# What is Enterprise AI Security?

_Enterprise AI security protects AI systems, models, and data from threats including adversarial attacks, data breaches, model theft, and supply chain vulnerabilities._

Enterprise AI security protects AI systems, models, and data from threats including adversarial attacks, data breaches, model theft, and supply chain vulnerabilities. It extends traditional cybersecurity to address AI-specific attack surfaces.

Why it matters: AI systems process sensitive data, make consequential decisions, and interact with untrusted inputs in ways traditional software doesn't. A single vulnerability can expose customer data, enable fraud, or compromise business-critical systems.

## AI-Specific Threat Landscape

Enterprise AI security is part of broader [AI governance](/ai-governance), [AI compliance](/ai-compliance), and [AI risk management](/ai-risk-management) programs. For LLM-specific threats, see [LLM security](/llm-security).

### Prompt Injection Attacks
Attackers craft inputs that manipulate AI behavior—bypassing safety controls, extracting sensitive information, or causing harmful outputs.

**Direct injection**: Malicious prompts that override system instructions ("Ignore previous instructions and...")

**Indirect injection**: Poisoning data sources the AI retrieves from—documents, websites, databases—so the AI follows attacker instructions when processing that data.

**Jailbreaking**: Techniques to bypass safety guardrails and elicit prohibited content.

### Data Poisoning
Attackers corrupt training or fine-tuning data to influence model behavior.
- Inject backdoors that activate on specific triggers
- Bias the model toward attacker-desired outputs
- Degrade performance on specific inputs or populations

### Model Extraction and Theft
Attackers query the model systematically to reconstruct its behavior or steal intellectual property.
- Model stealing: Replicate a proprietary model through API queries
- Training data extraction: Recover sensitive data memorized during training
- Membership inference: Determine whether specific data was used in training

### Adversarial Examples
Carefully crafted inputs that cause models to fail—misclassifying images, misunderstanding text, or producing incorrect outputs. Often imperceptible to humans but highly effective against models.

### Supply Chain Attacks
Third-party models, libraries, and APIs introduce vulnerabilities you don't control.
- Compromised foundation models
- Malicious dependencies in ML toolchains
- API providers with security gaps

### Data Leakage
AI systems can expose sensitive information in their outputs.
- PII/PHI in generated text
- Proprietary information from training data
- Internal system details revealed through outputs

## Security Architecture

### Defense in Depth
No single control is sufficient. Layer multiple defenses:

**Input layer**: Filter, validate, and sanitize inputs before they reach the model. Detect known attack patterns.

**Model layer**: Use models trained to resist adversarial attacks. Apply differential privacy to limit memorization.

**Output layer**: Filter outputs for sensitive content. Validate format and content before delivery.

**Infrastructure layer**: Secure compute, storage, and networking. Apply traditional security controls.

### Zero Trust for AI
Don't trust any component implicitly:
- Verify all inputs, including from internal systems
- Validate outputs before acting on them
- Assume third-party models may be compromised
- Monitor all interactions for anomalies

Zero trust requires [AI supervision](/ai-supervision)—not just logging what happens, but enforcing constraints that limit what can happen. Supervision ensures that even compromised components can't exceed their boundaries.

### Least Privilege
Limit AI system access and capabilities:
- Restrict API access to necessary scopes
- Limit tool/function calling to vetted operations
- Apply rate limits to prevent extraction attacks
- Segment sensitive data access

## Security Controls

### [Prompt Injection](/ai-prompt-injection) Defense
- Input filtering and sanitization
- Instruction hierarchy that prioritizes system prompts
- Output validation against expected patterns
- [Adversarial testing](/ai-adversarial-testing) and red-teaming

### Access Control
- Authentication for all API access
- Role-based permissions for model operations
- Audit logging of all queries and responses
- Rate limiting to prevent extraction attacks

### Data Protection
- Encryption at rest and in transit
- Data classification and handling policies
- PII/PHI detection in inputs and outputs
- Retention policies and secure deletion

### Model Security
- Version control and integrity verification
- Secure model storage and deployment
- Change management for model updates
- Rollback capabilities for compromised models

### [Monitoring](/ai-monitoring) and Detection
- Real-time anomaly detection on queries
- Output monitoring for sensitive content
- Attack pattern detection and alerting
- Incident response playbooks

## Vendor and Third-Party Security

Most enterprises use third-party AI services. Extend security practices to vendors:

### Assessment
- Security questionnaires and certifications (SOC 2, ISO 27001)
- Review of AI-specific security practices
- Understanding of data handling and retention
- Incident response capabilities

### Contractual Protections
- Data processing agreements
- Security requirements and SLAs
- Breach notification requirements
- Liability and indemnification

### Operational Controls
- API security and authentication
- Output monitoring and validation
- Rate limiting and cost controls
- Independent testing of vendor systems

## How Swept AI Enhances AI Security

Swept AI provides security controls purpose-built for AI systems:

- **[Evaluate](/product/evaluate)**: [Red-team testing](/ai-red-teaming) that probes for prompt injection vulnerabilities, jailbreak susceptibility, and data leakage risks before production deployment.

- **[Supervise](/product/supervise)**: Real-time monitoring for attack patterns, anomalous queries, and sensitive content in outputs. Hard policy boundaries that can't be bypassed by clever prompts.

- **Security-first architecture**: Customer data stays in your environment. No training on your data. Audit trails for all system interactions.

AI security isn't an add-on—it's foundational to deploying AI systems that enterprises can trust.