We know artificial intelligence (AI) services from their models. But AI services also include pipelines, APIs, and cloud-native apps. And those systems need to be secured, even while allowing models to do what they do best — giving and taking data from users. Elsewhere, we’ve looked into Dark AI (using AI to break down systems’ security controls) and AI threat detection (using AI to detect cyberthreats).
Today, we’re going deeper into securing services that run on artificial intelligence, no matter how teams go about securing them. Does it take AI to protect AI? What does it take? Let’s find out.
What are AI Services and What are Their Risks?
First, AI services include cloud-based and on-premises systems that deliver AI capabilities: apps, APIs, or platforms. That could consist of AI-powered search, enterprise tools with embedded AI, or those that manage AI workflows, or public model APIs for natural language generation.
AI services all stem from data, not only for training, but to automate inference, fine-tuning, context injection, and embeddings. Securing the entire data pipeline is therefore the basis for AI security operations and a core component of any data protection strategy. And it needs attention from multiple angles:
- Ingestion Security: Who is feeding the model?
- Embedding and Context Security: What does the model see at inference?
- Dataset Integrity: How can datasets at fine-tuning be safeguarded?
- Auditing and Lineage Tracking: How does data go into the model, and how is it handled once there?
So, How Do You Secure AI Services?
The large attack surface represented by all those data streams is a key issue in securing AI. And AI services represent everything from project management to communications, data modeling, reporting, and customer service — use cases that embed AI technology across organizational workflows and ecosystems. Both issues make security a unique and massive undertaking.
According to one global business consultancy in 2024, 78% of companies used AI in some way, up 23% from 2023, with IT representing the largest jump, from 27 to 36%.
It’s also a new undertaking. But while AI is suddenly everywhere, securing AI is still an under-the-radar topic.
Today, protecting AI assets is often just a matter of hoping AI models stay secure under the shelter of existing company cloud security measures. But AI comes with its own risks. So let’s break down each of the risks for artificial intelligence assets. We’ll address AI in general, but specifically GenAI system protection for the specifics of LLMs and other generative models.
Runtime and Container Scanning with Upwind
Upwind offers runtime-powered container scanning features so you get real-time threat detection, contextualized analysis, remediation, and root cause analysis that’s 10X faster than traditional methods.
Ingestion Security
AI services depend on ingestion pipelines that accept input from APIs, user queries, or third-party sources.
That means multiple high-risk entry points where attackers can submit malicious inputs that leak sensitive information or manipulate downstream behavior. For instance, payloads might inadvertently include internal fields like email addresses or API keys, which get passed to inference engines. This risk is especially pronounced in multi-tenant systems where shared infrastructure increases the risk of data exposure and unauthorized access.
How can teams secure it?
- Apply strict input validation at ingestion
- Sanitize or mask sensitive fields at the API edge
- Use allowlists for structured inputs into pipelines
Tooling that can help includes API gateways with inspection and throttling, data validation libraries or schema-enforcement middleware, and open-source data loss prevention filters.
Embedding and Context Security
AI services often retrieve and embed documents or data into runtime context, including client records, help center articles, or internal PDFs. Without inspection and filtering, sensitive data can be passed into the model. It can also be exposed in outputs. In multi-user systems, embeddings may also leak data across tenants.
Secure it by:
- Scanning and sanitizing content before embedding
- Restricting source documents by user or system role
- Logging embedding operations with identity and document sources
Use vector databases with access control and query audit logs, document pre-processing pipelines well, and employ prompt sanitation or context filtering frameworks.
Dataset Integrity
Training and fine-tuning often rely on collected logs, user feedback, third-party files, and developer-uploaded files. Any one of those datasets may not be adequately verified, scanned, and versioned, which means bias, corrupted data, or even data poisoning through adversarial payloads. And model poisoning doesn’t always look like an attack; it often enters through behaviors that appear normal.
Secure datasets by:
- Tracking their provenance: origins, versions, and contributor metadata
- Scanning all datasets for personally identifiable information (PII), bias, and malicious patterns.
- Requiring signed datasets or version checks before training.
Teams can also implement dataset version control systems, pipeline-integrated dataset scanners, and build-time data provenance validation tools.
[Screenshot] Even though CNAPPs don’t deeply understand datasets, they can protect parts of the environment and the process around training, monitoring the runtime environment where training happens, and spotting misconfigurations, lateral movement risks, and secrets exposure. Is a training container running with root access or talking to an unapproved data store? A CNAPP can help.
Auditing and Lineage
Many AI pipelines operate without end-to-end traceability. That’s a liability for teams that need to prove compliance or respond to incidents. Lineage visibility also improves trust, both internally and externally, by showing the data that guides model decisions.
Protect it by:
- Tracking every transformation step from preprocessing to model input
- Maintain logs for data and model operations
- Link dataset versions to model versions and deployments
Audit logging and SIEM tools can be valuable here, along with model metadata tracking and tamper-resistant artifact storage.
Where GenAI Adds to the Risk
It’s worth noting that generative AI brings new types of challenges, like prompt injection and output misuse, that don’t apply to traditional classifiers or regressors. But it builds on the same foundational risks:
- More unpredictable outputs mean context control is even more important
- Open-ended interfaces like chatbots increase the need for monitoring and rate limiting
- Embedded GenAI in apps makes permissions and access controls critical
Though protecting AI services involves some care about what models can leak, security best practices are primarily concentrated on protecting what goes into the model. On the other hand, GenAI security adds another attack surface and must contend more concretely with what comes out. That’s not an issue for many traditional resources that need protection.
Runtime Security for AI Services: Observability, Access, and Containment
What comes out? Sometimes it’s private data used in training but not meant to be identified. That’s why securing AI services isn’t solely about inputs or training pipelines, but about what happens after deployment, too.
Once an LLM or generative model is integrated into customer-facing systems, it acts like other production workloads: it has access to cloud resources, live data, and external systems. And whether running in containers or managed endpoints, it will need observability, identity controls, and network containment.
Why Does Runtime Security for AI Services Matter?
Runtime security is the best lens for seeing into misuse, especially when traditional model monitoring can’t catch complicated behavioral exploits. Here’s why AI and runtime security mesh so well:
- Live interaction with production data: AI handles real user data in real time. That means customer questions, telemetry from IoT devices, or sensitive internal metadata being fed into the model is input. And that means there’s opportunity for both accidental leaks and intentional misuse.
- It’s exposed to the outside world: Many AI services are built as APIs, often with broad access permissions. They’re more vulnerable to overuse, abuse, and misconfigurations.
- It behaves dynamically: AI can trigger external calls to tools or the internet based on input. That flexibility must be monitored.
- It runs alongside other services: In container clusters or shared virtual machines (VMs), AI workloads may share infrastructure with other tenants. One model could access files, tokens, or memory that wasn’t meant for it.
The bottom line? AI requires visibility at runtime. Because by the time a prompt triggers suspicious behavior, it’s already left the guardrails of training and entered an organization’s live infrastructure. Here are the critical areas to watch during runtime and the mitigations that can help reduce risks.
| Category | Example: What Can Go Wrong | What to Watch For | How to Secure It |
| Identity and Access | The model’s API is running with admin-level cloud permissions. | Who’s using which roles, and any unexpected elevation | Enforce least privilege. Use scoped service tokens. |
| Network Behavior | The model starts making outbound calls to domains it’s never contacted before. | DNS activity and egress traffic from the service | Block unknown destinations. Alert on first-time connections. |
| File Access | The service reads or writes to sensitive volumes it shouldn’t be touching. | File access logs and unexpected volume usage | Mount only what’s needed. Restrict with read-only access. |
| Package Integrity | A rogue dependency is loaded at runtime, like a malicious Python library. | Libraries loaded at runtime and unverified downloads | Use signed packages. Prevent runtime installs |
| Execution Behavior | A prompt causes the model to spawn a shell command or trigger a subprocess. | System calls, child processes, and abnormal activity | Use eBPF monitoring. Sandbox or restrict executable paths. |
A runtime-powered CNAPP with an eBPF sensor can handle most of these issues. It maps service behavior, like identity, egress, and file access, in real-time. It captures low-level execution behavior like syscalls, file reads, and spawned processes. It can also enforce image integrity and runtime immutability for better container security. Identity features can audit identity usage, over-privilege, and role assignment. And finally, look for a CNAPP with network security tools that discern which resources have the most traffic — and where it’s coming from.
What’s left? SIEM or XDR tools are complementary, correlating logs, alerts, and runtime signals across environments. And EDR tools focus on endpoints, while CNAPP tools are focused on cloud-native workloads.
The Future of Protecting AI Assets
Right now, most AI cybersecurity conversations revolve around model outputs like jailbreaks, prompt injections, and hallucinated leaks. But that’s just one slide of the risk surface. Organizations today are building decision engines, classifiers, recommendation models, and optimization tools that are deeply embedded into business logic, and while they don’t generate text, they still expose exploitable surfaces. Their protection needs will only get thornier as attackers harness AI and machine learning to penetrate these systems.
So, what can teams look forward to?
- AI Behavior Firewalls: This approach is still emerging, but will eventually set explicit safeguards on how AI systems can respond to certain inputs with mechanisms like policy-enforced limits on behavior.
For instance, a customer support bot can be prevented from making decisions that trigger unintended business outcomes, like issuing refunds or approving access.
- Inference Rate Limiting and Context Tracking: Organizations will employ per-user throttles and memory of recent input behavior to detect or limit abuse.
Current implementations focus on controlling the volume of requests. For instance, companies can put a lid on thousands of applications flooding systems at once. In the future, they’ll also incorporate user behavioral context.
- Model Registry Integrity: Making sure only signed, approved, version-tracked models can be deployed. That minimizes the chances of a shadow or rogue model running in production environments.
You can absolutely enforce model integrity today, including with CNAPPs to enforce runtime integrity. But AI model registries are still nascent, and tooling for CI/CD pipelines is fragmented. Further, unlike code, model signing isn’t yet standardized.
- Explainability-as-a-Control: Explainability methods can help flag unusual decisions and model behavior that deviates from normal. It’s an emerging need, but real-time explainability-driven enforcement is still in the future.
Instant insights into model transparency are at the heart of problems with AI models, which could be made to purposefully give incorrect answers or take on erroneous decision-making behaviors like incorporating patient zip codes into diagnoses.
- Model-Pipeline Isolation: Today, it’s possible to segment and restrict model-triggered workflows to prevent the cascading impacts of model misuse. But its complex architecture, including within AI pipelines, is still far from mainstream.
In the future, expect AI models with built-in workflows, like a fraud detection model that flags suspicious financial transactions in real time, but instead of blocking or reversing transactions, the output is routed to a human risk analyst.
Upwind is the Foundation of Runtime AI Service Protection
Why? It’s watching more than just runtime behavior, with advanced behavioral analysis to detect abnormal patterns. It’s also watching network traffic by ports and protocols, watching what resources have the most traffic, and where it’s coming from. So if an AI resource starts reaching out to a new domain, assumes an unexpected identity, or triggers unexpected file access, the team will know it in real time.
With visibility into how AI services behave at runtime, teams will be able to catch misuse, misconfigurations, and lateral movement before it spreads. And that means you’ll get the real-time guardrails that traditional ML monitoring tools just don’t cover. To see how Upwind covers AI assets, schedule a demo.
FAQ
What are AI security risks in production?
Once AI models are deployed, they behave like other services, consuming input, processing logic, and interacting with organizational infrastructure. The attack surface of AI shifts from protecting training data to securing the runtime environment, looking at how the model actually behaves with users. The primary risks during this phase are:
- Sensitive data exposure
- Privilege misuse
- Network egress abuse
- Logic abuse
- Shadow deployments
- Drift and corruption
Can AI be monitored?
Yes. Monitoring AI means tracking how the system behaves, what it accesses, and whether it deviates from expected patterns. Monitoring includes:
- Behavioral monitoring
- Access visibility
- Inference monitoring
- Output validation
- Anomaly detection
These aren’t always handled by a single tool today. A full picture usually requires a combination of runtime and security tools (like CNAPPs), but also API gateways, model performance monitors, and logging tools.
How can I secure the entire lifecycle of AI applications?
There’s data ingestion, deployed models, and everything in between. Let’s look at what teams need to do at each step:
- Data ingestion: Validate and sanitize training data.
- Model development: Use signed and versioned model registries.
- Pre-deployment validation: Run security reviews, bias checks, and performance tests.
- Deployment gating: Apply CI/CD-style approval workflows, enforce signature checks, and restrict who can promote models.
- Runtime protection: Monitor for identity misuse, unauthorized network access, anomalous inference behavior, and process spawning.
- Post-deployment protection: Log inputs, track outputs, and watch for drift.
How is securing AI different from securing an API?
An AI model can look like any other service endpoint. But its behavior can be much more dynamic and unpredictable than a traditional API, so it requires deeper inspection into logic, execution, and the environment. Here’s why:
- AI is probabilistic: It doesn’t return fixed responses like APIs.
- Inputs can be adversarial: Attackers can use prompts or payloads that exploit model behavior.
- Outputs carry business logic: AI responses can directly influence decisions, not just return static data.
- Models can drift silently: Unlike APIs, models change performance over time without changes to their code.
- Models interact with infrastructure: AI systems often have access to data stores, tools, or networks, making for a larger blast radius.
Does non-GenAI still need protection?
Yes, even non-generative AI needs protection. Models like classifiers, forecasters, and recommenders can still be manipulated or misconfigured. They also have the power to influence real business decisions, so they’re high-value targets for cyberattackers through decision manipulation, data leakage, shadow model deployments, inference abuse, and workflow triggering.
Non-generative AI models need protection at the infrastructure level for better security posture. But they also need protection across other layers, like identity and logic, to prevent them from becoming security blind spots.
