Artificial Intelligence (AI) holds tremendous potential to improve cyber defense and make the lives of security professionals easier. This can help teams overcome alert fatigue, identify patterns faster, and bring a level of scale that human analysts alone cannot match. But realizing that potential depends on securing the systems that make it possible.
Every organization experimenting with AI in security operations is, intentionally or not, expanding its attack surface. Without clear governance, strong identity controls, and visibility into how AI makes its decisions, even well-intentioned deployments can create risks faster than they can be mitigated. To truly benefit from AI, defenders need to secure it with the same rigor they apply to any other critical system. This means establishing trust in the data it learns from, accountability for the actions it takes, and monitoring the results it produces. When properly secured, AI can augment human capacity to help physicians work better, respond faster, and rescue more effectively.
Establishing Trust for Agentic AI Systems
As organizations begin to integrate AI into defensive workflows, identity security becomes the foundation of trust. Every model, script or autonomous agent operating in a production environment now represents a new identity – capable of accessing data, issuing commands and influencing defensive outcomes. If those identities aren’t properly controlled, tools meant to strengthen security can quietly become a source of risk.
The emergence of agentic AI systems makes this particularly important. These systems don’t just perform analysis; They can function without human intervention. They test alerts, enrich context, or trigger response playbooks under delegated authority from human operators. Every action is, in fact, a transaction of faith. That trust must be tied to identity, authenticated through policy, and auditable from end to end.
The same principles that protect people and services should now apply to AI agents:
- Scoped Credentials and Minimum Privileges To ensure that each model or agent can only access the data and functions necessary for its task.
- Strong authentication and key rotation To prevent impersonation or credential leaks.
- Activity provenance and audit logging So that every action initiated by AI can be traced, verified and if necessary, reversed.
- division and separation To prevent cross-agent access, ensuring that one compromised process cannot affect others.
In practice, this means treating each agentic AI system as a first-class identity within its IAM framework. Like any user or service account, each should have a defined owner, lifecycle policy, and monitoring scope. Defensive teams must continually verify what those agents can do, not just what they were intended to do, as capability often degrades faster than designed. Once identity is established as a foundation, defenders can focus their attention on securing the broader system.
Securing AI: Best Practices for Success
Securing AI starts with securing the systems that make it possible – the models, data pipelines, and integrations that are now woven into everyday security operations. Just as
As we secure networks and endpoints, AI systems should be treated as mission-critical infrastructure that requires layered and persistent defense.
- admission control: Enforce least privilege and strong authentication on every model, dataset, and API. Continually log and review access to prevent unauthorized access.
- Data Control: Validate, clean, and classify all data used for training, enhancement, or inference. Secure storage and lineage tracking minimizes the risk of model poisoning or data leakage.
- Deployment Strategies: Harden AI pipelines and environments with sandboxing, CI/CD gating, and red-teaming before release. Treat deployment as a controlled, auditable event, not an experiment.
- Estimate Security: Protect models from rapid injection and abuse by implementing input/output validation, guardrails, and escalation paths for high-impact actions.
- Supervision: Continually observe model behavior and outputs for signs of drift, inconsistencies, and compromise. Effective telemetry allows defenders to detect manipulation before it spreads.
- Model Security: Version, mark, and integrity-check throughout the model’s lifecycle to ensure authenticity and prevent unauthorized swaps or retraining.
These controls are directly aligned NIST’s AI Risk Management Framework and this OWASP Top 10 for LLMWhich highlights the most common and consequential vulnerabilities in AI systems – from quick injection and unsafe plugin integration to model poisoning and data exposure. Applying mitigations from those frameworks within these six domains helps translate the guidance into operational defense. Once these foundations are established, teams can focus on using AI responsibly by knowing when to trust automation and when to keep humans in the loop.
Balancing enhancements and automation
AI systems are able to assist human practitioners like an apprentice who never sleeps. However, it is important for security teams to differentiate between what to automate and what to enhance. Some tasks benefit from full automation, especially those that are repeatable, measurable, and low-risk if error occurs. However, others demand direct human inspection because context, intuition or ethics matter more than speed.
Threat enrichment, log parsing, and alert deduplication are prime candidates for automation. These are data-heavy, pattern-driven processes where consistency outperforms creativity. In contrast, incident scope, attribution, and response decisions depend on context that AI cannot fully understand. Here, AI should help surface indicators, suggest next steps or summarize findings, while retaining decision-making authority for physicians.
Finding that balance requires maturity in process design. Security teams should categorize workflows based on their tolerance for error and the cost of automation failure. Keep humans informed wherever the risk of false positives or missed nuances is high. Wherever accuracy can be objectively measured, let AI get the job done.
Join us at SANS Surge 2026!
I will delve into this topic during my keynote address Sans Surge 2026 (February 23-28, 2026), Where we’ll explore how security teams can ensure AI systems are safe to rely on. If your organization is moving rapidly on AI adoption, this program will help you move forward more securely. Join us to connect with peers, learn from experts, and see what safe AI really looks like in practice.
Register for SANS Surge 2026 here.
Comment: This article was contributed by Sans Institute Fellow Frank Kim.
