AI security runbooks
| Title | Description | Category | Version | Complexity |
|---|---|---|---|---|
| AI Use-case Intake and Approval | Standard workflow from idea to approved build: risk tier, data classes, owners, and conditions of use for new AI features. | operational | 0.1.0 | low |
| AI Vendor Risk Review | Due diligence for AI vendors: security posture, data residency, subprocessors, incident history, and contractual controls. | operational | 0.1.0 | medium |
| Compliance Evidence Collection (NIST AI RMF, ISO 42001, EU AI Act) | Map operational artifacts to framework controls so audits produce structured evidence packs without last-minute archaeology. | operational | 0.1.0 | high |
| Data Classification Review for AI Workloads | Align data classes with AI processing: labeling rules, residency, retention, and permitted model types per class. | operational | 0.1.0 | medium |
| Data Leakage Evaluation | Evaluate whether models or pipelines can exfiltrate training, fine-tuning, or tenant data through outputs and side channels. | evaluation | 0.1.0 | high |
| Incident: AI Supply Chain Compromise | Suspected compromise of packages, weights, or CI that builds models: freeze releases, verify artifacts, and rebuild from trusted baselines. | incident-response | 0.1.0 | high |
| Incident: Data Leakage from Model Output | Triage and contain suspected memorization or accidental disclosure through model responses, including customer notifications and forensics. | incident-response | 0.1.0 | high |
| Incident: Hallucination Causing Material Harm | When false outputs drive bad decisions: preserve logs, notify stakeholders, adjust mitigations, and schedule targeted evaluation. | incident-response | 0.1.0 | high |
| Incident: Jailbreak Campaign | Handle scaled attempts to bypass safety: monitoring spikes, content policy updates, temporary throttles, and model-side mitigations. | incident-response | 0.1.0 | medium |
| Incident: Model Drift Causing Failure | Detect and remediate quality or safety drift after deployment using monitoring signals, rollback, and re-evaluation triggers. | incident-response | 0.1.0 | medium |
| Incident: Model Output Causing Harm | Handle reports of harmful model behavior: immediate mitigation, user safety, comms, and root cause across policy and model layers. | incident-response | 0.1.0 | high |
| Incident: Prompt Injection Campaign in Production | Respond to coordinated indirect injection affecting agents or RAG: isolate components, preserve evidence, and restore safe operation. | incident-response | 0.1.0 | high |
| Incident: Training Data Poisoning Suspected | Investigate suspected poisoning or backdoors in training corpora or fine-tuning pipelines with model quarantine and lineage analysis. | incident-response | 0.1.0 | high |
| Incident: Unauthorized Model Access | Respond to credential theft or API abuse: key rotation, rate limits, audit review, and access path closure. | incident-response | 0.1.0 | high |
| Incident: Vendor Model Outage | Operate through third-party model API failures: failover, comms, SLA evidence, and customer impact assessment. | incident-response | 0.1.0 | medium |
| Model Release Approval — Fine-tuned Models | Gate for releasing a fine-tuned model to production: verify training data lineage, evaluation results, rollback plan, and owner sign-off bef … | pre-deployment | 0.1.0 | medium |
| Model Release Approval — In-house Trained Models | Gate for promoting internally trained full models: training governance, evaluation gates, safety review, and rollback before production traf … | pre-deployment | 0.1.0 | high |
| Model Release Approval — Open-source Self-hosted Models | Gate for deploying open-weights stacks you host: supply chain, hardening, telemetry, and capacity planning before production inference. | pre-deployment | 0.1.0 | high |
| Model Release Approval — Third-party API Integration | Gate for shipping features that call external model APIs: vendor review, data handling, latency fallbacks, and contract alignment before go- … | pre-deployment | 0.1.0 | medium |
| Model Retirement and Decommission | Sunset a model safely: traffic drain, artifact archival, key revocation, and evidence for auditors. | operational | 0.1.0 | medium |
| Pre-deployment Red Team Exercise | Structured adversarial test pass before launch: scope, scenarios, evidence capture, and remediation tracking for AI-specific abuse cases. | evaluation | 0.1.0 | high |
| Prompt Injection Testing | Repeatable test plan for indirect prompt injection across UI, tools, and retrieval so unsafe instruction paths are found before release. | evaluation | 0.1.0 | medium |
| Quarterly Model Review | Periodic governance review of in-production models: performance, misuse signals, policy changes, and retirement candidates. | operational | 0.1.0 | low |
| Shadow AI Investigation | Discover and govern unsanctioned AI tools: signals, interviews, risk rating, and migration to approved paths. | operational | 0.1.0 | medium |
| Third-party AI Tool Evaluation | Assess SaaS AI tools employees want: privacy, retention, model training claims, SSO, and enterprise security questionnaire alignment. | operational | 0.1.0 | medium |