AI Security Controls Guidelines Release
Skills:
AI Security90%
Key Takeaways
The SANS Institute releases guidelines for AI security controls at the SANS AI Cybersecurity Summit 2025, presented by Matt Bromiley, a SANS Certified Instructor, covering AI security and cybersecurity topics.
Full Transcript
All right. In this next uh thing, we're going to next presentation. Uh first want to, you know, say thanks Matt for making your flight this morning and rolling in. Absolutely. Are you kidding me? It was easy. Uh like, hey, do you want to come out to the AI summit and talk to folks about AI and the security controls paper? And I was like, yes, absolutely. Easy win. Easy win. So, the background here at SANS is that we ended up um and it's not just us when we're I'll just give you the problem statement as a a whole right now. A lot of organizations are rapidly introducing the fact that you know for example DeepSeek that was released. We have a higher performance lower cost model onetenth of the training uh cost is involved in potentially involving DeepSeek. Allegedly less less than a week. Yeah. Allegedly less than a week occurred before massive and major organizations implemented DeepSeek into their frameworks and went ahead and deployed them. Amazon, Microsoft, you know, go down this litany of the list here. So, what concerns me is like how much auditing, how much thought, how much of the, you know, business uh nature that the organizations went through and saying, "Hey, what is the risk of implementing something that has not gone through a massive audit, maybe not even mass audiary one that needs to occur to say, hey, there's a, you know, at least we're reducing risk there." On the other side, the businesses have an equal risk which is if we do not accelerate the deployment of these models. Our entire business may be at risk from a competitive landspace because they're going through and uh getting the cost continually moving forward. So SANS and it's not just SANS. One of the things that we do have done over the past vertical controls paper that was released almost 20 years ago was an effort to educate uh business leaders and technical managers on what are the key questions that they must ask when thinking about in that case cyber security is reached out to multiple people in the field to say hey listen if we create a very similar guideline for how to think about AI what would that look like so we initially started with SANS authors and we had to select a lead author And that's who we have in front of us here, Matt Bramley. And I've known Matt um for gosh 15 Yeah. a while now. 15 years now. And Matt's uh hands down one of these individuals that new technology comes out, he becomes an expert, a master of it. Um but at the same time, AI is one of these things. I'll go ahead and you know, he looked at me, I could tell he's looking at me. I was like, do not set me up as an expert. um because anyone's working in a right now have a challenge to potentially say, "Hey, listen, this is really hard for everyone to keep up and that's one of the reasons we're asking as a a collective in a community to comment on this." So, the paper has been released as of today. It's actually in your notebook uh in the back sections. We've already done one additional update to it, which is going to be released online also today. Uh, but I want to hand it over to Matt to talk about, you know, once you were assigned to help lead this paper, what was, you know, how do we organize it? What was the frustrating pieces of it? And where's it going to go from here? So awesome. Take it over. Thanks, Rob. Appreciate it. Can we get a round of applause, too, for Rob? Just session after session after session. Awesome. So, I actually started this out with a little bit of what I think everyone started out with AI or at least the way that everyone got started with AI, which is when when Rob first reached out about wanting to do this. I think it was a little bit of an reflection of last September. We actually had the first version of this summit in Vegas right near SNS Netseek. I'm going to make everyone here involved. Can I get a hands up if you were there? Awesome. Okay. So, some folks remember what it was like. For the rest of you, thank you for joining us. number one, but I wanted to start out a little bit like how I think a lot of us started at AI, started utilizing AI. And one of the very first things that really came about when chat GPT hit was this idea of just designing advanced prompts. So, I made one for myself. Um, I have a little bit more time than 15 minutes, so we have some leniency in there, but this is a lot of what it started out with when we all first started to get used to AI. It was uh you are a thing. Here's the parameters. here's the settings, go ahead and give me some output. And I think the most joy that everyone had in the beginning was just how quick the output actually was generated and how fast it came out. And that was the starting point I think for a lot of us to get familiar with AI. So that's our starting point for for here right now and today. However, I'm happy to report that as we brought this paper to fruition, there was a whole lot of things that were involved here. So, one, I think the very first call in bringing this together occurred back in November. Yeah, it did. It was early November and I remember this because as usual, I was at an airport and we had this call with Rob and some few folks over on the SANS analyst team and it was like, "Hey, I have this idea. I want to do this thing, this paper." And for anyone who may have read a SANS white paper or seen one of our webcasts before, they are usually not as involved as this one was. And it's a blessing that we were able to get this one as involved as it was. months and months and months of review, the very first draft of this paper looks nothing like what it does now. And as Rob mentioned, uh we were furiously getting in a subversion update. So the paper is now at version 1.1 as of today. We were getting a sub version in uh Thursday, Friday, last week. And that's really got to be the precursor for anyone who says, "Oh, I'm uh I'm I'm studying AI. I'm becoming an expert. I'm figuring out how to use." as we were writing this paper. So I want you to all to think in just this space just this world we were starting this in November of last year. Since then uh let's see deepseat came out as Rob mentioned number one. Number two uh the current US administration has decided to talk about making investments in AI. Every other country out there has decided they want to also make some moves in it. The landscape has been so fast and changing so quickly that for us to say we're going to write this thing and try to even pretend that it is a point in time assessment means we're writing on yesterday's knowledge knowing that tomorrow it's going to be outdated. So that was one of the first challenges. Second, this was a multiple round feedback paper. We usually don't go through this much. More than 20 contributing authors. They're all listed on the front page. And a huge thanks to everyone who was involved. But what that means is yes folks in here that were contributing to this. Uh if you contributed introduced us to someone to help review it, can you please stand uh up in the room uh for the folks? That's you too, Helen. You introduced us to a lot of people. All right. So we have Rob, Helen, there's others here. Uh they're just not in the room right now. Um, but I just want to highlight that a lot of the folks out there that have contributed to this uh are in the room and we're also looking for additional contributors. More on that in a little bit. Yeah. And it doesn't stop. That's the thing is we're going to continue to get updated because to pretend that we're done or that it's written is going to be uh is just too much. And the other interesting thing about this topic, too, is we can't update this once a year. We can't pick a time frame to say, "Oh, we're only going to update this annually." Because if I were to pick annually as an update period, by the time we get to next year's update, we just start all over again. So that introduces the version 1.1 critical Gen AI security control. So a huge huge huge thanks to everyone who brought this together. I wanted to spend just a little bit of time talking about some of the key findings, key takeaways, and then some of the key sections. So one of the issues when you're bringing together any sort of knowledge content on Gen AI usage or AI security controls is how do I bucket and group this thing? Am I talking about the backend folks who are building and training LLM? Am I talking about the front end who are using it? Am I focus specifically on customer usage? There's a lot of different pieces. Everyone is using Gen AI, but the real thing we wanted to focus on was are they properly securing it? And that's a very very big question because when I say using Gen AI, you all probably have different ideas of what it means to actually use it. I was talking with someone right before this who I know is using AI for Gen AI, I should say, for advanced code development. I know someone else who's using it to deal with level zero, level one support tickets. I know another person who's using it to not eliminate augment their tier one sock. It's really hard to say, oh, you're doing it with this thing. So, we came up with a few different categories to help bring together and help group some of the different suggestions that we've got in here. First one is going to be access. And again, when I say we brought together categories, this doesn't apply to any one business model. It's more about ways to consider how would I control how would I put controls on access towards my genai usage. Second one is the data itself. Third, we get into the deployment of it. Fourth is the inference. Fifth being monitoring. This is where we get more of our security hat on where we're monitoring and keeping track of access and what's happening to it. And then last but not least, we got to a point where we had to include governance. we had to. And you may be hearing all of these thinking like really at the end of all this governance is the one that we had to deal with. I'll tell you all I just got back from a multi-week stint over in Europe and if you think we're concerned about it here, they're doubly concerned about it there. I'm going to talk about GRC in a couple slides here, but I'll just mention and say not only do we have to face this kind of domestically, but we have this equally shared curiosity and equally shared responsibility abroad. And I'm being very specific about that one primarily because a lot of times, and I'll happily toot this horn, a lot of times we're like trailblazing technology here and then the rest of the world's kind of keeping up. Unfortunately and fortunately, not in this case. So our contributors not only came to us from overseas but we also had to deal with the regulatory impact of overseas as well. So key takeaway number one from the paper. Now this is not every takeaway. I just zoomed in on I think six of them and I wanted to kind of bring these up as highlevel points for you to take back either to your organization for you to consider or things that you can take away from the paper and again some things to focus on in the future. So the first one is understanding that your Genai model, however you're utilizing it, is a control inside of your organization. Treat it like you would production level code. Secure it, lock it, make uh monitor access to it. Control what users can and can't do. Just because it feels a little bit like a free-for-all space that's out there, we don't want to unfortunately leave it either unsecured or say, "Oh, this thing is too new. I'm not really too sure what controls to put around it. If I take away the AI part of this and I say production level code, all of the ideas of securing it fall into place. AI should be no differently. Especially for enterprise deployments, especially if you have deployments that are customerf facing, deployments that are impacting production environments, impacting code, impacting customer experiences or underlying data. We'll talk about that one in just a second, but that's got to be the first consideration. That's all externally facing. Internally, I know a significant number of organizations out there have developed their own internal models. I was just working with someone last week who's developed their own internal LLM model for a bank. It is now up to the point where the entire organization inside of the bank can use it. Sensitive data, customerf facing data. It's a completely controlled closed system that all the employees are now allowed to use. Six months ago, it was just security. six months from just security to full production. That's a massive timeline only because they're able to lock down and and be careful about uh about how they how they prevent or sorry, how they procure access to it. Second big takeaway is understanding the augmentation layer behind all of our different systems. No matter what, the bestlaid plans can break. They're fragile and brittle if we don't protect the underlying augmentation layer to whatever our applications may be. It is very very easy, believe it or not, for adversaries to find the most creative ways to impact AI implementations. And we'll talk about more of that in just a second because key takeaway number three is that guardrails aren't magic. As we were bringing this paper, one of my favorite parts about it, and this is the security side of me stepping in, is that the newest way to break through something h to happen to continually surface. Adversaries do this. And that's not even adversaries. A lot of times it's security researchers doing this, doing that. Your AI, your LMS might be shipped, might be developed, might be built with the most well-intentioned guardrails that are out there. But believe it or not, especially as we brought this content together, attacks like prompt injection still win. Even still, I was reading something on the flight over here. There was just a hackathon. I think Google was sponsoring it. It happened a week or two ago. even with updated models and everything we know, they were still able to hack their way through the guardrails, get access to the underlying subsystem. And this is, hey, we have all the newest news. We're still seeing the same type of attacks see success. So guardrails are magic, but adversaries are creative and they have time. And the more we lean on these technologies, like with everything else, the more success they're going to find. Key takeaway number four, GRC is not optional when it comes to this. I'm just going to throw this out here for everyone. This is not a space where security can kind of tinker around for a while and then when we think we have it figured out, we let the rest of the organization know. Just like you would treat a random external file share, users out there are going to Genai systems. GRC has got to be an important part of the discussion. Takeaway number five is understanding that it's not just a chat prompt that someone might run into and that's all we're securing down. function calling and agentic AI purposes or I should say implementations are going to require new guardrails, different implementations and probably new controls. And this is an area where I know the paper's going to continue to grow, where we're going to continue to see the content develop because as we see even more agentic AI approaches, as we see new developments, more implementations, new software, new technology come out, we're going to have to continue to kind of a secure those and then b watch out for them as potentially malicious vectors. And that's one of the underlying things before I get to my last takeaway here. That's one of the underlying things that remains true for every section we put together inside of the paper. We kept this kind of tone running throughout of could this thing be abused? Could this thing be taken advantage of? And if so, how? Can we prevent it? Can we mitigate against it? Can we eliminate the risk? Is it a risk we just have to accept? Or is it something we can genuinely work towards? And of course, as a part of all that, as we went through these multiple rounds of reviews, we kept getting, "But wait, there's but wait, there's there's also this. There's also that." The moment when you think you've got a good framework in place, someone says, "But what about this brand new thing that could be abused out there?" So inference APIs and attack surfaces also oh sorry inference APIs existing as attack surfaces is yet another avenue to remind us this is a complex technological implementation and our adversaries will continue to probably find ways in that we might not have even thought about before and I'm not here to like vaguely say watch out the adversaries are coming it's more about some of the biggest takeaways as we brought this to paper together that we learned as we were authoring it was, wow, this is an extremely advanced but also immature technology. And it gave us a really cool chance to say, we're not talking about securing enterprises with 30, 40 years of experience behind us. This is something that the world's kind of harnessed really quickly. So, let's focus on ways we can secure it knowing what we know from before. So, I'm going to sum up and finish up here with about four minutes. And I didn't realize it was between me and like I'm your stop before break. So, I figure uh everyone's either feeding for caffeine or something, but we'll see. But I I wanted to also include uh a few kind of big takeaways of things we should do this quarter or like actionable takeaways. This is without a doubt more guidance, more highle things I want you to walk away and dig into a little bit deeper. But if I had to say, what can I do today or what should I be talking to my organization about or what things should I be mentioning to that GRC team you said is out there? First one is going to be inventorying how you are utilizing it. Not just models making decisions, but how AI is being used inside of your organization. Two, implement monitoring. I cannot stress this enough. This is that security hat coming in. See who's doing what. How are they accessing it? What can my data access? What can my users access? Where's the middle ground? What do I or do I not have visibility into? Control that access. as well. Control it, not again because we don't want folks to use it, but control it so that we have the ability to wrap those security controls around it. And I have to insert a little bit of a delineator here. Primarily because we're once again back to the path of least resistance. If I have an AI implementation inside of my organization, but I prevent users from using it, they're going to go the external drive route. They're going to look for I'll just upload it and then access it from home. It's nothing for me to go to chat.openai.com and take advantage of my own chatgpt instance when I might be unfortunately violating corporate policy or again the intended use of it. That leads us to educating employees. This is going to be the big step for all of us. I know it feels like we're talking about like spear fishing now, doesn't it? But that was like the root that we came back to was we had to continually get to this point of what's one of the best mitigations we have. It's educating and working with employees to let them know here's how this thing that you keep hearing about is being used at our company. Here's how you can use it. Here's how you can't use it. Implement guard rails to support the kens and implement detections and implement monitoring to help bolster those cannotss. So that way when something does happen, we're not caught off guard. Because the last thing I want anyone here to do is implement some brand new technology that makes everyone's life easier. And then all of us in security fall into the exact same route. No visibility, didn't know they could do that, wasn't aware how the technology worked, no detection mechanisms, no way to investigate. And now here we are not knowing what's next. And that's going to lead to my like next and not final, but my next point of aligning with GRC. I know this one's tough. I see maybe not so much anymore. It is 2025, but I remember a day where if I told some of the security folks I work with who align with GRC, I'd be met with eye rolls and groans like I don't talk to those folks. It's like those days are gone. Those days are gone. And unfortunately, you do need to align with the folks who are the ones in charge of implementing governance inside of your organization. And the last one is don't be afraid. I know it's personal and it's emotional at this point now because one of my favorite quotes that came about bringing this particular piece of content together was this right here. The biggest risk in AI is not using it inside of your organization. And this is where we get to a real I should say a self-realization of just what this technology can do here for us. So, in my final 30 seconds or so, I'm going to actually go back one and just say it was a ball putting this together. Number one, number two, you'll continue to see updates as time goes on. Three, folks, we are sitting at both one of the most amazing crossroads you'll ever see and also one of the scariest. You might notice during this whole time I didn't spend any time talking about adversaries using AI. It's not really where we're at right now. I want us to make sure we can lock it down and secure it. But with that said, Rob, we'll close out and I think it's break almost.
Original Description
SANS AI Cybersecurity Summit 2025
AI Security Controls Guidelines Release
Matt Bromiley, SANS Certified Instructor
View upcoming Summits: http://www.sans.org/u/DuS
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from SANS Institute · SANS Institute · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
SANS NetWars
SANS Institute
SANS DFIR NetWars
SANS Institute
Hack The Drone - SANS Cyber Academy UK
SANS Institute
SANS VetSuccess Immersion Academy
SANS Institute
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
The 2015 SANS Holiday Hack Challenge
SANS Institute
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
SANS VetSuccess Academy Overview
SANS Institute
SANS ICS Security Summit & Training 2017
SANS Institute
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
WannaCry recap, patches, and analysis
SANS Institute
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
SANS Data Breach Summit & Training 2017
SANS Institute
SANS Secure DevOps Summit & Training 2017
SANS Institute
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
SANS Institute
SANS Institute
ICS515: ICS Active Defense and Incident Response
SANS Institute
SANS Institute
SANS Institute
Introducing the NEW SANS Pen Test Poster
SANS Institute
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
SANS ICS Security Training, Munich, Germany
SANS Institute
SANS Automotive Summit Webcast
SANS Institute
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
SANS Security Operations Summit & Training 2018
SANS Institute
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
A Sneak Peak at the New ICS410
SANS Institute
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
Introduction to Linux
SANS Institute
Introduction to Malware Analysis
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
SANS Webcast - Zero Trust Architecture
SANS Institute
SANS STX Cyber Range
SANS Institute
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
Is Palki71 BD Real or Fake? How to Identify the Official Website
Medium · Cybersecurity
4 Trends Hackers Are Weaponizing AI: What It Means for Crypto Trading Security
Medium · Cybersecurity
Hammer | TryHackMe Walkthrough by Gyaneshchand
Medium · Cybersecurity
The Paywall Worked. The API Did Not, So Is My Brain
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI