Security & Access Controls

AI Products must enforce secure, governed, and auditable access.
Because AI Products expose powerful capabilities, they require controls that go beyond generic API security — including entitlements, usage boundaries, and abuse prevention.


Why Security & Access Controls Matter

  • Prevent misuse → unauthorized or malicious use of AI Products can cause harm.
  • Compliance → regulations may require identity verification and access restrictions.
  • Trust → consumers need confidence that their data and interactions are secure.
  • Governance → security interfaces must align with organizational and regulatory policies.

Core Security Requirements

1. Authentication

  • AI Products must authenticate consumers before granting access.
  • Supported mechanisms may include:
    • OAuth2 / OIDC
    • API keys (with rotation policies)
    • Mutual TLS
    • Service accounts for automation

2. Authorization & Entitlements

  • Must declare who is allowed to use the product and for what purposes.
  • Policies may follow:
    • RBAC (Role-Based Access Control)
    • ABAC (Attribute-Based Access Control)
    • PBAC (Policy-Based Access Control)
    • ReBAC (Relationship-Based Access Control)
    • OBAC (Organization-Based Access Control)
  • Entitlements should align with AI Product governance declarations (e.g., prohibited uses).

3. Rate Limiting & Quotas

  • Prevent denial-of-service or excessive resource usage.
  • Define per-consumer or per-tenant quotas.

4. Data Protection

  • Encrypt all data in transit (TLS) and at rest.
  • Support anonymization/pseudonymization where appropriate.
  • Declare whether inputs/outputs are logged or stored, and for how long they are retained.

5. Abuse & Misuse Detection

  • Monitor for adversarial attacks (prompt injection, evasion).
  • Detect abnormal usage patterns (e.g., bulk scraping, disallowed tasks).
  • Provide automated alerts or shutdown mechanisms for abusive use.

Governance Integration

  • Access Policies must align with the AI Product’s declared risk classification and prohibited uses (see AI Product Definition).
  • Audit Logs → All access requests and decisions must be logged.
  • Review Processes → Periodic review of access policies and entitlements.

Example

LLM Service AI Product

  • Authentication: OAuth2 with service-to-service tokens.
  • Authorization: PBAC → policies restricting use to enterprise workflows.
  • Rate Limiting: 100 requests/minute per user.
  • Data Protection: TLS 1.3, outputs logged for 30 days, inputs anonymized.
  • Abuse Detection: Prompt injection detection + auto-block if misuse exceeds threshold.
  • Governance: Audit logs stored in compliance system, reviewed quarterly.
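The controls listed for the LLM Service above (token-based authentication, a PBAC policy restricting use to enterprise workflows, a per-user rate limit, an audit trail of every decision, and prompt-injection detection with an auto-block threshold) can be composed into a single enforcement point in front of the model. The following is an added example written for this page, not code from the original document or from any product it describes. It assumes that the OAuth2 access token has already been verified upstream and reduced to a set of claims; the token table, claim names (`sub`, `org`, `workflow`, `scopes`), policy fields, and the injection signatures are all constructed for illustration.

```python
"""Added example: an in-memory access gateway for an LLM Service AI Product.

Order of checks for every request: authentication -> block list -> PBAC policy
-> rate limit -> abuse detection. Every decision, allow or deny, is written to
the audit log; the prompt text itself is never logged (inputs anonymized).
"""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed claim sets, standing in for verified OAuth2 service-to-service
# tokens. In a real deployment these come from the identity provider after
# signature/expiry validation; the claim names are assumptions for this example.
TOKENS = {
    "tok-finance":  {"sub": "svc-finance",   "org": "acme",
                     "workflow": "invoice-summarization", "scopes": ["llm:invoke"]},
    "tok-noscope":  {"sub": "svc-marketing", "org": "acme",
                     "workflow": "campaign-drafting",     "scopes": []},
    "tok-external": {"sub": "svc-partner",   "org": "partner-co",
                     "workflow": "invoice-summarization", "scopes": ["llm:invoke"]},
}

# PBAC policy mirroring the governance declaration: enterprise workflows only.
POLICY = {
    "allowed_orgs": {"acme"},
    "allowed_workflows": {"invoice-summarization", "contract-review"},
    "required_scope": "llm:invoke",
}

RATE_LIMIT = 100        # requests per window, per user (the token's `sub`)
WINDOW_SECONDS = 60     # sliding window length
ABUSE_THRESHOLD = 3     # suspected-injection prompts before the user is auto-blocked

# Constructed heuristic signatures. Production detectors are classifier-based;
# these patterns only illustrate where detection sits in the pipeline.
INJECTION_PATTERNS = [
    re.compile(r"ignore (all )?(previous|prior|above) instructions", re.I),
    re.compile(r"reveal (your )?(system|hidden) prompt", re.I),
]


@dataclass
class Gateway:
    audit_log: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    _windows: dict = field(default_factory=lambda: defaultdict(deque))
    _strikes: dict = field(default_factory=lambda: defaultdict(int))

    def _audit(self, sub, decision, reason):
        """Record the decision. Only identity and outcome are logged, never the prompt."""
        entry = {"ts": time.time(), "sub": sub, "decision": decision, "reason": reason}
        self.audit_log.append(entry)
        return entry

    def _rate_ok(self, sub, now):
        """Sliding-window limiter: keep timestamps of the last WINDOW_SECONDS."""
        q = self._windows[sub]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return False
        q.append(now)
        return True

    def authorize(self, token, prompt, now=None):
        """Return the audit entry for this request; decision is 'allow' or 'deny'."""
        now = time.time() if now is None else now
        claims = TOKENS.get(token)
        if claims is None:
            return self._audit(None, "deny", "unauthenticated")
        sub = claims["sub"]
        if sub in self.blocked:
            return self._audit(sub, "deny", "blocked")
        # PBAC: scope, organization and declared workflow must all match policy.
        if POLICY["required_scope"] not in claims["scopes"]:
            return self._audit(sub, "deny", "missing_scope")
        if claims["org"] not in POLICY["allowed_orgs"]:
            return self._audit(sub, "deny", "org_not_allowed")
        if claims["workflow"] not in POLICY["allowed_workflows"]:
            return self._audit(sub, "deny", "workflow_not_allowed")
        # Quota is consumed before content inspection, so probing attempts
        # count against the caller's limit as well.
        if not self._rate_ok(sub, now):
            return self._audit(sub, "deny", "rate_limited")
        # Abuse detection with an auto-block threshold.
        if any(p.search(prompt) for p in INJECTION_PATTERNS):
            self._strikes[sub] += 1
            if self._strikes[sub] >= ABUSE_THRESHOLD:
                self.blocked.add(sub)
                return self._audit(sub, "deny", "auto_blocked")
            return self._audit(sub, "deny", "prompt_injection_suspected")
        return self._audit(sub, "allow", "ok")
```

Passing `now` explicitly makes the limiter deterministic for testing; in service it defaults to the wall clock. Because the block list and strike counters live in process memory, a real gateway would back them with shared storage so that a blocked caller cannot simply be routed to another replica, and the audit entries would be shipped to the compliance system named in the example rather than kept in a list.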

Summary

  • Security and access control are mandatory characteristics of AI Products.
  • Must include authentication, authorization, quotas, encryption, and abuse detection.
  • Policies must align with governance, risk classification, and prohibited use declarations.

Principle: An AI Product without secure, governed, and auditable access is not a true product — it is an ungoverned asset.