AI-sikkerhed & Guardrails

AI security protects every AI system in the enterprise — predictive ML pipelines, computer-vision og NLP models, generative AI og LLMs, og agentic AI that takes actions on its own. It covers the models themselves, the data that trains og feeds them, the prompts og queries that drive them, the outputs og actions they produce, og the integrations they touch. The threat surface is unfamiliar to classical app security: model poisoning, adversarial inputs, prompt injection (OWASP LLM01), jailbreaks, sensitive-data leakage through outputs, excessive agency in tool-using agents, og drift in deployed models. It matters because AI is moving into customer-facing, decision-making, og revenue-critical workflows faster than traditional controls were built for — a single ungoverned model can expose IP, leak regulated data, or amplify insider risk at machine speed.

Prompt filters block specific inputs — keywords, regex patterns, known jailbreak strings. Guardrails are a broader policy layer that controls both inputs og outputs in context: industry-specific restrictions, department-level rules, geo-based limits, content moderation, restricted-topic enforcement, response validation against company policy, hallucination-risk reduction, og human-approval escalation for high-risk outputs. Filters are a starting point; guardrails are the operating model that lets you deploy AI defensibly.

Most programmes need to align with NIST AI RMF (the US AI risk framework, 2023), the EU AI Act (in force since 1 August 2024, with risk-tier obligations applying through 2027), ISO/IEC 42001 (the dedicated AI management system standard, 2023), ISO/IEC 27001 (information security), GDPR (personal data in prompts, training sets, og outputs), DORA where AI sits on the ICT third-party register of a financial entity, og HITRUST or HIPAA where health data is involved. Sector og state overlays add PCI DSS for cardholder data, the Colorado AI Act, NYC Local Law 144 for automated employment decisioning, og emerging national frameworks (UK ICO AI guidance, BSI AIC4 in Tyskland, CNIL AI Action Plan in Frankrig, MeitY responsible-AI advisory in India).

As a managed programme covering the full AI estate — classical ML, computer vision, NLP, generative AI, og agents. Access control, prompt og output guardrails, og data protection on every model; AI-specific threat detection (mapped to OWASP LLM Top 10 og MITRE ATLAS) wired into your SIEM og 24×7 SOC; risk scoring og behavioural analytics for AI interactions; AI incident response with forensic logging og automated containment; continuous red-teaming, VAPT, og posture monitoring; human-in-the-loop oversight for high-risk outputs; og model-lifecycle governance from training through drift detection. Compliance evidence is collected continuously against NIST AI RMF, ISO 42001, EU AI Act, ISO 27001, GDPR, DORA, og HITRUST so audits og board reporting are evidence-led rather than ad-hoc.