Chapter 15: Conclusion and Appendices¶
Conclusion¶
MLSecOps is a response to the reality that AI systems are not merely classic software. They work with data, models, Artifacts, prompts, RAG, memory, tools, agents, and probabilistic behavior. Therefore, their security must be distributed across the entire lifecycle.
In this guide, security began at the data layer, extended to the model and supply chain, was managed through lifecycle control points and release decisions, continued at Runtime with guardrails and telemetry, and ultimately became auditable through the Evidence Pack and governance.
References / Source mapping¶
Frameworks and standards - OpenSSF MLSecOps whitepaper (2025); NIST AI RMF 1.0
Implementation guidance (this guide) - Lifecycle Overview (Chapter 1); Lifecycle control points (Chapter 6); What is an Evidence Pack? (Chapter 11)
Key Principles¶
| Principle | Explanation |
|---|---|
| Security is continuous | A single test before release is not enough. |
| Data is a security asset | Poisoned or sensitive data can make a model insecure. |
| Models must be traceable | Without provenance and signature, a model is not trustworthy. |
| Runtime is critical | Many LLM and Agent attacks occur at runtime. |
| Evidence must be automated | Manual audit after an incident is not reliable. |
Last reviewed: June 2026. This guide was developed based on frameworks and published knowledge through the end of 2025. Given the pace of change in LLM and Agentic AI, readers should periodically review new versions of
OWASP LLM Top 10,MITRE ATLAS, and CycloneDX standards.
References / Source mapping¶
Frameworks and standards - OWASP LLM Top 10 (2025); MITRE ATLAS; CycloneDX AI/ML extensions
Implementation guidance (this guide) - MLSecOps Principles (Chapter 1)
Author practical guidance - Principle table is author synthesis of lifecycle themes across this guide—not verbatim standard text.
Compact Checklist¶
| Domain | Question |
|---|---|
| Data | Are data origin, version, owner, and sensitivity defined? |
| Model | Has the model been scanned, tested, and signed? |
| Supply chain | Has SBOM/AI-BOM been produced? |
| Lifecycle controls | Do required decision points block or escalate release when critical criteria fail? |
| RAG | Is ACL applied at retrieval time? |
| Agent | Does every tool call pass through an Intent Gate? |
| MCP | Are MCP servers allowlisted, scanned, and routed through a gateway? |
| Shadow AI | Is unsanctioned LLM use covered in threat model and AI-AUP? |
| K8s / infra | Are inference namespaces isolated with NetworkPolicy and signed-image admission? |
| Runtime | Are prompt, response, retrieval, and tool call logged? |
| SOC | Do AI incidents enter the SIEM? |
| Governance | Does an auditable evidence pack exist? |
References / Source mapping¶
Frameworks and standards - NIST AI RMF: Map / Govern (control coverage checklist)
Implementation guidance (this guide) - Minimum security baseline (Chapter 6); Production Operational Checklist (this chapter)
Production Operational Checklist¶
This checklist completes the minimum baseline and Day-2 operations. If time is limited, close MUST lifecycle controls and Runtime/SOC controls first. Each control must have a defined owner, frequency, and evidence.
Minimum RACI¶
| Activity | R Responsible | A Accountable | C Consulted | I Informed |
|---|---|---|---|---|
| Threat Model | Product Security | CISO / Head of AI | Legal, Data Governance | Engineering Lead |
| Lifecycle Decision Controls | MLOps | Platform Engineering Manager | Security | Model Owner |
| Runtime Guardrails | Platform / AppSec | Model Owner | SOC | Privacy |
| SOC Alert / IR | SOC Analyst | SOC Manager | Security, MLOps | Legal in case of leakage |
| Evidence Pack / Audit | MLOps | Compliance | Security | Internal Audit |
Data and Privacy¶
| Control | Owner | Frequency | Evidence |
|---|---|---|---|
Data Contract and Schema Validation |
Data Engineer | Each new dataset | Validation report in MLflow/DVC |
PII Detection & Masking |
Data Governance | Each ingest | Mask log and audit sample |
Membership Inference assessment |
Security + ML | Annually or after high-risk model | Privacy test report |
Differential Privacy audit |
Privacy Officer | Annually | DP configuration document |
Model and Supply Chain¶
| Control | Owner | Frequency | Evidence |
|---|---|---|---|
ModelScan at load |
MLOps | Every build | ModelScan report |
SBOM/AI-BOM |
MLOps | Every build | CycloneDX file or equivalent |
| Signing and verify | MLOps | Every deploy | Cosign Attestation |
ART / Adversarial Test and ASR acceptance |
Security | Each new model | ART report and ASR vs. baseline |
Secret in Vault/KMS |
Platform | Each key cycle | Access audit log |
Lifecycle Controls, CT, RAG, and Agent¶
| Control | Owner | Frequency | Evidence |
|---|---|---|---|
| Versioned Threat Model | Product Security | Each new AI service and annually | Threat model document |
| Release decision without undocumented exception | MLOps | Every release | Decision log |
| Security validation for LLM | Security | Every LLM release | Red team report and metrics vs. baseline |
| CT with canary and security regression | MLOps | Each retrain | Canary log and baseline comparison |
| RAG allowlist and reindex playbook | ML Engineer | Each new source | Index hash and regression test |
| Agent intent gate, HITL, and kill switch | AppSec | Each agent release | Policy test and runbook |
| Tool output gate | AppSec | Each agent release | Malicious JSON/Markdown test |
| Multi-agent depth and PEP per hop | Architect | Each new graph | Diagram and escalation test |
MCP server static scan (mcps-audit) |
Security | Each MCP server release | mcp-audit.json in Evidence Pack |
| MCP gateway and schema pin | Platform | Each MCP server change | Gateway config + hash log |
| Shadow AI AI-AUP and discovery | Governance | Quarterly + on hire | CASB report, exception register |
Runtime, Cloud-native, and SOC¶
| Control | Owner | Frequency | Evidence |
|---|---|---|---|
Inference Gateway and guardrails |
Platform | Continuous | Block/allow metrics |
K8s RBAC and NetworkPolicy |
Platform | Each cluster change | Manifest in Git — Ch.16 |
| Kyverno signed-image admission | Platform | Each cluster change | ClusterPolicy in Git |
| MCP workstation audit (Agent Scan) | Security | Monthly / on IDE policy change | Scan report |
| Shadow AI CASB/DLP rules | Security | Continuous | Alert samples + AI-AUP exceptions |
Service Mesh mTLS/AuthZ |
Platform | Each service change | Mesh policies |
| Multi-tenant isolation | Architect | Each new tenant | Diagram and penetration test |
| Telemetry to SIEM and ATLAS rules | SOC | Continuous | Sample alert and playbook |
| Separate playbook for data drift and adversarial drift | SOC | Seasonal | Updated runbook |
| Rule tuning and FP review | SOC | Monthly | False positive rate report |
| P1/P2 incident SLA | SOC Manager | Each incident | Ticket with acknowledge and contain times |
Governance and Evidence Pack¶
| Control | Owner | Frequency | Evidence |
|---|---|---|---|
| Complete evidence pack for each deploy | MLOps | Every deploy | Signed bundle |
| Security suite in Git and regression baseline | Product Security | Each control or guardrail change | Suite hash and score vs. baseline |
| Tamper-evident storage | Security | Seasonal audit | Object lock and signature verify |
| Prompt trace and snapshot on incident | SOC | Each incident | Ticket and artifact |
| Mandatory postmortem for high severity | Engineering Manager | Each incident | Postmortem document |
References / Source mapping¶
Frameworks and standards - ISO/IEC 42001: operational control and accountability themes - NIST AI RMF: Govern / Manage
Implementation guidance (this guide) - Responsibilities (Chapter 11); Incident response (Chapter 10); Kubernetes deployment reference (Chapter 16)
Author practical guidance - RACI, frequencies, and evidence columns are illustrative operational patterns—adapt to your org model.
Short Glossary¶
Frequently used terms in this guide:
| Term | Meaning |
|---|---|
MLSecOps |
Applying security across the lifecycle of ML and AI systems |
RAG |
Retrieving relevant documents and injecting them into model context |
Prompt Injection |
Attempt to change model behavior through a malicious instruction |
Artifact |
Storable output such as model, dataset, image, or manifest |
Provenance |
Origin and build path of an asset; includes data, code, dependencies, and build process |
Evidence Pack |
Auditable collection of evidence about model build, test, release, and runtime |
Guardrail |
Control of model input, output, or behavior at runtime |
Intent Gate |
Authorization control before agent action or tool invocation |
Output Gate |
Review and validation of model or tool output before delivery to downstream |
Tool Abuse / Tool Misuse |
One concept with two names; identified as ASI02 in OWASP ASI |
ASR |
Attack Success Rate — adversarial attack success rate relative to baseline |
Security Decision Point |
Decision point where a release is blocked, escalated, or accepted with documented risk |
Fail-closed |
If a control or gate is undefined or faulty, the system blocks rather than passes |
Baseline |
Signed reference version or metric for comparing models and regression tests |
Attestation |
Digital document proving an artifact was built with a specified process and policy |
SBOM |
Inventory of software components (package, version, dependency) |
AI-BOM / ML-BOM |
Inventory of AI components including data, base model, metrics, and training evidence |
Policy-as-Code |
Converting security policy into executable rules in release workflows or runtime |
Tamper-evident |
Storage or signature where any unauthorized change is detectable |
HITL |
Human-in-the-Loop — human approval for high-risk actions |
Canary Deployment |
Gradual release of a new model on a small portion of real traffic |
Data Drift |
Change in data or embedding distribution relative to training baseline |
Adversarial Drift |
Change in attack behavior at runtime; usually accompanied by suspicious prompt or tool call patterns |
Schema Validation |
Checking JSON structure or typed fields and key allowlist |
Content-policy Enforcement |
Applying allow/block/redact on prompt or output |
Content Safety Check |
Detecting malicious instructions in text, such as ignore previous |
Action-policy Verification |
Matching planned tool with policy engine such as OPA/Cedar |
Constrained Decoding |
Output restriction at tokenizer level, such as JSON mode or grammar |
Semantic Consistency Check |
Matching response with retrieved context in RAG |
References / Source mapping¶
Implementation guidance (this guide) - Terminology aligned with Chapter 1, Chapter 6, Chapter 9, and Chapter 11
Author practical guidance - Glossary definitions are guide-local usage for consistency—not normative standard definitions.
Appendix A: Threat, Control, and Tool Reference Card¶
This card is the consolidated and complete version of the Chapter 12 table and is repeated here for use as a standalone quick reference. Detailed description of each control and layered tool mapping appears in Chapter 12.
| Threat | Framework | Surface | Lifecycle | Phase | Risk | Primary Control | Tool/Stage |
|---|---|---|---|---|---|---|---|
Prompt Injection |
LLM01 |
Prompt | Deploy/Monitor | Execution | Critical | Gateway and sanitization | Runtime |
Sensitive Data Leak |
LLM02 |
Prompt/Model | Monitor | Execution | High | Output moderation | Gateway |
Supply Chain Attack |
LLM03 |
Model/Infra | Train/Deploy | Staging | Critical | Sign and scan | Load |
Data Poisoning |
ML02 |
Data | Train | Staging | High | Dataset validation | Control point 4 |
Model Poisoning / Backdoor |
ML10 |
Model | Train | Staging | Critical | Backdoor test | ART |
Adversarial Evasion |
ML01 |
Model | Deploy | Execution | High | Robustness and ASR validation | Security validation |
Model Artifact RCE |
— | Model/Infra | Deploy | Staging | Critical | ModelScan |
Load |
Retrieval Poisoning |
LLM04 (RAG corpus poisoning) |
Data/Prompt | Deploy | Execution | High | Allowlist ingest | RAG |
Embedding Poisoning |
LLM08 |
Data | Train/Deploy | Staging | High | Source hygiene | RAG |
Cross-tenant Leakage |
Arch/Infra (related to LLM08) |
Infra | Deploy | Execution | Critical | Physical isolation | Multi-tenant |
System Prompt Leakage |
LLM07 |
Prompt | Deploy/Monitor | Execution | Critical | Output gate | Gateway |
Unbounded Consumption |
LLM10 |
API | Monitor | Execution | Medium | Rate limit | Gateway |
Gradient Leakage |
— | Data | Train | Staging | High | Secure aggregation | Federated |
Tool Misuse |
ASI02 |
Tool | Monitor | Execution | High | Intent Gate |
Agent |
Model Collapse |
— | Model | Train | Staging | Medium | Diversity evaluation | Security validation |
Overrefusal |
LLM | Prompt | Monitor | Execution | Medium | Threshold tuning | Gateway |
Agent Memory Poisoning |
ASI | Tool/Prompt | Monitor | Execution | High | Sanitize and TTL | Memory |
Tool Output Injection |
ASI/LLM01 |
Tool | Monitor | Execution | High | Output Gate |
Agent |
Multi-Agent Escalation |
ASI | Tool | Monitor | Execution | High | PEP per hop | Multi-agent |
MCP Tool Poisoning |
MCP03/MCP09 |
Tool | Deploy/Monitor | Execution | Critical | Gateway + schema pin | mcps-audit, gateway |
Shadow MCP Server |
MCP09 | Tool/IDE | Monitor | Execution | High | Allowlist + Agent Scan | Workstation audit |
Shadow AI Data Exfil |
Governance | Prompt | Monitor | Execution | Critical | AI-AUP + enterprise gateway | CASB/DLP |
K8s Inference Exposure |
Infra | Infra | Deploy | Staging | Critical | RBAC + NetworkPolicy | Ch.16 manifests |
References / Source mapping¶
Frameworks and standards
- OWASP LLM Top 10 (2025); OWASP ML Top 10; OWASP Agentic (ASI02); OWASP MCP Top 10 (MCP03, MCP09)
Implementation guidance (this guide) - Primary Mapping (Chapter 12); duplicate card for standalone use in this appendix
Appendix B: MITRE ATLAS Mapping¶
More detailed MITRE ATLAS mapping for SOC analysis in Chapter 10 and control-oriented mapping in Chapter 12 is provided there; this table is a summary reference.
| Threat | Technique | ID |
|---|---|---|
Prompt Injection |
LLM Prompt Injection |
AML.T0051 |
Jailbreak |
LLM Jailbreak |
AML.T0054 |
Data Poisoning |
Poison Training Data |
AML.T0020 |
Model Extraction |
Exfiltration via AI Inference API |
AML.T0024 |
Adversarial Evasion |
Evade AI Model |
AML.T0015 |
Supply Chain |
Publish Poisoned Models |
AML.T0058 |
RAG Poisoning |
RAG Poisoning |
AML.T0070 |
Retrieval Content Crafting |
Retrieval Content Crafting |
AML.T0066 |
Memory Poisoning |
AI Agent Context Poisoning |
AML.T0080 |
Tool Abuse |
AI Agent Tool Invocation |
AML.T0053 |
AI Reconnaissance |
Discover AI Agent Configuration |
AML.T0084 |
LLM Data Leakage |
LLM Data Leakage |
AML.T0057 |
Agent-tool Exfiltration |
Exfiltration via AI Agent Tool Invocation |
AML.T0086 |
| AI Worm Propagation (emerging) | Related techniques: AML.T0070 (RAG Poisoning), AML.T0080 (context poisoning)—no dedicated ATLAS worm ID; prioritize ingest and agent boundaries |
|
| Model Resource Abuse | Cost Harvesting |
AML.T0034 |
Appendix numbering: Appendix C was reserved in earlier drafts and removed in v0.1.2. Numbering skips to Appendix D to avoid renumbering existing cross-references. Appendix E (Implementation Reference) is a separate chapter: 17-appendix-e-implementation-reference.md.
References / Source mapping¶
Frameworks and standards
- MITRE ATLAS: techniques cited in table (e.g. AML.T0051, AML.T0020, AML.T0066, AML.T0070, AML.T0034)
Implementation guidance (this guide) - MITRE ATLAS Mapping (Chapter 12); Threat analysis with MITRE ATLAS (Chapter 10)
Appendix D: Managed AI Services Security Reference¶
Use this checklist when the organization consumes provider-hosted models (Azure OpenAI, Amazon Bedrock, Google Vertex AI, or similar) and does not control base model weights.
Shared responsibility¶
| Provider typically manages | Customer must manage |
|---|---|
| Base model, platform patching, provider safety features | Prompt/RAG data boundary, tenant authz, gateway, DLP, keys, logging, IR |
| Platform SLA and regional deployment options | Configuration review, enabled safety settings, evidence at control points 8–9 |
Pre-production checklist¶
- [ ] Shared-responsibility boundary documented in threat model (Ch.2)
- [ ] Approved model/deployment ID, region, and API version recorded (control point 9)
- [ ] Enterprise gateway or API proxy; no long-lived keys in application code
- [ ] DLP on prompt ingress and response egress
- [ ] RAG ingest allowlist and retrieval-time ACL
- [ ] Prompt-injection and leakage test suite at control point 7 (Ch.7 verification)
- [ ] Runtime logging to SIEM with retention and access control
- [ ] If agents/tools enabled: Ch.8 controls (Intent Gate, scoped tools, HITL)
- [ ] Shadow AI policy blocks unsanctioned consumer tools for same data class (Ch.11)
Evidence Pack fields (managed API)¶
| Field | Example |
|---|---|
provider |
azure-openai, bedrock, vertex |
model_deployment_id |
deployment or endpoint name |
region |
eastus, eu-west-1 |
api_version |
provider API version string |
config_snapshot_hash |
hash of safety/content-filter settings |
gateway_policy_version |
internal gateway rule set version |
security_validation_report |
control point 7 test report URI |
release_decision |
control point 8 approval record |
OWASP v1 publication readiness (community guide)¶
This guide is a community reference, not an OWASP publication. Before external submission or major release, reviewers should confirm:
- Terminology aligned across Ch.1, 6, 9, 11 (lifecycle control points and release decisions)
- OWASP relationship stated in Ch.1; no implied OWASP endorsement
- Tool examples marked informative; commands in Ch.12 appendix only
- Case studies labeled documented vs illustrative (Ch.13)
- Managed AI and agent paths documented for non-training audiences
CHANGELOG.mdand version in README updated
References / Source mapping¶
Frameworks and standards - OWASP LLM Top 10 (2025); cloud provider shared-responsibility models (Azure, AWS, Google — vendor docs)
Implementation guidance (this guide) - Managed AI services security reference (Chapter 2); LLM verification approach (Chapter 7); Evidence Pack fields (this appendix)
Author practical guidance - Publication readiness checklist is for community guide maintainers—not an OWASP submission requirement.
Traceability and source mapping convention¶
This guide distinguishes four types of security content. Per-section References / Source mapping blocks (from v1.1.0) make that distinction explicit for audit, governance, and peer review—addressing community feedback on traceability (GitHub Issue #1).
| Type | Meaning | How it appears |
|---|---|---|
| Frameworks and standards | Controls or threats defined by OWASP, MITRE ATLAS, NIST AI RMF, ISO/IEC 42001, OpenSSF, CSA MAESTRO, EU AI Act, or OWASP AI Exchange | Cited with ID or permalink |
| Framework interpretation | Practical reading of a standard for MLSecOps lifecycle (e.g., mapping to control points) | Cited framework + pointer to this guide's lifecycle model |
| Implementation guidance (this guide) | Operational patterns: control points, Evidence Pack fields, playbooks, tool examples | Labeled this guide; not normative standard text |
| Emerging / research | Research-stage or plausible threats not yet standardized | Paper/preprint citation or emerging — not standardized note |
Reference block template¶
Each major section may end with:
### References / Source mapping
**Frameworks and standards**
- OWASP LLM Top 10 (2025): LLM01
- MITRE ATLAS: AML.T0051
- NIST AI RMF: Map / Measure
- ISO/IEC 42001: (relevant clause, when applicable)
**Implementation guidance (this guide)**
- [Lifecycle control points](06-pipeline.md#lifecycle-control-points) (Chapter 6)
**Emerging / research** *(if applicable)*
- Author et al. (year). *Title*. venue/URL — *emerging / not standardized*
**Author practical guidance** *(if applicable)*
- *Evidence Pack field names and release thresholds are illustrative implementation patterns.*
Rollout status (v1.1.0): All guide chapters (1–17) include per-section References / Source mapping blocks on every major ## section, using the template above. The chapter-level References section below is the master bibliography and does not repeat a self-referential mapping block.
References¶
Frameworks and Standards¶
- OpenSSF (2025). Visualizing Secure MLOps (MLSecOps) Whitepaper. https://openssf.org/blog/2025/01/22/visualizing-secure-mlops/
- NIST (2023). AI Risk Management Framework (AI RMF 1.0). https://www.nist.gov/itl/ai-risk-management-framework
- NIST (2024). Generative AI Profile (NIST-AI-600-1).
- ISO/IEC 42001:2023. Artificial Intelligence — Management System.
- ISO/IEC 23894:2023. Artificial Intelligence — Guidance on Risk Management.
- European Union (2024). EU AI Act. https://artificialintelligenceact.eu/
- Cloud Security Alliance (2025). MAESTRO — Multi-Agent Environment Security Framework.
Threat Taxonomy and Security Guides¶
- OWASP (2024–2025). AI Exchange — comprehensive AI security and privacy framework. https://owaspai.org/
- OWASP (2025). Top 10 for LLM Applications (2025). https://owasp.org/www-project-top-10-for-large-language-model-applications/
- OWASP. Top 10 for Agentic Applications / Agentic Security Initiative.
- OWASP. Machine Learning Security Top 10 (
draftstatus). - OWASP. LLM Verification Standard (LLMSVS).
- OWASP. MCP Top 10 (2025). https://owasp.org/www-project-mcp-top-10/
- OWASP Cheat Sheet Series. MCP Security. https://cheatsheetseries.owasp.org/cheatsheets/MCP_Security_Cheat_Sheet.html
- Hou et al. (2025). Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions. arXiv:2503.23278
- Radosevich, B. & Halloran, J. T. (2025). MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits. arXiv:2504.03767
- Narajala, V. S. & Habler, I. (2025). Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies. arXiv:2504.08623
- e2b-dev. awesome-mcp-gateways. https://github.com/e2b-dev/awesome-mcp-gateways
- AIM-Intelligence. awesome-mcp-security. https://github.com/AIM-Intelligence/awesome-mcp-security
- Puliczek. awesome-mcp-security (community). https://github.com/Puliczek/awesome-mcp-security
- SlowMist. MCP Security Checklist. https://github.com/slowmist/MCP-Security-Checklist
- razashariff. mcps-audit. https://github.com/razashariff/mcps-audit
- invariantlabs-ai. mcp-scan (Snyk Agent Scan). https://github.com/invariantlabs-ai/mcp-scan
- riseandignite. MCP-Shield. https://github.com/riseandignite/mcp-shield
- eqtylab. MCP Guardian. https://github.com/eqtylab/mcp-guardian
- StacklokLabs. ToolHive. https://github.com/StacklokLabs/toolhive
- harishsg993010. Damn Vulnerable MCP Server. https://github.com/harishsg993010/damn-vulnerable-MCP-server
- MITRE. ATLAS — Adversarial Threat Landscape for AI Systems. https://atlas.mitre.org/
- AI Vulnerability Database (AVID). https://avidml.org/
- AI Incident Database. https://incidentdatabase.ai/
Open-Source Tools and Projects¶
Adversarial Robustness Toolbox (ART)— classic model adversarial testingMicrosoft PyRIT— multi-stage LLM red teamModelScan(Protect AI) — model artifact scanGarak(NVIDIA) — LLM vulnerability scannerVigil,Promptfoo,Giskard— LLM/RAG test and red teamNeMo Guardrails,Lakera Guard,Patronus AI— guardrail and gatewaylintML(NVIDIA),NB Defense(Protect AI) — linter and notebook/ML code scanGitleaks,Trivy,Syft,Grype— secret/SCA/SBOMCheckov,tfsec,OPA/Conftest,Kyverno— IaC and policy-as-codeSigstore / Cosign / Rekor,sigstore/model-transparency(model-signing),SLSA— model signing and provenanceCycloneDX 1.7 (ECMA-424),cdxgen(aibom),OWASP AIBOM Generator— SBOM and ML-BOM/AI-BOMAI-exploits(Protect AI),AI-Infra-Guard(Tencent),Agentic Security,PurpleLlama(Meta),Mindgard CLI— MLOps infrastructure and agent testingPrivacyRaven(Trail of Bits),ML Privacy Meter,TensorFlow Privacy,OpenDP— privacy audit and differential privacyhuntr.com— dedicated AI/ML bug bounty platformawesome-MLSecOps,Awesome-LM-SSP,awesome-llm-security,awesome-llm-supply-chain-security— MLSecOps reference lists
Reference Papers and Reports¶
- Shumailov, I. et al. (2023). The Curse of Recursion: Training on Generated Data Makes Models Forget (Model Collapse).
- Greshake, K. et al. (2023). Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection.
- Zou, W. et al. (2024). PoisonedRAG: Knowledge Poisoning Attacks to RAG.
- Goodfellow, I. et al. (2015). Explaining and Harnessing Adversarial Examples (FGSM).
- Carlini, N. & Wagner, D. (2017). Towards Evaluating the Robustness of Neural Networks.
- Trail of Bits (2024). LeftoverLocals (CVE-2023-4969). https://blog.trailofbits.com/2024/01/16/leftoverlocals-local-llm-data-leakage/
- HiddenLayer. SILENT SABOTAGE — abuse of Pickle-to-SafeTensors conversion bot. https://hiddenlayer.com/research/silent-sabotage/
- HiddenLayer. NOT SO CLEAR: How MLOps Solutions Can Muddy the Waters of Your Supply Chain (ClearML). https://hiddenlayer.com/research/not-so-clear/
- Mithril Security (2023). PoisonGPT. https://blog.mithrilsecurity.io/poisongpt-how-we-hid-a-malicious-model-on-hugging-face/
- Röttger, P. et al. (2024). Safety-Tuned LLMs Are Not Safer (Overrefusal and safety trade-offs).
- Sigstore Blog (2025). Practical Model Signing with Sigstore — model-transparency v1.0.
- Cohen, S. et al. (2024). Here Comes the AI Worm (Morris II): Zero-click Worms Targeting GenAI-Powered Applications.
- Spracklen, J. et al. (2024). We Have a Package for You: Package Hallucinations by Code-Generating LLMs (Slopsquatting).
- ZJU-SEC. TensorAbuse — Transforming AI Models into Malware by Abusing TensorFlow APIs.
- Li, Y. et al. (2024). BadEdit: Backdooring Large Language Models by Model Editing.
- Xiang, Z. et al. (2024). BadChain: Backdoor Chain-of-Thought Prompting for LLMs.
- Morris, J. X. et al. (2023). Text Embeddings Reveal (Almost) As Much As Text (Embedding Inversion).
- Rando, J. & Tramèr, F. (2024). Universal Jailbreak Backdoors from Poisoned Human Feedback.
Note on AISecOps: The term
AISecOps(e.g., in NSFOCUS (2023), AISecOps Whitepaper) refers to "using AI in security operations/SOC" and is a separate domain from this guide; this source is cited only for conceptual distinction in Chapter 1.
Appendix: Claims & Evidence¶
This appendix maps key claims in the guide to verifiable references:
| Topic / Claim | Suggested Reference |
|---|---|
Model Collapse |
Shumailov et al., The Curse of Recursion (2023) |
Indirect / Tool-mediated Injection |
Greshake et al., Not what you've signed up for (2023) |
RAG / Retrieval Poisoning |
Zou et al., PoisonedRAG (2024); OWASP LLM04 (RAG corpus poisoning) |
Adversarial Evasion |
Goodfellow et al. (2015); Carlini & Wagner (2017); MITRE ATLAS AML.T0015 |
Overrefusal |
Röttger et al., Safety-Tuned LLMs Are Not Safer (2024); operational threshold tuning (not an OWASP Top 10 category) |
Agentic Threats / Tool Misuse |
OWASP Top 10 for Agentic Applications; CSA MAESTRO |
System Prompt Leakage / LLM07 |
OWASP Top 10 for LLM Applications (2025) |
Vector & Embedding Weaknesses / LLM08 |
OWASP Top 10 for LLM Applications (2025) |
LeftoverLocals (GPU memory leakage) |
Trail of Bits, CVE-2023-4969 (2024); https://blog.trailofbits.com/2024/01/16/leftoverlocals-local-llm-data-leakage/ |
| Unsafe HuggingFace models (Pickle RCE) | ReversingLabs / Protect AI ModelScan (2025); https://www.reversinglabs.com/blog/unsafe-machine-learning-models-on-hugging-face |
AI Worm / Zero-click |
Cohen et al., Here Comes the AI Worm (Morris II) (2024) |
Models-as-Malware |
ZJU-SEC, TensorAbuse |
Package Hallucination |
Spracklen et al., We Have a Package for You (2024) |
Embedding Inversion |
Morris et al., Text Embeddings Reveal (Almost) As Much As Text (2023) |
Advanced Backdoors (RLHF/CoT/Edit) |
Rando & Tramèr (2024), Xiang et al. (2024), Li et al. (2024) |
SILENT SABOTAGE / ClearML |
HiddenLayer Research; https://hiddenlayer.com/research/silent-sabotage/ ; https://hiddenlayer.com/research/not-so-clear/ |
PoisonGPT supply-chain demo |
Mithril Security, PoisonGPT (2023); https://blog.mithrilsecurity.io/poisongpt-how-we-hid-a-malicious-model-on-hugging-face/ |
| Agent API key exposure pattern | Design anti-pattern (illustrative); see Chapter 13 |
| 22 MLOps security controls | OpenSSF MLSecOps Whitepaper (2025) |
| Shadow AI (Samsung pattern) | Ch.13 case study; CTAIO / Proofpoint shadow-AI references in Ch.11 |
| MCP security lab | Ch.13 MCP red team lab; OWASP MCP Top 10 v0.1; mcps-audit, Agent Scan |
| BentoML / LangChain deserialization RCE | CVE-2025-27520 (BentoML, GHSA-33xw-247w-6hmc); CVE-2025-68664 (LangChain core, GHSA-c67j-w6g6-q2cm) |
| Kubernetes MLSecOps baseline | Ch.16 (patterns + upstream refs; no bundled manifests) |
References / Source mapping¶
Frameworks and standards - Primary sources cited in References (this chapter); CVE/NVD and vendor research URLs in table rows
Implementation guidance (this guide) - Case studies (Chapter 13) for incident labels; per-chapter claims map to lifecycle controls in Chapters 5–11
Mermaid Diagram Guide¶
Diagrams in chapters-en/ are PNG images (assets/diagrams/). Mermaid source for regeneration lives in assets/diagrams/source/*.mmd (edit there, then re-export PNG for Word/PDF).
GitHub's built-in Mermaid viewer is unreliable for complex flowcharts (layout errors, old parser); PNG avoids the loading spinner and Unable to render rich display errors.
References / Source mapping¶
Implementation guidance (this guide)
- Diagram assets: assets/diagrams/; Mermaid source: assets/diagrams/source/*.mmd
Author practical guidance - PNG-first publishing choice is a maintainer workflow decision—not a security standard.
GitHub Version¶
Current release: v1.1.0 (2026-07-11). See CHANGELOG.md and GitHub Releases.
This guide is maintained as Markdown in the MLSecOps repository. Technical terms use inline code formatting where helpful for scanability.
References / Source mapping¶
Implementation guidance (this guide)
- GitHub Version (this section); repository README and CHANGELOG.md for release metadata
Final Conclusion¶
AI security is not solved by a single tool, a secure prompt, or a simple test. Security is defensible only when data, model, supply chain, lifecycle decisions, runtime, and security operations are viewed as a single, auditable flow.
What this guide contributes¶
Beyond compiling OWASP, OpenSSF, NIST, and related sources, this Practical Reference Guide adds four operational constructs:
- Ten lifecycle control points from change initiation through monitoring—not only a threat list.
- Explicit separation of evidence-producing steps from blocking release decisions (control points 4, 7, 8) and integrity verification (9).
Evidence Packas the auditable output bundle per release.- A single lifecycle thread linking threat modeling, runtime, SOC, and governance.
Teams implementing in production should use Appendix E: Implementation Reference (architecture cards, decision matrix, templates, playbooks, master control matrix).
By separating Risk Management from Threat Modeling, lifecycle control points, measurable assurance, runtime controls, and the Evidence Pack, organizations can deploy models in production with security and auditable defensibility.
Organizations that adopt the practices in this guide—risk management, threat modeling, lifecycle release decisions, runtime controls, and the Evidence Pack—can improve the auditability and defensibility of production AI deployments. This guide is one input among many (OpenSSF, OWASP, NIST, ISO, legal counsel); it is not a certified standard or a sole prerequisite for trustworthy AI.
References / Source mapping¶
Frameworks and standards - OpenSSF MLSecOps whitepaper (2025); NIST AI RMF; OWASP LLM Top 10 (2025); ISO/IEC 42001
Implementation guidance (this guide) - What this guide contributes (this section); Appendix E: Implementation Reference (Chapter 17)
Author practical guidance - Four operational constructs (control points, release decisions, Evidence Pack, lifecycle thread) are author additions beyond cited frameworks.