-cost ratio for a customer-facing chatbot. The judgment framework: (1) attack surface match -- a customer-facing chatbot&#39;s primary threats are prompt injection (LLM01), data leakage (LLM02), system prompt extraction (LLM07), and abuse, all intercepted by Layer 5; (2) OWASP coverage breadth -- Layer 5 maps to more OWASP categories than any other single layer; (3) dependency relationships -- Layer 5 generates the blocked-attack intelligence that Layer 6 needs for anomaly baselines, and Layer 5&#39;s filtering policies are more effective with Layer 1&#39;s data classification, but Layer 5 provides meaningful protection even without those dependencies. Starting here gives the startup immediate runtime defense while creating the foundation for adding other layers incrementally.
- [ ] Layer 3 (Infrastructure) -- infrastructure posture management prevents misconfigurations that expose everything
  &gt; AI-SPM is important for mature deployments, but a startup&#39;s first priority is defending the live customer interaction boundary. Infrastructure posture management monitors configurations and risk -- it doesn&#39;t intercept prompt injection or filter PII from responses. For a single chatbot deployment, Layer 3&#39;s value grows after the basic access controls are in place.</description>
    </item>
  </channel>
</rss>