In this section

The AI Security Literature — What the Standards Bodies Say

3-4 hours · Module 1 · Free

What you already know

Section 1.2 mapped AI capabilities to six SOC functions and established the deployment sequence. This section provides the governance frameworks your organization needs to manage AI risk at a policy and compliance level. These are the frameworks your CISO, risk team, and auditors reference when evaluating AI adoption.

Scenario

Your CISO asks you to present the AI governance landscape at the next security leadership meeting. She wants three things: which frameworks apply to your organization, what each requires, and which gaps exist in your current AI usage. The leadership team includes the Chief Risk Officer, the Data Protection Officer, and external auditors. You need to know five frameworks well enough to explain which one answers which question.

Five frameworks, five different questions

Each framework answers a different operational question. Using one for all questions leaves three or four categories uncovered. The frameworks are ordered by operational impact for security teams.

OWASP LLM Top 10 v2.0 (2025)

Answers: What are the specific security risks of deploying LLMs in your environment?

The 2025 edition reflects the shift from standalone chatbots to production agentic systems with tool access, RAG pipelines, and multi-model architectures. The ten risks: prompt injection (LLM01), sensitive information disclosure (LLM02), supply chain vulnerabilities (LLM03), data and model poisoning (LLM04), improper output handling (LLM05), excessive agency (LLM06), system prompt leakage (LLM07), vector and embedding weaknesses (LLM08), misinformation (LLM09), and unbounded consumption (LLM10).

Three entries are directly relevant to how you deploy AI in your SOC. System prompt leakage (LLM07) addresses the misconception that system prompts function as security boundaries. They do not. If your system prompt contains API keys or sensitive environmental context, an attacker with model access can extract it. The 2025 guidance is explicit: system prompts are not security controls. Vector and embedding weaknesses (LLM08) clarifies that RAG is a new attack surface, not a shield. Excessive agency (LLM06) addresses AI systems that take actions beyond user intent, critical when you integrate AI with automated playbooks.

To see how the OWASP mapping works in practice, apply it to the AI-assisted triage workflow from sections 1.1 and 1.2:

Claude Exchange

Analyst Prompt

Map our AI-assisted triage workflow against the OWASP LLM Top 10 v2.0. The workflow: analysts paste Defender alert details into a Claude Team Project, receive a triage summary with enrichment queries, run the queries in Sentinel, paste results back for iteration. The Project has a system prompt with our org name, SIEM type, query language preference, and output formatting. No automated actions — all queries are manually executed by the analyst. Identify which OWASP risks apply and which are mitigated by our workflow design.

Claude Response (excerpt)

LLM02 — Sensitive Information Disclosure: APPLIES. Analysts paste alert data containing UPNs, IPs, and device identifiers into Claude Team. While Team plans prohibit training, data is retained for 30 days. Risk: investigation evidence resides on a third-party platform.

LLM07 — System Prompt Leakage: APPLIES. Your system prompt contains your org name and SIEM type. If an analyst shares a conversation link or the prompt is extracted via indirect methods, environmental details are exposed.

LLM06 — Excessive Agency: MITIGATED. No automated actions. All queries are manually executed. The analyst reviews every output before acting. This is the correct design for a SOC workflow.

LLM09 — Misinformation: PARTIALLY MITIGATED. The five-check validation discipline addresses hallucinated table names and field errors. Residual risk: confident-but-wrong analytical conclusions that sound correct but mischaracterize the attack technique.

Analyst Evaluation

✓ Correct mappings. LLM02 and LLM07 are the right risks. LLM06 mitigation through manual execution is accurately assessed. The residual risk on LLM09 is well-identified.

✗ Missing: LLM01 (Prompt Injection) was not addressed. If a phishing email body is pasted into Claude as part of triage, the email content could contain adversarial instructions that manipulate Claude's analysis. This is an indirect prompt injection vector that the OWASP mapping should flag.

That exchange demonstrates both the value of using AI for framework mapping and the limitation. Claude correctly identified four applicable risks but missed the indirect prompt injection vector in LLM01. The analyst caught it because they understood the attack surface of their specific workflow: pasting untrusted email content into a language model creates an injection path that a generic OWASP mapping exercise does not surface without workflow-specific analysis.

MITRE ATLAS v5.1.0

Answers: What adversary tactics and techniques target AI systems?

ATLAS is ATT&CK for AI. Version 5.1.0 (November 2025) contains 16 tactics, 84 techniques, 56 sub-techniques, 32 mitigations, and 42 real-world case studies. The February 2026 update added agent-focused techniques for autonomous AI systems. Secure AI v2 (May 2026) expanded threat emulation through ATLAS Arsenal and Caldera plugins.

For SOC teams, ATLAS serves two purposes. First, threat modeling: when you deploy an AI-assisted investigation workflow, ATLAS identifies the adversary perspective. An attacker who compromises your AI tool's API can generate queries that exfiltrate data or manipulate output to conceal attacks. Second, detection engineering: ATLAS techniques map to detection opportunities. The SesameOp case study (AML.CS0042) documents a backdoor using the OpenAI Assistants API for command and control, illustrating AI service APIs exploited as living-off-the-land infrastructure. Module 9 uses ATLAS as the threat model for adversarial AI scenarios. Approximately 70% of ATLAS mitigations map to existing security controls, meaning your current SOC capabilities provide a foundation you extend rather than replace.

NIST AI Risk Management Framework 1.0

Answers: How do you build a governance program for AI?

Four core functions: Govern (policies, roles, who can use AI tools with what data), Map (identify AI risks in your context), Measure (assess output quality, hallucination rates, time-to-resolution), Manage (implement controls and monitor effectiveness). The GenAI Profile (NIST-AI-600-1, July 2024) layers 12 generative AI risks onto the four functions. The April 2026 Critical Infrastructure concept note signals sector-specific guidance for energy, healthcare, and transportation.

NIST AI RMF is becoming the de facto governance standard for regulated industries. The Colorado AI Act explicitly references it for safe harbor protection. Federal contractors must follow NIST-aligned governance. Multinational companies adopt it as the operational layer beneath the EU AI Act. Module 7 maps your AI governance implementation to AI RMF functions.

SANS Secure AI Blueprint

Answers: What specific controls do you implement?

The most operationally prescriptive framework. Three control areas matter for SOC teams: access control (who uses which AI tools, with what data, under what conditions), monitoring (detect shadow AI, audit AI interactions, log decisions), and incident response for AI (what constitutes an AI-related incident, how to respond). Most organizations have not defined AI-specific incident categories, meaning data leakage through prompts and hallucinated credentials in reports fall through the existing classification system.

EU AI Act (Regulation 2024/1689)

Answers: What are the legal obligations?

Phased enforcement. Prohibited AI practices took effect February 2, 2025. GPAI model obligations August 2, 2025. High-risk AI system obligations under Annex III scheduled for August 2, 2026. The proposed Digital Omnibus delay to December 2027 had not been enacted as of the April 28, 2026 trilogue. Plan for August 2026. Most SOC AI tools fall into limited or minimal risk tiers because they assist human decisions rather than replacing them. Penalties reach 35 million euros or 7% of global annual turnover.

Anti-Pattern

Treating one framework as comprehensive

A security lead adopts NIST AI RMF as the "AI governance framework" and considers the governance requirement satisfied. When the red team asks how to model AI-specific attack techniques, NIST has no answer because it is a governance framework, not a threat model. When the penetration tester asks which LLM vulnerabilities to test, NIST does not enumerate specific risks. When legal asks about EU compliance, NIST is a voluntary US framework. Each framework answers one question well. Using one for all questions leaves three or four categories uncovered.

The single-framework approach also fails the Claude Exchange test from earlier in this section. The OWASP mapping surfaced four applicable risks and missed one. ATLAS would have identified the adversary perspective. NIST would have structured the governance response. No single framework caught everything because no single framework was designed to.

AI Operations Principle

The five frameworks form a complementary stack. OWASP and ATLAS provide the technical threat model. NIST and SANS provide the governance and controls structure. The EU AI Act provides the legal compliance layer. Your AI governance program uses all five, mapped to different stakeholders: OWASP and ATLAS for your security team, NIST and SANS for risk and compliance, and the EU AI Act for your legal team.

For the leadership presentation from the scenario, the answer is now concrete: OWASP addresses application-level LLM risks. ATLAS provides the adversary threat model. NIST AI RMF structures the governance program. SANS provides implementation controls. The EU AI Act defines legal obligations. Your CISO, CRO, DPO, and auditors each get the framework that answers their specific question.

Section 1.4 provides a structured evaluation framework for selecting AI tools with a worked comparison of Claude vs Copilot for Security on the same investigation task from your environment.

Unlock the Full Course See Full Course Agenda

Get weekly detection and investigation techniques

KQL queries, detection rules, and investigation methods — the same depth as this course, delivered every Tuesday.

No spam. Unsubscribe anytime. ~2,000 security practitioners.

← Previous Next →