Securing AI Systems
The biggest domain — 40%

• OWASP Top 10 for LLM Applications — catalogs the most critical risks specific to LLM-based apps (prompt injection, training data poisoning, supply chain, etc.).
• OWASP Machine Learning Security Top 10 — a broader ML risk catalog covering the entire pipeline (data, model, infrastructure).
• MIT AI Risk Repository — a comprehensive, categorized database of AI risks drawn from academic and industry sources.
• MITRE ATLAS — an adversarial threat-modeling framework (modeled on MITRE ATT&CK) cataloging real-world tactics and techniques used against AI systems.
• CVE AI Working Group — extends standard vulnerability tracking and disclosure practices to AI-specific vulnerabilities.

Model Controls

• Evaluation — testing model behavior/outputs before and after deployment.
• Guardrails — rules that constrain model inputs/outputs.
• Prompt templates — constrain and standardize input structure.

Gateway Controls

• Prompt firewalls — inspect and filter prompts before they reach the model.
• Rate & token limits — cap usage to prevent abuse and cost overruns.
• Input quotas by size/quantity and modality limits (restrict input/output types — text/image/audio).
• Endpoint access controls — restrict which systems/users can reach the model API.

Validation

• Guardrail testing & validation — continuously test guardrails against known jailbreak/bypass techniques.

Apply least privilege across four surfaces:

• Models — who can query, fine-tune, or modify a model.
• Data — who can access training and inference data.
• Agents — what actions an AI agent is authorized to take.
• APIs & networks — network segmentation and endpoint authentication.

Agents need particularly tight, scoped permissions — an over-permissioned agent is the root cause of "excessive agency" (see card 6).

• Encryption in transit — protects data moving between systems.
• Encryption at rest — protects stored data.
• Encryption in use — protects data while it's being actively processed; the hardest to achieve (relates to confidential computing).
• Anonymization — removing identifying information so individuals can't be re-identified.
• Labels / classification — tagging data by sensitivity (public, internal, confidential) to drive handling rules.
• Redaction / masking — hiding or replacing sensitive values (e.g., showing only the last 4 digits of an account number).
• Minimization — collecting and retaining only the data actually needed.

• Prompt/query/response monitoring — logging what users ask and what the model returns.
• Log monitoring, sanitization & protection — ensure logs don't leak sensitive data and are protected from tampering.
• Response confidence monitoring — tracking how "certain" a model is, to flag low-confidence (possibly hallucinated) outputs.
• Rate & cost monitoring — tracking prompt, storage, response, and processing costs to detect abuse or runaway spend.
• Auditing for hallucinations, accuracy, bias/fairness, and access — periodic structured reviews.

This is the longest list on the exam — study attacks and their compensating controls as pairs.