Overview
AI Best Practices gives security, cloud, and AI platform teams a focused baseline for discovering, securing, and continuously monitoring AI services across cloud and Kubernetes environments.
The framework is designed for AI-SPM use cases: finding public AI endpoints, reducing excessive model and agent permissions, protecting training data, embeddings, vector stores, feature stores, and model artifacts, hardening AI workbenches and Kubernetes runtimes, and ensuring guardrails and telemetry are configured before AI systems are exposed to users or business workflows.
Procedures and mapped controls
1. Discovery and Exposure Management
AI services, model endpoints, agents, and AI-backed Kubernetes workloads should be inventoried and private by default. Public exposure should be deliberate, authenticated, logged, rate-limited, and approved by the service owner.
2. Identity and Model Access
AI workloads should use scoped identities and least-privilege access. Model invocation, model deployment, agent tools, datasets, vector stores, and cloud APIs should not be reachable through administrative, wildcard, owner, editor, or default runtime identities.
3. Data and Model Protection
Training datasets, feature stores, prompts, embeddings, model artifacts, and notebook storage should be protected as sensitive data. Encryption, key control, and restricted data-store access reduce the impact of model theft, prompt leakage, and unauthorized data extraction.
4. Runtime Safety and Guardrails
Production AI services should have content safety, responsible AI, abuse prevention, approval, and monitoring controls appropriate to their use case. Guardrails help reduce unsafe output, prompt-injection impact, data disclosure, and unreviewed autonomous actions.
5. Observability and Response
AI services should produce enough telemetry for security teams to investigate prompt injection, abusive usage, model access, agent actions, data extraction, and denial-of-wallet patterns. Logging and ownership are prerequisites for useful alert routing and incident response.
6. AI Workbench Hardening
AI notebooks and workbench environments often bridge identities, code, secrets, datasets, and model artifacts. They should be hardened like privileged development environments, with root access and legacy instance metadata access (IMDSv1) disabled unless explicitly justified.
Query logic
These are the stored checks tied to this framework.
AI endpoints should not be internet exposed
Expected check: eq []
{
azureAIServiceAccounts(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
azureOpenAIDeployments(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
azureMachineLearningWorkspaces(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
azureMachineLearningEndpoints(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
azureAISearchServices(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
azureAIVideoIndexerAccounts(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
azureBotServices(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
azureSynapseWorkspaces(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
vertexAIEndpoints(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
services(where: { annotations_SOME: { key: { eq: "cyscale.com/ai-service" }, value: { eq: "true" } }, type_IN: ["LoadBalancer", "NodePort"] }) { ...AssetFragment }
ingresses(where: { annotations_SOME: { key: { eq: "cyscale.com/ai-service" }, value: { eq: "true" } } }) { ...AssetFragment }
}
AI vector and search stores should not be public
Expected check: eq []
{
azureAISearchServices(where: { publicEndpoint: { eq: true } }) { ...AssetFragment }
}
AI services should have owner tags
Expected check: eq []
{
sageMakerNoteBooks(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
sageMakerModels(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
sageMakerEndpoints(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
sageMakerFeatureGroups(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureAIServiceAccounts(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureAIFoundryProjects(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureAISearchServices(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureAIVideoIndexerAccounts(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureBotServices(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureOpenAIDeployments(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureMachineLearningWorkspaces(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureMachineLearningEndpoints(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureMachineLearningModels(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
azureSynapseWorkspaces(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
vertexAIModels(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
vertexAIEndpoints(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
vertexAIDatasets(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
vertexAIFeaturestores(where: { tags_NONE: { key_MATCHES: "(?i)^(owner|service-owner|team)$" } }) { ...AssetFragment }
}
AI models should not be reachable through broad identities
Expected check: eq []
{
sageMakerModels(where: { executionRoleARN_MATCHES: ".*:role/(admin|administrator|owner|power|full).*" }) { ...AssetFragment }
vertexAIEndpoints(where: { deployedModels_SOME: { serviceAccount_MATCHES: "(?i).*(admin|owner|editor|power).*" } }) { ...AssetFragment }
azureAIServiceAccounts(where: { OR: [ { roleIDs_INCLUDES: "Owner" } { roleIDs_INCLUDES: "Contributor" } { roleIDs_INCLUDES: "User Access Administrator" } { roleIDs_INCLUDES: "Administrator" } ] }) { ...AssetFragment }
azureAIFoundryProjects(where: { OR: [ { roleIDs_INCLUDES: "Owner" } { roleIDs_INCLUDES: "Contributor" } { roleIDs_INCLUDES: "User Access Administrator" } { roleIDs_INCLUDES: "Administrator" } ] }) { ...AssetFragment }
azureOpenAIDeployments(where: { OR: [ { roleIDs_INCLUDES: "Owner" } { roleIDs_INCLUDES: "Contributor" } { roleIDs_INCLUDES: "User Access Administrator" } { roleIDs_INCLUDES: "Administrator" } ] }) { ...AssetFragment }
azureMachineLearningEndpoints(where: { OR: [ { roleIDs_INCLUDES: "Owner" } { roleIDs_INCLUDES: "Contributor" } { roleIDs_INCLUDES: "User Access Administrator" } { roleIDs_INCLUDES: "Administrator" } ] }) { ...AssetFragment }
}
AI agents should not run with unrestricted tool permissions
Expected check: eq []
{
azureAIFoundryProjects(where: { toolPermissions_INCLUDES: "*" }) { ...AssetFragment }
azureMachineLearningEndpoints(where: { toolPermissions_INCLUDES: "*" }) { ...AssetFragment }
pods(where: { annotations_SOME: { key: { eq: "cyscale.com/ai-signals" }, value_MATCHES: "(?i).*agent.*" }, OR: [ { automountServiceAccountToken: { eq: true } } { isAutomountServiceAccountTokenSet: { eq: false } } ] }) { ...AssetFragment }
deployments(where: { podTemplate: { annotations_SOME: { key: { eq: "cyscale.com/ai-signals" }, value_MATCHES: "(?i).*agent.*" }, OR: [ { automountServiceAccountToken: { eq: true } } { isAutomountServiceAccountTokenSet: { eq: false } } ] } }) { ...AssetFragment }
serviceAccounts(where: { annotations_SOME: { key: { eq: "cyscale.com/ai-service" }, value: { eq: "true" } }, OR: [ { automountServiceAccountToken: { eq: true } } { isAutomountServiceAccountTokenSet: { eq: false } } ] }) { ...AssetFragment }
}
AI model network isolation should be enabled
Expected check: eq []
{
sageMakerModels(where: { enableNetworkIsolation: { eq: false } }) { ...AssetFragment }
}
AI training data and feature stores should be encrypted
Expected check: eq []
{
sageMakerFeatureGroups(where: { encrypted: { eq: false } }) { ...AssetFragment }
vertexAIDatasets(where: { encrypted: { eq: false } }) { ...AssetFragment }
vertexAIFeaturestores(where: { encrypted: { eq: false } }) { ...AssetFragment }
azureMachineLearningModels(where: { encrypted: { eq: false } }) { ...AssetFragment }
azureAIFoundryProjects(where: { encrypted: { eq: false } }) { ...AssetFragment }
}
AI model artifacts should use private storage
Expected check: eq []
{
sageMakerModels(where: { primaryContainerModelDataURL_MATCHES: "(?i)^https?://.*" }) { ...AssetFragment }
vertexAIModels(where: { artifactURI_MATCHES: "(?i)^https?://.*" }) { ...AssetFragment }
}
AI feature stores should have retention configured
Expected check: eq []
{
vertexAIFeaturestores(where: { onlineStorageTTLDays_LTE: 0 }) { ...AssetFragment }
}
Get unencrypted SageMaker notebooks
Expected check: eq []
{
sageMakerNoteBooks(
where: {
kmsKey: null
}
) {...AssetFragment}
}
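The SageMaker checks for owner tags, broad execution roles and private artifact storage, replayed in Python over constructed model records. This is an added example, not Cyscale's own evaluator; the regexes are copied from the stored checks above, while the record layout (tags as a key-to-value mapping, query field names as dictionary keys) is an assumption.

```python
import re

# Patterns copied from the stored checks. Note the SageMaker role pattern carries
# no (?i) flag, so as written it matches case-sensitively, unlike the tag pattern.
OWNER_TAG_KEY = re.compile(r"(?i)^(owner|service-owner|team)$")
BROAD_ROLE_ARN = re.compile(r".*:role/(admin|administrator|owner|power|full).*")
WEB_ARTIFACT_URL = re.compile(r"(?i)^https?://.*")

# Constructed sample records (not real assets); tags are modelled as key -> value.
SAMPLE_MODELS = [
    {"name": "fraud-scorer", "tags": {"Team": "risk", "env": "prod"},
     # "AdminRole" is not matched by the pattern as written (no (?i)), a gap worth knowing
     "executionRoleARN": "arn:aws:iam::123456789012:role/AdminRole",
     "primaryContainerModelDataURL": "s3://ml-artifacts/fraud/model.tar.gz"},
    {"name": "doc-summarizer", "tags": {"env": "dev", "team-owner": "docs"},
     "executionRoleARN": "arn:aws:iam::123456789012:role/power-user-sagemaker",
     "primaryContainerModelDataURL": "HTTPS://downloads.example.com/summ.tar.gz"},
]

def missing_owner_tag(model):
    # tags_NONE semantics: flagged only when no tag key matches. The pattern is
    # anchored, so "Team" counts as an owner tag but "team-owner" does not.
    return not any(OWNER_TAG_KEY.fullmatch(key) for key in model.get("tags", {}))

def broad_execution_role(model):
    # Flags execution roles whose name contains admin/administrator/owner/power/full.
    return BROAD_ROLE_ARN.fullmatch(model.get("executionRoleARN", "")) is not None

def web_artifact_storage(model):
    # s3:// URIs pass; an http(s) URL means model data is pulled from a web endpoint.
    return WEB_ARTIFACT_URL.fullmatch(model.get("primaryContainerModelDataURL", "")) is not None

CHECKS = {"owner_tags": missing_owner_tag, "broad_identity": broad_execution_role,
          "private_storage": web_artifact_storage}

def evaluate_asset_checks(models):
    """Map each check to the names of offending models; a check passes when its list is empty (eq [])."""
    return {name: [m["name"] for m in models if fn(m)] for name, fn in CHECKS.items()}
```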
AI guardrails should be configured
Expected check: eq []
{
azureAIServiceAccounts(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
azureAIFoundryProjects(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
azureOpenAIDeployments(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
azureMachineLearningEndpoints(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
azureBotServices(where: { guardrailConfigured: { eq: false } }) { ...AssetFragment }
}
AI Kubernetes workloads should not run with privileged runtime settings
Expected check: eq []
{
pods(where: { assetCategory: { eq: "AI Services" }, containers_SOME: { securityContext: { OR: [ { allowPrivilegeEscalation: { eq: true } } { readOnlyRootFilesystem: { eq: false } } { capabilitiesAdd_INCLUDES: "SYS_ADMIN" } { privileged: { eq: true } } ] } } }) { ...AssetFragment }
deployments(where: { assetCategory: { eq: "AI Services" }, podTemplate: { containersTemplates_SOME: { securityContext: { OR: [ { allowPrivilegeEscalation: { eq: true } } { readOnlyRootFilesystem: { eq: false } } { capabilitiesAdd_INCLUDES: "SYS_ADMIN" } { privileged: { eq: true } } ] } } } }) { ...AssetFragment }
statefulSets(where: { assetCategory: { eq: "AI Services" }, podTemplate: { containersTemplates_SOME: { securityContext: { OR: [ { allowPrivilegeEscalation: { eq: true } } { readOnlyRootFilesystem: { eq: false } } { capabilitiesAdd_INCLUDES: "SYS_ADMIN" } { privileged: { eq: true } } ] } } } }) { ...AssetFragment }
daemonSets(where: { assetCategory: { eq: "AI Services" }, podTemplate: { containersTemplates_SOME: { securityContext: { OR: [ { allowPrivilegeEscalation: { eq: true } } { readOnlyRootFilesystem: { eq: false } } { capabilitiesAdd_INCLUDES: "SYS_ADMIN" } { privileged: { eq: true } } ] } } } }) { ...AssetFragment }
jobs(where: { assetCategory: { eq: "AI Services" }, cronJobName: { eq: "" }, podTemplate: { containersTemplates_SOME: { securityContext: { OR: [ { allowPrivilegeEscalation: { eq: true } } { readOnlyRootFilesystem: { eq: false } } { capabilitiesAdd_INCLUDES: "SYS_ADMIN" } { privileged: { eq: true } } ] } } } }) { ...AssetFragment }
cronJobs(where: { assetCategory: { eq: "AI Services" }, podTemplate: { containersTemplates_SOME: { securityContext: { OR: [ { allowPrivilegeEscalation: { eq: true } } { readOnlyRootFilesystem: { eq: false } } { capabilitiesAdd_INCLUDES: "SYS_ADMIN" } { privileged: { eq: true } } ] } } } }) { ...AssetFragment }
}
AI Kubernetes workloads should not use host networking
Expected check: eq []
{
pods(where: { assetCategory: { eq: "AI Services" }, hostNetwork: { eq: true } }) { ...AssetFragment }
deployments(where: { assetCategory: { eq: "AI Services" }, podTemplate: { hostNetwork: { eq: true } } }) { ...AssetFragment }
statefulSets(where: { assetCategory: { eq: "AI Services" }, podTemplate: { hostNetwork: { eq: true } } }) { ...AssetFragment }
daemonSets(where: { assetCategory: { eq: "AI Services" }, podTemplate: { hostNetwork: { eq: true } } }) { ...AssetFragment }
jobs(where: { assetCategory: { eq: "AI Services" }, cronJobName: { eq: "" }, podTemplate: { hostNetwork: { eq: true } } }) { ...AssetFragment }
cronJobs(where: { assetCategory: { eq: "AI Services" }, podTemplate: { hostNetwork: { eq: true } } }) { ...AssetFragment }
}
AI endpoint access logging should be enabled
Expected check: eq []
{
vertexAIEndpoints(where: { deployedModels_SOME: { OR: [ { enableAccessLogging: { eq: false } } { disableContainerLogging: { eq: true } } ] } }) { ...AssetFragment }
}
Retrieve SageMaker notebooks without IMDSv2 required
Expected check: eq []
{
sageMakerNoteBooks(
where: {
NOT: { minimumInstanceMetadataServiceVersion: { eq: "2" } }
}
) {...AssetFragment}
}
SageMaker Notebooks with root access enabled
Expected check: eq []
{
sageMakerNoteBooks(
where: {
NOT: { rootAccess: { eq: "Disabled" } }
}
) {...AssetFragment}
}
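The three Kubernetes workload checks above (agent service-account token automount, privileged runtime settings, host networking) replayed in Python over constructed pod records. This is an added example rather than Cyscale's engine; it assumes every record is already scoped to assetCategory "AI Services" and uses the query field names as dictionary keys.

```python
import re
# Constructed sample pod records (not real workloads), shaped like the fields the
# Kubernetes checks filter on; all are assumed to carry assetCategory "AI Services".
AGENT_SIGNAL = re.compile(r"(?i).*agent.*")
SAMPLE_PODS = [
    {"name": "rag-agent", "annotations": {"cyscale.com/ai-signals": "llm-agent"},
     "hostNetwork": False,  # automountServiceAccountToken deliberately left unset
     "containers": [{"securityContext": {"allowPrivilegeEscalation": False,
                                         "readOnlyRootFilesystem": True}}]},
    {"name": "embed-worker", "annotations": {"cyscale.com/ai-signals": "embeddings"},
     "automountServiceAccountToken": False, "hostNetwork": True,
     "containers": [{"securityContext": {"readOnlyRootFilesystem": False}}]},
    {"name": "chat-api", "annotations": {"cyscale.com/ai-signals": "agent,chat"},
     "automountServiceAccountToken": False, "hostNetwork": False,
     "containers": [{"securityContext": {"allowPrivilegeEscalation": False,
                                         "capabilities": {"add": ["NET_BIND_SERVICE"]}}}]},
]

def is_agent(pod):
    # annotations_SOME: key cyscale.com/ai-signals with a value matching (?i).*agent.*
    value = pod.get("annotations", {}).get("cyscale.com/ai-signals", "")
    return AGENT_SIGNAL.fullmatch(value) is not None

def unrestricted_agent_token(pod):
    # Flagged when the token is mounted OR the field is not set at all: Kubernetes
    # mounts the service account token by default, so "unset" is not "safe".
    automount = pod.get("automountServiceAccountToken")
    return is_agent(pod) and (automount is True or automount is None)

def privileged_runtime(pod):
    # One container matching any of the four securityContext conditions is enough.
    # Unlike the token check, an unset readOnlyRootFilesystem is not flagged here,
    # because the stored check tests eq: false rather than "not set".
    for container in pod.get("containers", []):
        sc = container.get("securityContext", {})
        if (sc.get("allowPrivilegeEscalation") is True
                or sc.get("readOnlyRootFilesystem") is False
                or "SYS_ADMIN" in sc.get("capabilities", {}).get("add", [])
                or sc.get("privileged") is True):
            return True
    return False

CHECKS = {"agent_token": unrestricted_agent_token,
          "privileged_runtime": privileged_runtime,
          "host_network": lambda pod: pod.get("hostNetwork") is True}

def evaluate_workload_checks(pods):
    """Map each check to offending pod names; a check passes when its list is empty (eq [])."""
    return {name: [p["name"] for p in pods if fn(p)] for name, fn in CHECKS.items()}
```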