Governance

Security

What it is, why it matters for businesses, and key questions to ask.

What it is

Security for AI covers access control (who can use the system and what data they can see), audit trails (who did what, when), breach risk, and supply chain security (trust in the models and providers you use).

Why it matters for businesses

AI systems handle sensitive data and can automate high-stakes decisions. A breach or misuse can expose customer data, IP, or internal strategy. Supply chain attacks: compromised models or poisoned training data are an emerging risk. Security must be built in, not bolted on.

Example workframe

Best practice

Principle of least privilege: only grant access needed for the role
Log and retain AI usage: who queried what, when, and what was returned
Segment data: AI should only access what it needs for the use case
Review provider security posture: SOC 2, ISO 27001, certifications
Plan for breach: incident response that includes AI-specific scenarios

Areas to explore

Access control: who can use the AI and what data can they query?
Audit logs: who did what, when? Can you trace a decision back?
Supply chain: how do you trust the model and the provider?
Prompt injection: are you protected against malicious or accidental inputs?
Data retention: how long does the provider keep prompts and responses?

Suggestions

Map AI to your existing security framework (e.g. ISO 27001)
Run an OWASP LLM Top 10 checklist for your use case
Include AI in penetration testing and incident response drills

Key questions to ask

Who has access to our AI system and the data it uses?
Do we log and audit AI usage?
What happens if our AI provider is breached?
Have we assessed the security of our model and data pipeline?
Do we have incident response for AI-related security events?