Skip to content

Appendix E: Implementation Reference

Purpose: Operational artifacts for teams implementing MLSecOps in production. This appendix is not production code or vendor-specific IaC. It complements the reference chapters with architecture cards, decision matrices, fill-in templates, playbooks, and a master control matrix.

Relationship to other appendices: Appendix A/B summarize threat and ATLAS mappings; Appendix D covers managed AI checklists. This appendix ties them to your architecture choice.

References / Source mapping

Implementation guidance (this guide) - Traceability convention (Chapter 15) - Master control matrix maps to lifecycle control points (Chapter 6)

Author practical guidance - Architecture cards, templates, and matrices are operational aids—not normative standard text.


E.1 Architecture Cards

Each card lists minimum security boundaries, primary control points (Chapter 6), and deep-dive chapters. Adapt names and namespaces to your environment.

E.1.1 Enterprise RAG (internal knowledge base)

When to use: Organization-owned documents retrieved at query time; model may be managed API or self-hosted.

Area Minimum controls Control points Guide
Ingest Allowlist sources, PII scan, hash per document version 2, 3, 4 Ch.7 ingest
Retrieval Tenant ACL at query time, no cross-tenant index 7, 10 Ch.7 three-layer
Runtime Gateway, output gate, prompt-injection tests 7, 10 Ch.7, Ch.10
Re-index Playbook on source change or poison suspicion 4, 5 Ch.7 Reindex

E.1.2 Managed AI API (Azure OpenAI, Amazon Bedrock, Google Vertex AI)

When to use: Provider hosts base model weights; customer controls prompts, RAG, gateway, keys, and logging.

Area Minimum controls Control points Guide
Identity No long-lived keys in code; RBAC per deployment 1, 3, 8 Ch.2 managed AI, Appendix D
Configuration Approved model/deployment ID, region, API version snapshot 5, 8, 9 Appendix D Evidence fields
Data boundary DLP on prompt/response; RAG ACL 4, 7, 10 Ch.4, Ch.7
Evidence Cannot sign weights → config snapshot + test report 9 Ch.11 Evidence Pack

Vendor notes (informative):

Provider Customer records in Evidence Pack
Azure OpenAI Resource name, deployment name, API version, content-filter config hash
Amazon Bedrock Model ID, guardrail ID/version, region, inference profile ARN
Google Vertex AI Model resource path, region, safety settings snapshot

E.1.3 Self-hosted LLM (vLLM / KServe on Kubernetes)

When to use: Organization controls model weights, inference stack, and cluster.

Area Minimum controls Control points Guide
Supply chain ModelScan, signing, verify before serve 2, 3, 9 Ch.5, Ch.16
Cluster Namespace isolation, NetworkPolicy, signed images 3, 9, 10 Ch.16
Runtime API key on inference, rate limits, egress allowlist 10 Ch.16 vLLM pattern
CT / retrain Same lifecycle as initial release 4, 7, 8, 9 Ch.6 CT cycle

E.1.4 Agent with tools (MCP / APIs)

When to use: LLM can invoke tools, read files, or perform multi-step actions.

Area Minimum controls Control points Guide
Tools Least privilege, allowlist, schema pin 7, 10 Ch.8, Ch.7 MCP
High-risk actions HITL for financial/destructive operations 7, 8 Ch.8 Intent Gate
Memory Sanitize on write, TTL, tenant isolation 7, 10 Ch.8 Memory Poisoning
MCP Gateway, mcps-audit / Agent Scan, no shadow MCP 3, 7 Ch.7 MCP hardening

E.1.5 Multi-agent system

When to use: Multiple agents delegate tasks, share memory, or call each other.

Area Minimum controls Control points Guide
Delegation Sub-agent cannot exceed parent tool scope 7, 10 Ch.8 Multi-Agent
Trust Treat inter-agent messages as untrusted input 7 Ch.8 MAESTRO
Observability Trace ID across agent chain 10 Ch.10 telemetry

E.1.6 Classic ML (tabular / vision — no LLM)

When to use: Traditional training pipeline; no prompt/RAG/agent surface.

Area Minimum controls Control points Guide
Data Lineage, PII, poison checks 2, 4 Ch.4
Model ModelScan, adversarial test for modality 3, 7 Ch.5
Release Sign artifacts, Evidence Pack 8, 9 Ch.6, Ch.11

References / Source mapping

Frameworks and standards - NIST AI RMF: Map (architecture-dependent controls); OWASP LLM Top 10 / ASI / MCP themes per card

Implementation guidance (this guide) - Architecture cards E.1.1–E.1.6 cross-link Chapters 2, 4–8, 10–11, 16, and Appendix D

Author practical guidance - Cards are fill-in operational patterns—not normative standard text.

E.2 Decision Matrix

Use this matrix to select mandatory control themes by architecture. Map each row to control points in Chapter 6 and evidence in E.4.

If your primary architecture is… You must prioritize… Blocking release decisions at… Integrity evidence at… Start chapters
Managed AI API only Gateway, DLP, config snapshot, Shadow AI policy 4 (data in prompts/RAG), 7 (injection/leak tests), 8 9 (deployment ID, region, config hash—not weight signature) Ch.2, 7, Appendix D
Enterprise RAG Ingest ACL, retrieval ACL, reindex playbook, output gate 4 (poisoned corpus), 7 (RAG leakage tests), 8 9 (index version hash + model/config evidence) Ch.4, 7
Self-hosted LLM Model scan, signing, K8s isolation, admission verify 4, 7, 8 9 (signature + attestation) Ch.5, 6, 16
Agent + MCP Intent Gate, tool allowlist, MCP scan, HITL 7 (tool misuse tests), 8 9 (agent config + tool manifest hash) Ch.7, 8
Multi-agent Delegation policy, session trace, bus isolation 7, 8 9 + inter-agent policy version Ch.8, 10
Classic ML Data validation, adversarial test, signing 4, 7, 8 9 (model signature) Ch.4, 5, 6

Reference implementation flow (implementation-neutral):

Organizations often implement the lifecycle through existing delivery tooling. A typical pattern (not a mandated stack):

Stage Example capabilities (informative) Control points
Change trigger GitLab/GitHub merge, ticket, scheduled CT 1
Scan layer Gitleaks, Trivy, ModelScan 2, 3
Security validation Garak, Promptfoo, ART (by modality) 7
Policy decision OPA/Conftest, GRC workflow 4, 8
Evidence Pack JSON bundle, GRC record, registry metadata 8, 9, 10
Deploy Canary, signed image verify, gateway policy version 9, 10

This guide does not ship CI/CD templates. Implement and test flows in your environment. Tool examples: Chapter 12 appendix.


References / Source mapping

Frameworks and standards - OpenSSF MLSecOps whitepaper (2025): lifecycle stage mapping (informative)

Implementation guidance (this guide) - Lifecycle control points (Chapter 6); Release decision model (Chapter 6)

Author practical guidance - Decision matrix rows and example CI/CD stages are illustrative—mandatory themes vary by threat model.

E.3 Threat Model Template

Copy this table per system or architecture card. Replace placeholders. Output should feed control point criteria and Evidence Pack requirements (Chapter 2).

System: ____ Architecture card: ____ Date / version: ___

Asset Threat (STRIDE / OWASP / ATLAS ref) Control (prevent / detect / respond) Lifecycle control point(s) Residual risk (accept / mitigate / transfer) Evidence required
Training dataset e.g. Data Poisoning, ML01 Validation, lineage, PII mask 2, 3, 4 Scan report, lineage ID
Model weights e.g. backdoor, unsigned swap ModelScan, signing 3, 7, 9 Hash, signature verify log
RAG index e.g. Retrieval Poisoning Ingest ACL, reindex playbook 4, 5, 7 Index version hash
Prompt / system instructions e.g. LLM01 injection Gateway, guardrails, red team 7, 10 Test report URI
Agent tools / MCP e.g. ASI02, MCP09 Intent Gate, allowlist, scan 3, 7, 10 Tool manifest hash, scan PDF
API keys / secrets e.g. exposure in agent trace Vault, proxy, rotation 3, 10 Secret scan clean, rotation log
Inference endpoint e.g. model theft, GPU abuse AuthN/Z, rate limit, Falco 10 Access log sample
Managed API config e.g. wrong region/model ID Config review, snapshot 5, 8, 9 config_snapshot_hash

Release blockers (define explicitly):

  • [ ] Unmasked PII in training or RAG ingest → block at control point 4
  • [ ] Security validation below threat-model threshold → block at 7
  • [ ] Policy/compliance review failed → block at 8
  • [ ] Missing signature or config snapshot → block at 9

References / Source mapping

Frameworks and standards - OWASP LLM Top 10 (LLM01); OWASP ML Top 10 (ML01, ML02); MITRE ATLAS technique IDs in table placeholders; STRIDE (informative)

Implementation guidance (this guide) - Expected output of threat modeling (Chapter 2); Lifecycle control points (Chapter 6)

Author practical guidance - Template table and release blockers are fill-in worksheets—not a certified threat-modeling method.

E.4 Evidence Pack Template

An Evidence Pack is an audit evidence pattern (Chapter 11). Use the structure below as a fill-in template (JSON, YAML, or GRC form). Field names are illustrative.

# Evidence Pack — template (informative; validate in your GRC/tooling)
evidence_pack:
  id: "ep-YYYY-MM-DD-<release-id>"
  system_name: ""
  architecture_card: ""  # e.g. enterprise-rag, managed-api, self-hosted-vllm
  release_version: ""
  control_point_8_approval:
    approver: ""
    decision: "approve | reject | risk_accept"
    timestamp: ""
    exception_id: ""  # if risk_accept

  data:
    dataset_version: ""
    lineage_uri: ""
    pii_scan_result: "pass | fail"
    sensitivity_class: ""

  model:
    model_id: ""
    artifact_hash: ""
    signature_verify: "pass | n/a-managed-api"
    ai_bom_uri: ""

  managed_api:  # omit if self-hosted
    provider: "azure-openai | bedrock | vertex"
    deployment_id: ""
    region: ""
    api_version: ""
    config_snapshot_hash: ""

  rag:  # omit if not applicable
    index_version_hash: ""
    source_allowlist_version: ""
    reindex_playbook_run: "yes | no"

  agent_mcp:  # omit if not applicable
    agent_config_hash: ""
    tool_allowlist_version: ""
    mcp_scan_report_uri: ""

  security_validation:
    report_uri: ""
    test_suite_hash: ""
    control_point_7_result: "pass | fail"

  supply_chain:
    sbom_uri: ""
    vulnerability_summary: ""

  policy:
    opa_bundle_version: ""
    gate_decisions: []

  deployment:
    environment: ""
    canary_result: ""
    rollback_plan_uri: ""

  runtime:
    gateway_policy_version: ""
    siem_feed_active: "yes | no"

Minimum sections for Level 1 maturity: data, security_validation, policy, release approval, and either model.signature_verify or managed_api.config_snapshot_hash.


References / Source mapping

Frameworks and standards - CycloneDX AI/ML BOM themes; NIST AI RMF: Measure (evidence and documentation)

Implementation guidance (this guide) - What is an Evidence Pack? (Chapter 11); Recommended Evidence Pack contents (Chapter 11); Appendix D Evidence fields (Chapter 15)

Author practical guidance - YAML field names and minimum sections are illustrative implementation patterns.

E.5 Operational Playbooks

Short runbooks for SOC and platform teams. Expand with your tooling, contacts, and SLAs (Chapter 10).

E.5.1 Runtime prompt injection (direct or indirect)

Phase Actions Owner Evidence
Detect SIEM alert: guardrail block spike, jailbreak pattern, or user report SOC Alert ID, Prompt Trace
Contain Tighten gateway rules; disable high-risk tools if agent involved; rate-limit source IP/session Platform / SOC Change ticket, policy version
Preserve Snapshot prompt, response, model version, session/trace ID, retrieved context hash SOC Ch.10 first 30 min
Eradicate If RAG indirect: remove/quarantine document, re-index; if model-specific: rollback to last signed release ML / Platform Reindex log, rollback record
Recover Restore service with updated tests at control point 7; monitor false positive rate ML / SOC Updated test report in Evidence Pack
Lessons learned Update threat model, detection rules, ingest allowlist; postmortem within SLA Security Postmortem URI in governance record

E.5.2 RAG corpus contamination / retrieval poisoning

Phase Actions Owner Evidence
Detect Abnormal answers citing unknown doc IDs; ingest anomaly; user report SOC / ML Retrieval log, document hash
Contain Disable affected collection or tenant; stop ingest pipeline Platform Index isolation record
Preserve Export poisoned document metadata, ingest audit trail, query logs SOC Evidence Pack runtime section
Eradicate Delete poisoned objects; run Reindex Playbook; ACL review ML Engineer New index_version_hash
Recover Regression prompt suite at control point 7; canary traffic ML / Platform Validation report
Lessons learned Tighten ingest scan; update source allowlist Security / Data Updated threat model row

E.5.3 Agent tool abuse / unauthorized action

Phase Actions Owner Evidence
Detect Spike in sensitive tool calls; DLP hit; anomalous API egress SOC Tool Invocation Logs, trace ID
Contain Disable tool or agent; invoke kill switch on API keys Platform Disable timestamp
Preserve Full session trace, agent config version, tool argument logs SOC Ch.10 evidence table
Eradicate Review Intent Gate policy; rotate secrets; patch tool scope AppSec Policy diff, rotation log
Recover Re-enable with HITL for high-risk tools; red-team agent scenarios ML / AppSec Control point 7 agent tests
Lessons learned Update tool allowlist; add SOC correlation rule Security Updated E.3 threat model

References / Source mapping

Frameworks and standards - NIST AI RMF: Manage (incident response and recovery)

Implementation guidance (this guide) - Incident response (Chapter 10); First 30 minutes of an incident (Chapter 10); Reindex Playbook (Chapter 7)

Author practical guidance - Playbook phases and owners are starter runbooks—expand with your SLAs and tooling.

E.6 Master Control Matrix

Unified view: threat → prevent / detect / respond → lifecycle layer → control point → evidence. Detailed tool names: Chapter 12.

Threat / attack Prevent Detect Respond Layer Control point(s) Evidence
Data Poisoning Validation, lineage, ingest ACL Drift, quality anomalies Stop CT, quarantine dataset Data 2, 3, 4 Scan report, lineage ID
PII leakage Masking, DLP ingress/egress DLP alerts, retrieval audit Block output path, purge logs Data / Runtime 4, 10 DLP log, mask proof
Poisoned model / pickle RCE ModelScan, safe formats Artifact scan in CI Block promote, quarantine artifact Model / Supply chain 3, 7, 9 ModelScan JSON, hash
Unsigned / swapped artifact Signing, admission verify Verify fail at deploy Deny deploy, rollback Supply chain 9 Signature log
Prompt Injection Gateway, input limits Guardrail blocks, SIEM rules Contain session, tighten policy Runtime 7, 10 Prompt trace, test report
RAG / retrieval poisoning Ingest scan, ACL Bad citation patterns Reindex, isolate collection RAG 4, 5, 7 Index hash, reindex log
Tool Abuse / ASI02 Intent Gate, scoped IAM Tool rate anomalies Disable tool, HITL Agent 7, 10 Tool logs, policy version
MCP tool poisoning / MCP09 Allowlist, gateway, static scan Schema rug-pull detection Revoke server, re-consent MCP 3, 7 mcps-audit report
Memory poisoning Sanitize on write, TTL Conversation drift Clear memory store Agent 7, 10 Memory purge record
Shadow AI AI-AUP, CASB Egress to consumer LLM Block, user outreach Governance 1, 11 AUP version, CASB alert
K8s / infra exposure NetworkPolicy, RBAC Falco, unsigned image deny Isolate namespace Infrastructure 3, 10 Admission denial log
Adversarial drift Baseline prompts, canary Session anomaly vs baseline Stop auto-CT, manual review Runtime 7, 10 Drift playbook ref

References / Source mapping

Frameworks and standards - OWASP LLM Top 10, OWASP ML Top 10, OWASP ASI (ASI02), OWASP MCP Top 10 (MCP09); MITRE ATLAS techniques referenced in Chapter 12

Implementation guidance (this guide) - Primary Mapping (Chapter 12); Lifecycle control points (Chapter 6)

Author practical guidance - Matrix consolidates guide guidance for gap analysis—it does not add new normative requirements.

Practical summary

  1. Pick an architecture card (E.1) and confirm rows in the decision matrix (E.2).
  2. Complete the threat model template (E.3) and define release blockers at control points 4, 7, 8, 9.
  3. Instantiate the Evidence Pack template (E.4) in your GRC or registry workflow.
  4. Wire playbooks (E.5) into SOC runbooks and on-call.
  5. Use the master control matrix (E.6) for design review and gap analysis against Chapter 12.

This appendix does not add new normative requirements beyond the lifecycle model in Chapter 6. It packages existing guidance for production implementation.