Table of Contents¶
MLSecOps Practical Reference Guide v1.1.0 — Securing AI Systems Across the Lifecycle
Chapter 1: Abstract and Introduction¶
- Abstract
- Guide at a glance
- Introduction
- Why this guide matters
- What this guide adds beyond OWASP, OpenSSF, and NIST
- How to use this guide
- Why DevSecOps Is Insufficient
- AI Threat Surface (Executive Overview)
- MLSecOps Principles
- Relationship between MLSecOps and DevSecOps
- AI supply chain evidence (
AI-BOM) - Lifecycle Overview
- Relationship to OWASP projects
- Relationship to OWASP AI Exchange
- Focus of this guide and distinction from AISecOps
Chapter 2: Scope, Audience, and Threat Model¶
- Scope of the article
- Scenarios covered
- Managed AI service scope
- Managed AI services security reference
- Primary audiences
- AI system inventory
- Selecting controls based on threat model
- Risk management
- MLSecOps risk analysis workflow
- Attack surface matrix
- Expected output of threat modeling
Chapter 3: Autonomous AI Threats and Offensive AI Operations¶
- Reading priority
- Overview
- Agent Tool Abuse
- Memory Poisoning
- AI-driven Reconnaissance
- AI-driven Lateral Movement
- AI Compute Hijacking
- Autonomous Data Exfiltration
- Runtime Behavioral Threats
- Emerging and research-stage threats (summary)
- MLSecOps Threat Modeling Considerations
- Relationship to Existing Frameworks
- Chapter Summary
Chapter 4: Data Security and Privacy¶
- Importance of data security
- Basic data controls
- Privacy
- Sensitive data classification for scanning
- Differential Privacy
- Information leakage from Embedding
- Privacy audit tools
- Experimentation environment security
- Supplementary controls for experimental environments
- Data security in RAG
- Practical principle
Chapter 5: Model, Artifact, and Supply Chain Security¶
- Model as a security asset
- Model security controls
- Minimum Adversarial Robustness requirements
- Defining threat model before testing
- Minimum security tests
- Risk of unsafe formats
- AI supply chain
- Poisoning taxonomy across the lifecycle
- Model theft and extraction paths
- MLOps infrastructure vulnerabilities
- Infrastructure-as-Code security for ML
- SBOM and AI-BOM
- Security acceptance criteria
- Provenance and signing
- Security evaluation output
- Federated Learning
- Key and secret management
- Practical principle
Chapter 6: MLSecOps Lifecycle Control Model¶
- Control model objective
- Control model overview
- Prerequisite: Planning and Threat Modeling
- Lifecycle control points
- Practical notes for each control point
- Release decision model
- Continuous Training cycle
- CT cycle risks
- Control points in CT cycle
- Secure deployment methods for retrained models
- Difference between Data Drift and Adversarial Drift
- Alignment with MLOps lifecycle
- Common implementation challenges
- Minimum security baseline
- Lifecycle control prioritization
- Stage 7 test acceptance conditions
- Three categories of security testing
- Red Team program and security test cadence
- Implementation note
- Golden rule
- Operational summary
Chapter 7: LLM and RAG Security¶
- How LLM security differs from classic ML
- Primary LLM threats
- Security controls for LLM
- Augmentation data (runtime behavior assets)
- Secure architecture for RAG
- Ingest security in RAG
- Three-layer controls in RAG
- Retrieval Poisoning
- Embedding Poisoning
- Reindex Playbook
- Cloud Native and Multi-Tenant deployment
- Model Context Protocol (MCP) security
- Advanced Multi-Tenant hardening
- Fine-tuning risks
- System Prompt Leakage (LLM07)
- Advanced Prompt Injection techniques
- Direct and indirect Prompt Injection
- Guardrails
- Guardrail limitations
- Downstream conventional injection
- LoRA, PEFT, and adapter supply chain
- Chatbot vs AI agent
- Agent reference architecture
- Agent think–act cycle and control points
- MAESTRO framework (CSA)
- Agent attack surface
- Six attack domains
- Internal components
- Tool trust boundary
- Intent Gate
- Intent Gate implementation components
- OPA vs Cedar comparison
- Tool Output Injection
- Chain exploitation scenario
- Memory Poisoning
- Memory contamination path
- Real-world context poisoning example
- Vendor and payment approval poisoning example
- Conversation manipulation
- Data exfiltration model
- Multi-Agent
- Multi-Agent principles
- Agent defense layers
- Secure agent lifecycle
- Runtime controls for Agent
- Three critical controls
- Agent control prioritization
- Agent security metrics
- Agent security DO's and DON'Ts
- Practical principle
- MCP tool connections
Chapter 9: Anti-patterns in MLSecOps¶
- Why anti-patterns matter
- Common anti-patterns
- Model without provenance
- RAG without security boundary
- Agent without tool control
- One-time security testing
- Practical principle
Chapter 10: Monitoring, SOC, and Incident Response¶
- Monitoring in AI systems
- Data required for telemetry
- SOC integration
- Detection Engineering
- Threat analysis with MITRE ATLAS
- Sample SIEM scenarios
- Sample attack chain
- Incident response
- False positive management
- Incident response SLA
- Evidence required for incident analysis
- First 30 minutes of an incident
- Day-2 operations
- Security metrics
- SOC control prioritization
- If only three SOC/Runtime controls can be implemented
- Practical principle
- Practical summary
Chapter 11: Governance, Compliance, and Evidence Pack¶
- Governance in MLSecOps
- Shadow AI governance
- OpenSSF MLSecOps Mapping (Whitepaper 2025)
- Optional assurance tiering
- STRIDE and FMEA applied to ML assets
- Reference frameworks
- What is an Evidence Pack?
- Recommended Evidence Pack contents
- Evidence Pack components
- Relationship to compliance
- Practical mapping of EU AI Act requirements (High-Risk systems) to controls
- Mapping EU AI Act requirements to Evidence Pack components
- Policy-as-Code
- Responsibilities
- Personas and shared responsibility
- Tamper-evident storage
- Security validation and assurance
- Assurance metrics
- Optional regression scoring pattern
- Governance Benchmark Suite
- Verification vs. validation
- Vulnerability disclosure and external intelligence sources
- Practical principle
Chapter 12: Threat, Control, and Tool Mapping¶
- Purpose of Mapping
- Primary Mapping
- Tool Layers
- Capabilities by lifecycle area
- Layered Tool Architecture
- Appendix: Informative tool command reference
- OWASP ML Top 10 Mapping to MLOps Stages
- Threat, Control, and Tool Reference Card
- MITRE ATLAS Mapping
- Commercial Tool Market Map
- Tool Selection Criteria
- Emerging AI-native Threats
- Practical Principle
Chapter 13: Case Studies and Lessons Learned¶
- Chapter objective
- LeftoverLocals (CVE-2023-4969)
- MLflow and MLOps platform vulnerabilities
- ClearML and Confused Learning
- SILENT SABOTAGE (HuggingFace Conversion Bot)
- BentoML and LangChain deserialization RCE
- HuggingFace: unsafe models at scale
- Agent API key exposure pattern (illustrative)
- Pickle-based RCE in model repositories
- PoisonGPT and the AI supply chain
- Prompt injection in public systems
- Shadow LLM usage and data boundary
- Indirect prompt injection in Copilot and RAG
- AI tools inside DevOps
- RAG in organizational knowledge base
- MCP red team lab — Illustrative pattern
- Summary of lessons
- Practical principle
Chapter 14: MLSecOps Maturity Roadmap¶
- Why Phased Maturity Matters
- Maturity Levels
- Level 1: Foundational
- Level 2: Operational
- Level 3: Mature
- Minimum Starting Controls
- Recommended 90-Day Path
- Maturity Metrics
- Common Mistakes on the Maturity Path
- Practical Principle
Chapter 15: Conclusion and Appendices¶
- Conclusion
- Key Principles
- Compact Checklist
- Production Operational Checklist
- Minimum RACI
- Data and Privacy
- Model and Supply Chain
- Lifecycle Controls, CT, RAG, and Agent
- Runtime, Cloud-native, and SOC
- Governance and Evidence Pack
- Short Glossary
- Appendix A: Threat, Control, and Tool Reference Card
- Appendix B: MITRE ATLAS Mapping
- Appendix D: Managed AI Services Security Reference
- References
- Frameworks and Standards
- Threat Taxonomy and Security Guides
- Open-Source Tools and Projects
- Reference Papers and Reports
- Appendix: Claims & Evidence
- Traceability and source mapping convention
- References
- Mermaid Diagram Guide
- GitHub Version
- Final Conclusion
Chapter 16: Kubernetes Deployment Reference¶
- Purpose
- Reference architecture
- Namespace isolation and RBAC
- Network policy — default deny
- Admission control — verify signed images
- vLLM on Kubernetes — secure deployment pattern
- KServe and generic model serving
- GPU isolation and shared inference
- Runtime security on the cluster
- Egress control for agentic workloads
- MCP servers on Kubernetes
- Mapping to lifecycle control points
- Tool and reference index
- Minimum baseline checklist (Level 2 production)
- Practical summary
Appendix E: Implementation Reference¶
- E.1 Architecture Cards
- Enterprise RAG
- Managed AI API
- Self-hosted LLM
- Agent with tools
- Multi-agent
- Classic ML
- E.2 Decision Matrix
- E.3 Threat Model Template
- E.4 Evidence Pack Template
- E.5 Operational Playbooks
- E.6 Master Control Matrix
- Practical summary
Reading Paths¶
| Goal | Start here |
|---|---|
| Executive overview | Ch. 1 → Ch. 2 → Ch. 14 |
| Threat understanding | Ch. 3 (demonstrated first) → Ch. 2 (attack surface) → Ch. 13 |
| Implementation | Ch. 6 → Ch. 12 (mapping; CLI appendix optional) → Ch. 15 (checklists) |
| LLM / RAG / Agent | Ch. 7 → Ch. 8 → Ch. 9 |
| Managed AI API only | Ch. 2 (managed AI) → Ch. 7 → Appendix D |
| Shadow AI / governance | Ch. 2 → Ch. 11 → Ch. 13 (Samsung) → Ch. 9 (anti-patterns) |
| MCP security | Ch. 7 → Ch. 8 (MCP tools) → Ch. 12 (scan tools) → Ch. 13 (lab) |
| Operations & SOC | Ch. 10 → Ch. 11 |
| Implementation in production | Appendix E → Ch. 6 → Ch. 12 |
| Kubernetes deployment | Ch. 16 (architecture patterns; test IaC in your cluster) |