Enterprise AI Security Framework

AI adoption without
governance is a risk.

Organisations are adopting AI faster than they are governing it. Security architecture for AI is not an afterthought. It is a foundational requirement covering LLM security, RAG pipeline design, data governance, and model risk from the point of adoption.

// framework coverage
AI governance frameworks
LLM security architecture
RAG pipeline security
Prompt injection and jailbreak risks
Data governance and privacy
Model risk management
Shadow AI detection
Public vs private LLM security
The AI risk landscape

What makes AI different from other technology risk.

AI introduces risk categories that traditional security frameworks were not designed to address. Understanding these is the starting point for effective governance.

Prompt Injection
Attackers manipulate model behaviour through crafted inputs, bypassing guardrails, extracting system prompts, or causing unintended actions in agentic systems.
Data Leakage via LLM
Sensitive data ingested during fine-tuning or RAG retrieval can be inadvertently surfaced through model outputs, exposing PII, IP, or confidential business data.
Shadow AI
Employees using unapproved AI tools without organisational knowledge, creating uncontrolled data flows, compliance exposure, and undocumented processing of sensitive information.
Supply Chain and Model Risk
Third-party models, plugins, and APIs introduce risk that organisations may not be able to assess or audit, including poisoned training data and undisclosed model behaviours.
AI model comparison

Major platforms: features, cost, and enterprise risk.

A practical comparison of the major AI platforms from a security and governance perspective, to inform enterprise adoption decisions.

Platform Provider Data handling Enterprise controls Risk level Best suited for
GPT-4o / ChatGPT Enterprise
OpenAI Enterprise tier: no training on input data, data retention controls, SOC 2 Type II SSO, audit logs, admin controls, DLP integrations Medium General enterprise productivity, coding, content generation
Claude (Anthropic)
Anthropic API and enterprise tiers with no training on customer data, strong constitutional AI guardrails API access, AWS Bedrock integration, enterprise agreements Low-Medium Regulated environments, document analysis, nuanced reasoning
Gemini for Workspace
Google Workspace data separation, no training on Workspace data in enterprise tier Google Admin controls, DLP, Workspace security policies Medium Google Workspace integration, productivity, search augmentation
Microsoft Copilot for M365
Microsoft Grounded in tenant data, inherits M365 sensitivity labels and permissions Purview integration, sensitivity labels, conditional access Medium Organisations with mature M365 DLP and information protection
Private / Self-Hosted LLM
Various Full data residency control, no third-party data exposure, air-gapped options Full control of access, logging, monitoring, and deployment Low Classified, highly regulated, or sensitive data environments
Enterprise governance

An AI governance framework for enterprise.

Governance without security architecture is policy without enforcement. These six pillars need to work together.

AI Risk Register
Maintain a living register of AI tools in use, approved or otherwise. Record the data they process, the risks they introduce, and the controls applied. Update it when tools change.
Acceptable Use Policy
Define clearly what AI tools are approved, what data classifications can be used with them, and what use cases are prohibited. Make it operational, not just policy on paper.
Data Classification Enforcement
Apply data classification controls before AI interaction. Prevent sensitive or classified data from being submitted to external models. Enforce through DLP tooling, not just policy.
Monitoring and Observability
Log AI interactions at the API and platform level where possible. Monitor for anomalous usage patterns, unexpected data volumes, and policy violations in near real time.
AI Procurement Assessment
Before approving any AI tool, assess data residency, third-party processing agreements, model transparency, security certifications, and the vendor's incident response capability.
Ongoing Review Cycle
AI capabilities, risks, and the regulatory landscape change rapidly. Governance frameworks must include a scheduled review cycle, not just a point-in-time assessment.
LLM security architecture

Securing every layer of the LLM stack.

LLM security is not a single control. It requires security architecture across every layer from the network boundary to the model interface.

Network and Perimeter
Control network paths to AI APIs and self-hosted models. Apply private endpoints, egress filtering, and TLS inspection where appropriate.
Private endpoints Egress filtering TLS inspection
Identity and Access
Apply least-privilege access to AI services. Use service identities rather than user credentials. Audit and rotate API keys. Restrict access by role and data classification.
Least privilege Service identity Key rotation
Data and Input Controls
Sanitise and classify data before it enters any model. Apply input validation, sensitive data detection, and output filtering to prevent leakage in both directions.
Input validation DLP controls Output filtering
Prompt and System Design
Design system prompts defensively. Separate user input from trusted instructions. Test for prompt injection, jailbreak techniques, and indirect injection through retrieved content.
Prompt hardening Injection testing Instruction separation
Monitoring and Audit
Log all AI interactions at the platform and API level. Monitor for anomalous usage, policy violations, unexpected data volumes, and automated misuse patterns.
Interaction logging Anomaly detection Audit trail
RAG pipeline security

Securing retrieval-augmented generation.

RAG pipelines introduce security risks at every stage. Governing them well requires controls at ingestion, retrieval, augmentation, generation, and output.

01
Data Ingestion
Unclassified or over-privileged data enters the knowledge base, creating retrieval risk for sensitive content.
Classification gates
02
Vector Storage
Embeddings in vector databases can leak semantic content if the database is compromised or over-shared between users.
Access controls
03
Retrieval
Retrieval queries can be manipulated to surface privileged documents, or indirect injection can be embedded in retrieved content.
Query filtering
04
Augmentation
Retrieved context is combined with the user prompt. Malicious content in retrieved docs can influence model behaviour via indirect injection.
Content sanitisation
05
Output and Response
Model responses may contain sensitive retrieved data or be manipulated by injected instructions. Output filtering and logging are essential.
Output filtering
AI security maturity

Where does your organisation sit?

A practical maturity model for enterprise AI security and governance adoption.

Level 1 · Initial
Ad Hoc Adoption
No formal AI policy exists
Shadow AI use is widespread
No data classification enforcement
No visibility of AI tool usage
Level 2 · Developing
Policy Foundations
Acceptable use policy defined
Approved tool list published
Basic procurement assessment
Limited monitoring in place
Level 3 · Defined
Governed Adoption
AI risk register maintained
DLP controls enforced
LLM security architecture defined
Audit and logging active
Level 4 · Optimised
Continuous Assurance
Ongoing adversarial AI testing
RAG pipelines security-reviewed
AI embedded in SIEM monitoring
Governance reviewed quarterly
Working on an AI governance or security programme?
Connect to discuss AI security architecture, LLM governance frameworks, or secure AI adoption strategy.