Governance

Security

What it is, why it matters for businesses, and the questions worth asking before you adopt.

What it is

The definition

Security for AI covers access control (who can use the system and what data they can see), audit trails (who did what, when), breach risk, and supply chain security (trust in the models and providers you use).

Why it matters

Why businesses care

AI systems handle sensitive data and can automate high-stakes decisions. A breach or misuse can expose customer data, IP, or internal strategy. Supply chain attacks, such as compromised models or poisoned training data, are an emerging risk. Security must be built in, not bolted on.

Example workframe

A starting checklist

Best practice

  • Principle of least privilege: only grant access needed for the role
  • Log and retain AI usage: who queried what, when, and what was returned
  • Segment data: AI should only access what it needs for the use case
  • Review provider security posture: SOC 2, ISO 27001, and similar certifications
  • Plan for breach: incident response that includes AI-specific scenarios

Areas to explore

  • Access control: who can use the AI and what data can they query?
  • Audit logs: who did what, when? Can you trace a decision back?
  • Supply chain: how do you trust the model and the provider?
  • Prompt injection: are you protected against malicious or accidental inputs?
  • Data retention: how long does the provider keep prompts and responses?

Suggestions

  • Map AI to your existing security framework (e.g. ISO 27001)
  • Run an OWASP LLM Top 10 checklist for your use case
  • Include AI in penetration testing and incident response drills

Key questions

What to ask before you adopt

  • Who has access to our AI system and the data it uses?
  • Do we log and audit AI usage?
  • What happens if our AI provider is breached?
  • Have we assessed the security of our model and data pipeline?
  • Do we have incident response for AI-related security events?

Further reading

Sources worth your time

Need a governance assessment?

We'll map your AI plan against GDPR, security, and sovereignty constraints, and produce a report you can hand to compliance.