Chapter 6: MLSecOps Lifecycle Control Model¶
Filename note: This chapter is stored as
06-pipeline.mdfor link stability. The content describes the lifecycle control model, not a reference CI/CD pipeline implementation.
Control model objective¶
The MLSecOps lifecycle control model defines where security decisions, evidence collection, and review activities should occur across an AI system lifecycle. The goal is that no model, data, prompt template, RAG index, agent configuration, or other AI Artifact enters an operational environment without appropriate risk-based controls and auditable evidence.
This chapter is not a reference CI/CD implementation. It describes implementation-neutral control points that organizations may apply through MLOps platforms, CI/CD, manual approval workflows, managed AI service governance, or a combination of these mechanisms.
References / Source mapping¶
Frameworks and standards - NIST AI RMF: lifecycle governance across Map / Measure / Manage - ISO/IEC 42001: AI management system lifecycle controls
Implementation guidance (this guide) - Lifecycle control points; Golden rule
Control model overview¶
The model begins with prerequisite Planning and Threat Modeling, then defines ten lifecycle control points from change initiation to storage and monitoring. Not every control point is a blocking gate. Some points produce evidence; others are explicit release decisions. The exact automation level depends on organizational maturity and architecture.
References / Source mapping¶
Frameworks and standards - OpenSSF Secure MLOps whitepaper (2025): lifecycle visualization baseline - NIST AI RMF: integrated risk management across lifecycle stages
Implementation guidance (this guide) - Prerequisite: Planning and Threat Modeling; Lifecycle control points
Prerequisite: Planning and Threat Modeling¶
Before a release, retrain, index change, managed-model configuration change, or agent/tool change is approved, several activities must be completed; otherwise later decision points will lack precise criteria:
- Precise definition of system scope including data, model, API,
RAG, agent, MCP servers, and Shadow AI usage (see Ch.2 attack surface) - Threat modeling with
OWASP ML/LLM Top 10andMITRE ATLAS - Selection of mandatory controls and acceptable risk level
- Versioned recording of threat model output in
Evidence Pack
References / Source mapping¶
Frameworks and standards - OWASP ML Top 10 (draft) and OWASP LLM Top 10 (2025): threat identification baseline - MITRE ATLAS: technique mapping for AI-specific attacks - NIST AI RMF: Map function (context, actors, and risks)
Implementation guidance (this guide) - Attack surface matrix (Chapter 2); Threat landscape (Chapter 3) - Release decision model

Lifecycle control points¶
| # | Control point | Security objective | Evidence / output |
|---|---|---|---|
| 1 | Initiate Change |
Reliable and authorized start of a release, retrain, index update, or managed-service configuration change | Change record and scope |
| 2 | Load Artifacts |
Secure loading of data, base model, and dependencies | Manifest and hashes |
| 3 | Security & Quality Review |
Review code, data, model, dependencies, infrastructure, and managed-service configuration | Vulnerability and quality report |
| 4 | Data / Artifact Decision Point |
Stop or escalate before training/configuration if high risk | Go/No-Go or exception decision |
| 5 | Train or Configure |
Training, fine-tuning, RAG index update, or managed-model configuration in a traceable environment | Trained model, configuration record, or experiment log |
| 6 | Evaluate Model |
Performance, fairness, and baseline evaluation | Evaluation report |
| 7 | Security Validation |
Attack, backdoor, prompt injection, RAG leakage, and agent/tool misuse validation | Security validation report |
| 8 | Release Decision |
Final security, business, and compliance review | Release approval, rejection, or risk acceptance |
| 9 | Integrity and Provenance |
Model/artifact signing where applicable, managed-service configuration snapshot, provenance recording | Signature, attestation, or configuration evidence |
| 10 | Store & Monitor |
Secure storage and monitoring activation | Evidence Pack and telemetry |
References / Source mapping¶
Frameworks and standards - OpenSSF MLSecOps whitepaper (2025): lifecycle visualization - NIST AI RMF: Map / Measure / Manage across lifecycle
Implementation guidance (this guide) - Appendix E.6 — Master control matrix
Practical notes for each control point¶
| Control point | Practical note |
|---|---|
1. Initiate Change |
Changes should originate from trusted events such as approved merge request, authorized commit, scheduled review, managed-service configuration change, RAG source update, or manual approval. |
2. Load Artifacts |
Dataset, base model, notebook, and dependencies must be loaded from authorized sources; ModelScan, pickle check, and manifest generation including hashes must be done before training. |
3. Security & Quality Review |
Review secrets, dependencies, notebooks, containers, IaC, model artifacts, and managed-service configuration using organization-approved tooling. Tool examples are informative only; validate behavior in your environment. |
4. Data / Artifact Decision Point |
This decision point should block or escalate unmasked sensitive data, critical vulnerabilities, unauthorized data sources, or poisoned artifacts. |
5. Train or Configure |
Training or configuration changes must run with least privilege; parameters, prompts, RAG source versions, and managed-service settings must be recorded. |
6. Evaluate Model |
In addition to accuracy, check metrics such as F1, fairness, initial robustness, and baseline alignment. |
7. Security Validation |
Classic models, LLM/RAG systems, agents, and MCP-enabled systems need different validation methods. Use a versioned test suite and acceptance criteria defined in the threat model. |
8. Release Decision |
Security policies, compliance requirements, and business risk criteria must be reviewed before release. |
9. Integrity and Provenance |
Models and controlled artifacts should be signed where possible; managed AI services should instead record approved service/model identifier, region, API version, configuration snapshot, and access policy. |
10. Store & Monitor |
Final artifact stored in secure repository with object lock; telemetry including prompt, tool call, response, and model version sent to SIEM/SOC. |
References / Source mapping¶
Frameworks and standards - OpenSSF MLSecOps whitepaper: stage-by-stage security measures - NIST SSDF: artifact review and integrity themes at build/load time
Implementation guidance (this guide) - Lifecycle control points; Release decision model - Model and artifact controls (Chapter 5)
Author practical guidance - Tool examples cited in the control-point table are informative; validate scanners and policy engines in your environment before gating releases.
Release decision model¶
The model distinguishes between evidence-producing control points and blocking release decisions. Blocking decisions should be explicit, documented, and risk-based. If sensitive data is unmasked, a critical vulnerability exists, security validation fails, or policy review fails, release should be stopped unless an explicit, time-bound, approved exception is recorded.
| Type | Stage | Name | Role |
|---|---|---|---|
| Release decision | 4 | Data / Artifact Decision Point |
Block or escalate on poisoned data, critical vulns, unauthorized sources, or unmasked PII |
| Security validation decision | 7 | Security Validation |
Block release when adversarial, red-team, RAG leakage, or agent/tool acceptance criteria fail |
| Final release decision | 8 | Release Decision |
Block release when compliance, business, or operational policy fails |
| Integrity checkpoint | 9 | Integrity and Provenance |
Block storage/deploy when signature, attestation, verification, or managed-service configuration evidence is missing |
| Evidence-producing control point | 1–3, 5–6, 10 | Scan/review, train/configure, evaluate, monitor | Produce evidence; findings may affect decisions at 4, 7, or 8 |
Minimum baseline (Level 1): decision points at 4 and 8 must be explicit and documented; stage 7 security validation runs on every release and results are recorded. Stage 7 becomes a blocking decision at Level 2+ when acceptance thresholds are defined. Integrity/provenance evidence at 9 is mandatory at all levels, using signatures where the organization controls the artifact and configuration evidence where it consumes a managed AI service.
Full production baseline (Level 2+): all three decision points (4, 7, 8) are blocking on every release and CT cycle unless a formal, audited exception exists.
References / Source mapping¶
Frameworks and standards - ISO/IEC 42001: change and release governance themes - EU AI Act: technical documentation and logging (high-risk adjacency)
Implementation guidance (this guide) - Maturity Level 2 criteria (Chapter 14)
Continuous Training cycle¶
After deployment, the model may need retraining due to Data Drift, new data, or performance decline. The Continuous Training cycle must not have security shortcuts. Retrained models must go through the same controls as the initial model.
In every CT cycle, release decision points 4, 7, and 8 and integrity verification at control point 9 must not be bypassed. Stages 1–3, 5–6, and 10 still run in full; their outputs feed the decision points above.
References / Source mapping¶
Frameworks and standards - NIST AI RMF: Manage (monitoring and update of AI systems) - ISO/IEC 42001: change and continual improvement for AI systems
Implementation guidance (this guide) - Control points in CT cycle; Release decision model - Continuous monitoring (Chapter 10)

CT cycle risks¶
| Risk | Recommended control |
|---|---|
Catastrophic Forgetting |
Run regression security test on fixed set |
Data Drift |
Statistical monitoring with defined threshold |
Adversarial Drift |
SOC analysis and manual review of suspicious data |
Model Collapse |
Limit synthetic data and monitor output diversity |
| Excessive retraining | Cap frequency and require human approval in sensitive cases |
References / Source mapping¶
Frameworks and standards
- OWASP AI Exchange: Continuous validation
- MITRE ATLAS: AML.T0020 Poison Training Data; drift and retraining adjacency
Implementation guidance (this guide) - Difference between Data Drift and Adversarial Drift - Three categories of security testing
Control points in CT cycle¶
| Step | Control point | Status | Description |
|---|---|---|---|
| 1 | Initiate Change |
Automatic or manual activation | By drift monitoring system, new data arrival, or approved change request |
| 2 | Load Artifacts |
Full execution | Load new data, base model, and dependencies |
| 3 | Security & Quality Scan |
Full execution | Scan new data, PII detection, and dependency review |
| 4 | Data / Artifact Decision Point |
Mandatory decision | Data validation before training/configuration; no pass means stop or escalate |
| 5 | Train or Configure |
Full execution | Retrain or reconfigure on new data with same constraints |
| 6 | Evaluate Model |
Full execution | Evaluate performance and fairness of retrained model |
| 7 | Security Validation |
Mandatory security decision (blocking at Level 2+) | Adversarial, prompt injection, backdoor, and ASR acceptance tests |
| 8 | Release Decision |
Mandatory release decision | Approve compliance policies and acceptance criteria |
| 9 | Integrity and Provenance |
Mandatory integrity checkpoint | Digital signing where applicable, managed-service configuration snapshot, and verify before promote |
| 10 | Store & Monitor |
Full execution | Store new version and activate monitoring |
Basic CT cycle controls include validation of new data origin and quality, rescanning artifacts and dependencies, execution of the required decision points, integrity/provenance recording, and recording results in the Evidence Pack.
References / Source mapping¶
Frameworks and standards - OpenSSF MLSecOps whitepaper: continuous training and monitoring stages - NIST AI RMF: Manage (post-deployment updates)
Implementation guidance (this guide) - Continuous Training cycle; Secure deployment methods for retrained models - Provenance and signing (Chapter 5)
Secure deployment methods for retrained models¶
| Method | Description |
|---|---|
Canary Deployment |
Only 1 to 5 percent of real traffic routed to new model; security and performance metrics compared with previous version. |
Shadow Mode |
New model runs alongside current model but its response is not delivered to user; used only to observe behavior. |
Automated Rollback |
If Prompt Injection rate, policy error, or performance decline exceeds threshold, system reverts to previous signed model. |
References / Source mapping¶
Frameworks and standards
- OWASP LLM Top 10 (2025): LLM01 Prompt Injection (rollback trigger)
- MITRE ATLAS: AML.T0051 LLM Prompt Injection
- NIST AI RMF: Manage (deployment and rollback of AI system changes)
- OpenSSF MLSecOps: safe promotion patterns for model updates
Implementation guidance (this guide) - Kubernetes deployment reference — canary and rollback (Chapter 16) - Monitoring and SOC integration (Chapter 10)
Author practical guidance - Canary traffic percentages (1–5%) and rollback thresholds are examples; calibrate with SLOs and incident playbooks.
Difference between Data Drift and Adversarial Drift¶
Data Drift is usually seen as change in feature distribution, Embedding Drift, or schema changes. In contrast, Adversarial Drift is often accompanied by spikes in suspicious prompts, abnormal tool calls, or suspicious session patterns. These two phenomena must have separate response playbooks.
References / Source mapping¶
Frameworks and standards
- OWASP AI Exchange: Continuous validation
- MITRE ATLAS: AML.T0051 LLM Prompt Injection; AML.T0053 AI Agent Tool Invocation (abnormal tool-call drift)
Implementation guidance (this guide) - CT cycle risks; Three categories of security testing - SOC detection and response (Chapter 10)
Alignment with MLOps lifecycle and OpenSSF¶
OpenSSF relationship: The OpenSSF Secure MLOps whitepaper (August 2025) defines a visual lifecycle and security measures across nine stages. This guide is not an OpenSSF publication. It is a complementary community reference that maps similar lifecycle stages to explicit release decision points (4, 7, 8), integrity/provenance evidence (9), and an
Evidence Pack. See the full OpenSSF stage-to-control mapping in Chapter 11.
Standard MLOps stage |
Equivalent control point in this guide |
|---|---|
Planning and Design |
Threat modeling and scope definition |
Data Engineering |
Artifact loading and control point 4 decision |
Experimentation |
Train or configure and experiment recording |
ML Pipeline Dev & Test |
Security and quality review and security validation |
CI |
Change recording and initial decision evidence |
CD |
Final approval, integrity/provenance evidence, and release preparation |
Continuous Training |
Retraining after monitoring |
Model Serving |
Runtime and inference infrastructure |
Continuous Monitoring |
Live monitoring and SOC integration |
References / Source mapping¶
Frameworks and standards - OpenSSF Secure MLOps whitepaper (August 2025): nine-stage lifecycle baseline
Implementation guidance (this guide) - OpenSSF stage mapping (Chapter 11); Lifecycle control points - Release decision model
Common implementation challenges¶
| Challenge | Practical recommendation |
|---|---|
Different nature of DevSecOps and MLSecOps threats |
Define dedicated threat model for data, model, and inference. |
| Complexity of continuous retraining | Mandatory decision points 4, 7, 8 and integrity/provenance evidence at 9 in every CT cycle with canary deployment. |
| Opaque behavior inside models | Combine robustness testing, runtime monitoring, and human review for high-risk cases. |
| Risk of frequent retraining | Limit CT frequency and maintain fixed security baseline for comparison. |
| Output authenticity and reproducibility | Use AI-BOM, lineage, and signing integrally. |
| Difficulty of risk assessment | Separate operational risk from technical threat and produce Evidence Pack continuously. |
References / Source mapping¶
Frameworks and standards - NIST AI RMF: organizational maturity and risk treatment - ISO/IEC 42001: continual improvement and resource planning
Implementation guidance (this guide) - Maturity roadmap (Chapter 14); Minimum security baseline - Anti-patterns (Chapter 9)
Minimum security baseline¶
| Domain | Minimum control |
|---|---|
| Supply chain | Model scan with ModelScan and basic SBOM/AI-BOM generation |
| Integrity | Digital model signing and verify before deployment |
| Data | Schema Validation and PII Detection & Masking |
| Lifecycle decisions | Minimum: explicit documented decisions at 4 and 8; stage 7 tests run every release (blocking decision at Level 2+); integrity/provenance evidence at 9 |
| Classic model | ART test and numerical ASR criterion at security validation |
LLM/RAG |
Automated Prompt Injection test and guardrail evaluation |
| Runtime | Deployment behind Inference Gateway |
| Monitoring | Send prompt, tool call, and model version to SIEM/SOC |
| Incident | Automated rollback and stable version snapshot |
References / Source mapping¶
Frameworks and standards
- OWASP ML Top 10 (draft) and OWASP LLM Top 10 (2025): minimum control themes by domain (LLM01 prompt injection)
- MITRE ATLAS: AML.T0015 Evade AI Model (classic); AML.T0051 LLM Prompt Injection; AML.T0053 AI Agent Tool Invocation (agent/tool monitoring)
- OpenSSF MLSecOps: baseline security measures across lifecycle
Implementation guidance (this guide) - Lifecycle control prioritization; Maturity Level 1 (Chapter 14) - Tool mapping (Chapter 12)
Author practical guidance
- Named tools (ModelScan, ART, Garak) are starting points; substitute organization-approved equivalents with equivalent evidence output.
Lifecycle control prioritization¶
| Level | Controls |
|---|---|
MUST (Level 1 minimum) |
Artifact review, integrity/provenance evidence at stage 9, documented decisions at 4 and 8, stage 7 security tests (recorded; blocking at Level 2+) |
MUST (Level 2 production) |
Blocking decisions at 4, 7, 8 + integrity/provenance evidence at 9 on every release and CT cycle |
SHOULD |
Automated SBOM/AI-BOM generation, canary in CT, automated Evidence Pack recording |
ADVANCED |
Full CT automation, advanced regression security test, and event mapping to MITRE ATLAS |
References / Source mapping¶
Frameworks and standards - ISO/IEC 42001: prioritized controls within an AI management system - NIST AI RMF: tiered implementation and governance
Implementation guidance (this guide) - Maturity roadmap (Chapter 14); Release decision model - Minimum security baseline
Stage 7 test acceptance conditions¶
Acceptance thresholds must be defined and versioned in the organization's threat model; values below are examples, not fixed numbers for all systems:
| System type | Test Suite | Acceptance condition |
|---|---|---|
| Classic model | ART and backdoor evaluation |
ASR and accuracy drop must be within threat model-defined thresholds. |
LLM/RAG |
Prompt Injection and retrieval leak probes |
Bypass rate less than or equal to threat model threshold. |
| Agent | Tool misuse and output injection cases | No critical fail in fixed regression set allowed. |
References / Source mapping¶
Frameworks and standards
- OWASP AI Exchange: AI security testing overview
- MITRE ATLAS: AML.T0015 Evade AI Model; AML.T0051 LLM Prompt Injection; AML.T0053 AI Agent Tool Invocation; AML.T0110 AI Agent Tool Poisoning (agent regression)
Implementation guidance (this guide) - Three categories of security testing; Security acceptance criteria (Chapter 5) - Red Team program and security test cadence
Author practical guidance - Threshold values in the table are examples; version acceptance criteria in the threat model and Evidence Pack.
Three categories of security testing¶
Do not conflate these test types—they produce different evidence and run on different cadences:
| Category | Purpose | When | Evidence destination |
|---|---|---|---|
| Conventional security testing | App, infra, API pentest (non-AI-specific) | Pre-production / periodic | Standard AppSec report; referenced at control point 3 |
| Continuous validation | Model behaves per acceptance criteria; detect drift or poisoning via regression | Every release, CT cycle, and runtime monitoring | Control point 6 evaluation + control point 10 telemetry |
| AI security testing (red team) | Simulate adversarial attacks (evasion, injection, extraction) | Control point 7; cadence below | Security validation report in Evidence Pack |
Continuous validation answers "does the model still do what we approved?" AI security testing answers "can an attacker break our controls?" Both are required for production MLSecOps; neither replaces conventional pentest of the hosting application.
References / Source mapping¶
Frameworks and standards
- OWASP AI Exchange: AI security testing overview; Continuous validation
- MITRE ATLAS: AML.T0015 Evade AI Model; AML.T0051 LLM Prompt Injection; AML.T0053 AI Agent Tool Invocation; AML.T0054 LLM Jailbreak
Implementation guidance (this guide) - Red Team program and security test cadence - Difference between Data Drift and Adversarial Drift - Verification vs. validation (Chapter 11)
Red Team program and security test cadence¶
One-time security testing is not enough (Chapter 9). Red Team program must be versioned, repeatable, and have defined cadence:
| Test type | Example tool | Recommended cadence |
|---|---|---|
| Automated prompt injection / jailbreak test | Garak, Promptfoo, PyRIT |
Every release (use a smoke subset each build; full suite on release/CT—avoid hitting production LLM APIs on every commit) |
| Classic model adversarial test | ART (FGSM, PGD, HopSkipJump—vision/tabular-appropriate attacks only; see Chapter 12) |
Every new model and every CT |
| Manual / scenario-based Red Team | Internal or external team | Quarterly or before major release |
| Security regression test | Fixed versioned suite | Every build (automated) |
| Agent logic and tool misuse test | Custom scenarios | Every agent release |
Results of each run must be recorded in Evidence Pack with test suite hash for baseline comparison (Chapter 11).
References / Source mapping¶
Frameworks and standards
- OWASP AI Exchange: AI security testing overview
- MITRE ATLAS: AML.T0015 Evade AI Model; AML.T0051 LLM Prompt Injection; AML.T0053 AI Agent Tool Invocation; AML.T0054 LLM Jailbreak
Implementation guidance (this guide) - Three categories of security testing; Stage 7 test acceptance conditions - Continuous monitoring and test cadence (Chapter 10)
Author practical guidance - Use a smoke subset on every build and reserve full LLM API suites for release/CT to control cost and rate limits.
Implementation note¶
This guide intentionally does not provide a production-ready CI/CD implementation. In a practical implementation, controls should produce structured, reviewable evidence so a human approver, policy engine, MLOps platform, or release workflow can make a documented decision. If required evidence is missing, promotion should stop unless an explicit, audited exception is recorded.
Tool examples in Chapter 12 are informative and must be validated against the organization's environment before they are used for release decisions.
References / Source mapping¶
Frameworks and standards - OpenSSF MLSecOps: implementation-neutral lifecycle guidance (not a reference pipeline)
Implementation guidance (this guide) - Tool mapping and executable examples (Chapter 12) - Release decision model; Evidence Pack (Chapter 11)
Author practical guidance - Promotion should stop when required evidence is missing unless a time-bound, audited exception is recorded.
Golden rule¶
No model, RAG index, agent configuration, or managed AI service configuration should reach Production without appropriate integrity/provenance evidence, SBOM/AI-BOM where applicable, documented release decisions, and an Evidence Pack or equivalent audit evidence bundle.
References / Source mapping¶
Frameworks and standards - OpenSSF MLSecOps: integrity, provenance, and monitoring as release prerequisites - ISO/IEC 42001: documented approval before operational use
Implementation guidance (this guide) - Practical principle (Chapter 5); What is an Evidence Pack? (Chapter 11) - Release decision model
Operational summary¶
- No deploy is allowed without documented release decisions and integrity/provenance evidence.
- Full scan of model files before training process is mandatory.
CTcycle must repeat the required lifecycle control points without shortcuts.- Retrained models must enter the real environment through canary path.
References / Source mapping¶
Frameworks and standards - NIST AI RMF: lifecycle summary — govern, map, measure, manage, and monitor - OpenSSF MLSecOps whitepaper: end-to-end secure MLOps checklist themes
Implementation guidance (this guide) - Release decision model; Continuous Training cycle - Minimum security baseline; Golden rule