Contextual Layer: Business View

Business drivers include safe adoption of AI at scale, protection of sensitive data, regulatory compliance with the EU AI Act and GDPR, and maintaining trust in AI-driven decisions. SABSA attributes: Confidentiality prevents data leakage via prompts. Integrity ensures model outputs are not manipulated. Availability ensures AI services remain resilient. Accountability provides traceability of AI decisions.

Conceptual Layer: Architecture Strategy

Security concepts for AI include Zero Trust for AI interactions where every prompt is untrusted input, data-centric security protecting data across training and inference, model governance controlling behaviour and auditability, and secure AI supply chain covering models, datasets, and dependencies. Control objectives: prevent unauthorised access to AI services, detect and mitigate adversarial AI attacks, ensure responsible and compliant AI usage, and enable secure integration with enterprise systems.

Logical Layer: Security Services and Controls

Identity and access control: fine-grained IAM and RBAC for AI services, managed identities for AI workloads, and just-in-time access for model operations. Data security: encryption at rest and in transit using KMS and Key Vault, data classification and tagging, and tokenisation for sensitive inputs. Application and model security: prompt validation and filtering, output guardrails and moderation, and isolation of system prompts and context. Monitoring and detection: AI-specific logging of prompts, responses, and decisions, anomaly detection for prompt abuse and exfiltration patterns, and SIEM integration.

Physical Layer: Technology and Platform Mapping

AWS implementation: Identity via IAM roles and SCPs. AI services via Bedrock and SageMaker. Network via VPC, PrivateLink, and API Gateway. Data via S3 with KMS encryption. Monitoring via CloudTrail, GuardDuty, and Security Hub. Azure implementation: Identity via Entra ID and Managed Identities. AI services via Azure OpenAI and Azure ML. Network via VNet and Private Endpoints. Monitoring via Defender for Cloud, Azure Monitor, and Sentinel.

Component Layer: Secure AI Design Patterns

Private AI Access Pattern routes all traffic via API Gateway or APIM with private endpoints enforced. Prompt Isolation Pattern separates user input, system prompts, and retrieved knowledge to prevent injection escalation. Secure RAG Pattern controls access to vector databases and logs all retrieval queries. AI Guardrails Pattern applies input sanitisation, output moderation, and policy enforcement.

Operational Layer: Run and Monitor

Continuous monitoring of AI usage patterns, threat detection for prompt anomalies and abuse indicators, and integration with SOC workflows. Key operational controls include drift detection for model and behaviour changes, logging of all inference interactions, and incident response playbooks for prompt injection attacks, data leakage incidents, and model compromise events.

Applying SABSA to AI security ensures that every control from prompt validation to cloud configuration is directly traceable to business risk and organisational trust.
SABSA-Aligned AI Security Architecture Framework Six SABSA layers applied to AI/ML systems · Contextual to component · Business risk to technical control CONTEXTUAL Business risk view AI/ML systems present novel business risks: IP theft via model inversion · Regulatory exposure (EU AI Act, DORA) · Reputational harm from bias Decision: AI use case risk classification required before deployment · Board-level AI risk appetite statement CONCEPTUAL Architecture principles Principles: Data minimisation · Purpose limitation · Human oversight · Explainability requirement · Fail-safe defaults AI governance policy · Model risk register · Use case approval process · Ethical AI review board LOGICAL Security services design Access control to training data · Model versioning and rollback · Inference API authentication · Prompt injection detection Output classification · PII redaction in responses · Audit logging of all queries and outputs · RBAC on model endpoints PHYSICAL Platform and infrastructure Private LLM deployment (Azure OpenAI / AWS Bedrock) · VPC isolation · Private endpoints · No public model APIs Encryption at rest (AES-256) · TLS 1.3 in transit · Key management via KMS/Key Vault · GPU isolation for training COMPONENT Technical controls Guardrails API · Content safety filters · Azure AI Content Safety · AWS Bedrock Guardrails · Lakera Guard Prompt injection regex + ML classifiers · Output PII scanning (Presidio) · OWASP LLM Top 10 mitigations OPERATIONAL Running and monitoring Model drift monitoring · Bias detection · Performance SLAs · Incident response for AI failures · Model retraining cadence SIEM integration for AI API logs · SOAR playbooks for AI abuse · Red team AI models quarterly · Responsible AI reporting SABSA ensures AI security is designed from business risk down to technical control — not retrofitted · EU AI Act compliance · saleemyousaf.co.uk
// SABSA-aligned AI security architecture framework
Back to all articlesSecure Cloud Landing Zone: Private APIs