Cyscale

Back to controls

AI model network isolation should be enabled

Network-isolated model containers reduce model exfiltration, supply-chain callback, prompt-injection pivot, and unapproved data egress risk. AI model runtimes should not have arbitrary outbound network reachability unless the use case requires it and the egress path is explicitly controlled.

Category

Controls

High

Applies to

AWS

Coverage

1 queries

Asset types

2 covered

Overview

Network-isolated model containers reduce model exfiltration, supply-chain callback, prompt-injection pivot, and unapproved data egress risk. AI model runtimes should not have arbitrary outbound network reachability unless the use case requires it and the egress path is explicitly controlled.

Remediation guidance

Remediation

Enable network isolation for SageMaker models where supported. If the model needs controlled egress, route traffic through approved private endpoints, proxies, or VPC controls with logging and allowlists.

Identify model containers without network isolation.
Validate whether external network access is required.
Enable network isolation or document a time-bound exception with compensating egress controls.

Query logic

These are the stored checks tied to this control.

AI model network isolation should be enabled

Connectors

AWS

Covered asset types

AI ServicesModel

Expected check: eq []

{
  sageMakerModels(where: { enableNetworkIsolation: { eq: false } }) { ...AssetFragment }
}

Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

Platform

Cloud Native Application Protection (CNAPP)Cloud Security Posture Management (CSPM)Cloud Infrastructure Entitlement Management (CIEM)Kubernetes Security Posture Management (KSPM)Cloud Compliance Cloud Security for MSSPs Cloud Vulnerability Management ASPM + Code Scanning Secrets + Outdated Software AI-SPM Platform Book a Demo Start a Trial Pricing

Use Cases

Cloud Misconfigurations Vulnerability Management Code Vulnerability Scanning AI Security Operational Security IAM Cloud Security Cloud Data Security Cloud Compliance NIS 2 Compliance DORA Compliance Kubernetes Security Microsoft Entra ID Security Google Workspace Security

Industries

Managed Security (MSSPs)FinTech Banks HealthTech Telecom Legal Tech HRTech M&A Due Diligence Mobile Apps

Compare

Cyscale vs Wiz Cyscale vs Lacework Cyscale vs Zscaler Cyscale vs Orca Security Cyscale vs AWS Cyscale vs Google Cloud Cyscale vs Microsoft Azure

Resources

Blog Security Wiki Product Tours Case Studies Documentation Data Sheet FAQ + Support Cloud Security Buyer’s Guide SaaS CTO Cloud Security Handbook Top 10 Cloud Security Challenges

Company

About Us Cloud Security Made in Europe Careers Contact Us

+44 7401 208466

[email protected]

ISO 27001Compliant

SOC 2In progress

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of use Security Policy Privacy Policy Status Sitemap

Terms of use Security Policy Privacy Policy

crunch base icon