Microsoft AzureOverview
AI services should have guardrails appropriate to their use case. Missing content filters, responsible AI policies, safety classifiers, or guardrail configurations increase the chance of unsafe output, policy bypass, and unreviewed data disclosure.
Remediation guidance
Remediation
Configure provider-supported content safety, responsible AI, and guardrail settings for each production AI service. For services where guardrails are external to the provider resource, document the compensating control and link it to the service owner.
Rollout guidance
- Identify production AI services and their intended risk profile.
- Enable content safety, prompt/output filters, groundedness checks, or provider guardrails where supported.
- Add monitoring for guardrail bypass and unsafe-response events.
- Re-scan and track any service-specific exception with expiry.
Query logic
These are the stored checks tied to this control.
AI guardrails should be configured
Connectors
Microsoft Azure
Covered asset types
AI Foundry ProjectAI ServicesAzure OpenAI Deployment
Expected check: eq []
{
azureAIServiceAccounts(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
azureAIFoundryProjects(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
azureOpenAIDeployments(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
azureMachineLearningEndpoints(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
azureBotServices(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
}
