advanced10 min read· Module 11, Lesson 6
🔐Enterprise Security Audit Guide
Security checklist and compliance review for AI deployments
Enterprise Security Audit Guide
Deploying AI systems — particularly large language models like Claude — into enterprise environments demands rigorous security auditing before, during, and after production launch. A single misconfigured API key, an unvalidated output rendered as HTML, or an unmonitored endpoint can expose your organization to data breaches, compliance violations, and reputational damage.
This lesson provides a comprehensive, actionable security audit framework covering pre-deployment checklists, risk assessment, input/output security, access control, API key lifecycle, network hardening, logging and audit trails, incident response, vendor risk management, and regulatory compliance mapping.
1. Pre-Deployment Security Checklist
Before any AI system touches production traffic, walk through every item below. Each item should be signed off by the responsible team.
1.1 Identity & Access
| # | Check Item | Owner | Status |
|---|---|---|---|
| 1 | All API keys are stored in a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault) | Platform | ☐ |
| 2 | No API keys are committed to version control | DevSecOps | ☐ |
| 3 | Service accounts follow the principle of least privilege | IAM | ☐ |
| 4 | Multi-factor authentication is enforced for all human users accessing AI dashboards | Security | ☐ |
| 5 | Role-based access control (RBAC) is configured for the AI platform | IAM | ☐ |
1.2 Network & Infrastructure
| # | Check Item | Owner | Status |
|---|---|---|---|
| 6 | All API calls are made over TLS 1.2 or higher | Network | ☐ |
| 7 | Outbound traffic to AI vendor endpoints is restricted via allowlists | Network | ☐ |
| 8 | Internal services communicate through private subnets or VPN tunnels | Infrastructure | ☐ |
| 9 | Rate limiting is configured at the gateway level | Platform | ☐ |
| 10 | DDoS protection is enabled for public-facing AI endpoints | Network | ☐ |
1.3 Data Protection
| # | Check Item | Owner | Status |
|---|---|---|---|
| 11 | PII is redacted or masked before sending to the AI provider | Data Engineering | ☐ |
| 12 | Data classification labels are applied to all AI training and inference data | Governance | ☐ |
| 13 | Data at rest is encrypted with AES-256 or equivalent | Infrastructure | ☐ |
| 14 | Data in transit is encrypted end-to-end | Network | ☐ |
| 15 | Zero Data Retention (ZDR) is enabled if required by policy | Compliance | ☐ |
1.4 Application Security
| # | Check Item | Owner | Status |
|---|---|---|---|
| 16 | Input validation and sanitization is implemented for all user prompts | Backend | ☐ |
| 17 | Output sanitization prevents XSS, injection, and code execution | Backend | ☐ |
| 18 | Prompt injection defenses are tested and documented | Security | ☐ |
| 19 | Content filtering policies are configured and active | AI/ML | ☐ |
| 20 | Error messages do not leak internal system details | Backend | ☐ |
1.5 Monitoring & Response
| # | Check Item | Owner | Status |
|---|---|---|---|
| 21 | Centralized logging captures all AI API requests and responses | Observability | ☐ |
| 22 | Alerting thresholds are configured for anomalous usage patterns | SRE | ☐ |
| 23 | An incident response runbook exists for AI-specific failures | Security | ☐ |
| 24 | Regular penetration testing includes the AI integration surface | Security | ☐ |
| 25 | A rollback plan exists to disable AI features without downtime | Platform | ☐ |
2. Risk Assessment Framework
Use a structured risk matrix to evaluate every AI-related threat.
2.1 Risk Scoring Matrix
Likelihood (L): 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Almost Certain
Impact (I): 1 = Negligible, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Critical
Risk Score = L x I
1 - 5 → Low → Accept with monitoring
6 - 12 → Medium → Mitigate within 30 days
13 - 19 → High → Mitigate within 7 days
20 - 25 → Critical → Block deployment until resolved
2.2 Common AI Threat Catalog
| Threat | Likelihood | Impact | Score | Mitigation |
|---|---|---|---|---|
| API key leaked in source code | 3 | 5 | 15 | Secrets scanning in CI/CD |
| Prompt injection via user input | 4 | 4 | 16 | Input validation + guardrails |
| Model hallucination in critical path | 4 | 3 | 12 | Human-in-the-loop review |
| Excessive token spend from abuse | 3 | 3 | 9 | Rate limiting + budget alerts |
| PII exposure in logs | 3 | 5 | 15 | Log redaction pipeline |
| Vendor outage blocking core flow | 3 | 4 | 12 | Fallback and circuit breaker |
| Unauthorized model access | 2 | 5 | 10 | RBAC + audit logging |
2.3 Risk Register Template
Maintain a living risk register document. Review it monthly with stakeholders:
Risk ID: RISK-AI-001
Title: API Key Exposure
Description: API keys could be committed to public or internal repos
Category: Credential Management
Current Controls: Pre-commit hooks, CI secret scanning
Residual Risk: Medium (score 6)
Risk Owner: DevSecOps Lead
Review Date: Quarterly
3. Input / Output Security
3.1 Input Security
Every piece of data sent to the AI model is a potential attack vector.
Sanitization pipeline:
function sanitizePrompt(raw: string): string {
// 1. Strip control characters
let cleaned = raw.replace(/[�-
- ]/g, "");
// 2. Enforce maximum length
const MAX_PROMPT_LENGTH = 10_000;
cleaned = cleaned.slice(0, MAX_PROMPT_LENGTH);
// 3. Redact known PII patterns (e.g., SSN, credit card)
cleaned = cleaned.replace(/d{3}-d{2}-d{4}/g, "[REDACTED-SSN]");
cleaned = cleaned.replace(/d{4}[- ]?d{4}[- ]?d{4}[- ]?d{4}/g, "[REDACTED-CC]");
// 4. Check for prompt injection patterns
if (detectsInjection(cleaned)) {
throw new SecurityError("Potential prompt injection detected");
}
return cleaned;
}Key principles:
- Never trust user input — always validate and sanitize.
- Enforce strict character and length limits.
- Redact PII before it reaches the API.
- Log rejected inputs for security review.
3.2 Output Security
AI-generated content must be treated as untrusted by default.
function sanitizeOutput(modelResponse: string): string {
// 1. Strip any HTML/script tags to prevent XSS
let safe = modelResponse.replace(/<script[^>]*>[sS]*?</script>/gi, "");
safe = safe.replace(/<[^>]+>/g, "");
// 2. Validate structured output against schema
if (expectingJSON) {
const parsed = JSON.parse(safe);
validateSchema(parsed, expectedSchema);
}
// 3. Check for sensitive data leakage
if (containsSensitivePatterns(safe)) {
auditLog.warn("Model output contained sensitive patterns");
safe = redactSensitive(safe);
}
return safe;
}4. Access Control Architecture
4.1 RBAC Model for AI Platforms
Role Permissions
─────────────────────────────────────────────────────
AI Admin Full access: keys, models, config, logs
AI Developer Create/test prompts, view own usage
AI Reviewer Read-only: review outputs, audit logs
AI Consumer (App) Invoke model via service account only
Billing Admin View cost reports, set budgets
Security Auditor Read all logs, export compliance reports
4.2 Service Account Best Practices
- One service account per application or microservice.
- Rotate credentials every 90 days (or less).
- Bind service accounts to specific IP ranges or VPC endpoints.
- Monitor for anomalous usage patterns per account.
- Immediately revoke compromised credentials.
5. API Key Lifecycle Management
5.1 The Complete Lifecycle
Phase Actions
──────────────────────────────────────────────
Generation Create key in Anthropic dashboard or API
Storage Store in secrets manager, never in code
Distribution Inject via environment variables at runtime
Rotation Rotate every 60-90 days; automate if possible
Monitoring Track usage per key; alert on anomalies
Revocation Immediately revoke on compromise or personnel change
Destruction Remove from all systems after revocation
5.2 Automated Key Rotation
async function rotateApiKey(currentKeyId: string): Promise<void> {
// 1. Generate new key
const newKey = await anthropic.admin.apiKeys.create({
name: `production-${Date.now()}`,
workspace_id: WORKSPACE_ID,
});
// 2. Update secrets manager
await secretsManager.putSecret("ANTHROPIC_API_KEY", newKey.key);
// 3. Verify new key works
await anthropic.messages.create({
model: "claude-sonnet-4-20250514",
max_tokens: 10,
messages: [{ role: "user", content: "ping" }],
});
// 4. Revoke old key
await anthropic.admin.apiKeys.disable(currentKeyId);
// 5. Log rotation event
auditLog.info("API key rotated", { oldKeyId: currentKeyId, newKeyId: newKey.id });
}6. Network Security
6.1 Defense in Depth
Layer your network security controls:
| Layer | Control | Purpose |
|---|---|---|
| Edge | WAF + DDoS protection | Block malicious traffic before it reaches your stack |
| Gateway | API gateway with rate limiting | Throttle requests and enforce authentication |
| Transport | TLS 1.2+ with certificate pinning | Prevent man-in-the-middle attacks |
| Application | Input validation + output sanitization | Prevent injection and data leakage |
| Internal | Private subnets + security groups | Restrict lateral movement |
| Monitoring | IDS/IPS + anomaly detection | Detect and respond to threats |
6.2 Firewall Rules
# Allow outbound HTTPS to Anthropic API only
iptables -A OUTPUT -p tcp --dport 443 -d api.anthropic.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j DROP
# Allow inbound only from your application load balancer
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
7. Logging & Audit Trails
7.1 What to Log
| Event | Required Fields | Retention |
|---|---|---|
| API request sent | Timestamp, user ID, model, token count, request hash | 1 year |
| API response received | Timestamp, status code, latency, token count | 1 year |
| Authentication event | Timestamp, user/service, result, IP address | 2 years |
| Key rotation | Timestamp, old key ID, new key ID, operator | 2 years |
| Policy violation | Timestamp, type, input hash, action taken | 3 years |
| Configuration change | Timestamp, field changed, old/new value, operator | 2 years |
7.2 Structured Logging Example
const auditEntry = {
timestamp: new Date().toISOString(),
eventType: "ai.api.request",
userId: context.userId,
serviceAccount: context.serviceAccount,
model: "claude-sonnet-4-20250514",
inputTokens: usage.input_tokens,
outputTokens: usage.output_tokens,
latencyMs: endTime - startTime,
status: "success",
inputHash: sha256(prompt), // Hash, never raw content
ipAddress: context.clientIP,
traceId: context.traceId,
};
logger.info(auditEntry);Critical rule: Never log raw prompts or responses in production. Log hashes for traceability, store raw content only in encrypted, access-controlled storage with automatic expiration.
8. Incident Response
8.1 AI-Specific Incident Categories
| Category | Severity | Example |
|---|---|---|
| Credential Compromise | P1 - Critical | API key posted on public GitHub |
| Data Leakage | P1 - Critical | PII exposed in model output served to wrong user |
| Prompt Injection Attack | P2 - High | User bypasses guardrails to extract system prompt |
| Service Abuse | P2 - High | Token spend spike indicating unauthorized usage |
| Model Misbehavior | P3 - Medium | Consistent hallucinations in a critical workflow |
| Vendor Outage | P3 - Medium | Anthropic API returns 5xx for extended period |
8.2 Incident Response Runbook
STEP 1 — DETECT
→ Automated alert fires (PagerDuty, Opsgenie, etc.)
→ On-call engineer acknowledges within 15 minutes
STEP 2 — TRIAGE
→ Classify severity (P1 / P2 / P3)
→ Identify blast radius (which users, services affected)
→ Open incident channel and page relevant teams
STEP 3 — CONTAIN
→ P1: Immediately revoke compromised keys
→ P1: Enable kill switch to disable AI features
→ P2: Apply rate limiting or block offending IPs
→ P3: Route traffic to fallback logic
STEP 4 — ERADICATE
→ Root cause analysis
→ Patch vulnerability or misconfiguration
→ Rotate all potentially affected credentials
STEP 5 — RECOVER
→ Gradually re-enable AI features
→ Monitor for recurrence
→ Verify no data was exfiltrated
STEP 6 — POST-MORTEM
→ Document timeline, impact, root cause
→ Update risk register
→ Implement preventive controls
→ Share learnings with organization
9. Vendor Risk Management
9.1 Vendor Assessment Checklist
| Area | Question | Evidence Required |
|---|---|---|
| Data Handling | Does the vendor store request/response data? | Privacy policy, DPA |
| Certifications | SOC 2 Type II, ISO 27001? | Audit reports |
| Data Residency | Where is data processed and stored? | Infrastructure documentation |
| Incident Response | What is the vendor SLA for security incidents? | SLA agreement |
| Subprocessors | Who are the vendor's subprocessors? | Subprocessor list |
| Encryption | What encryption standards are used? | Technical documentation |
| Business Continuity | What is the vendor's disaster recovery plan? | BC/DR documentation |
9.2 Contractual Requirements
Ensure your vendor agreement includes:
- Data Processing Agreement (DPA) with clear data handling terms.
- Zero Data Retention clause if required by your policies.
- Breach notification requirements (e.g., within 72 hours).
- Right to audit the vendor's security controls.
- Data deletion on contract termination.
- Liability caps and indemnification for security breaches.
10. Compliance Mapping
10.1 GDPR (General Data Protection Regulation)
| GDPR Requirement | AI Implementation |
|---|---|
| Lawful basis for processing | Document legal basis for sending user data to AI provider |
| Data minimization | Send only necessary data; redact PII where possible |
| Right to erasure | Ensure vendor supports deletion; enable ZDR |
| Data portability | Export AI interaction logs in machine-readable format |
| Privacy by design | Build PII detection into the data pipeline |
| DPIA required | Conduct Data Protection Impact Assessment for AI features |
| Cross-border transfers | Use inference_geo to control processing location |
10.2 CCPA (California Consumer Privacy Act)
| CCPA Requirement | AI Implementation |
|---|---|
| Right to know | Disclose what data is sent to AI providers |
| Right to delete | Process deletion requests across AI vendor data |
| Right to opt-out | Provide opt-out mechanism for AI-processed features |
| Non-discrimination | Ensure AI features work equally for opt-out users |
| Service provider agreement | Execute CCPA-compliant DPA with AI vendor |
10.3 HIPAA (Health Insurance Portability and Accountability Act)
| HIPAA Requirement | AI Implementation |
|---|---|
| BAA required | Sign Business Associate Agreement with AI vendor |
| PHI safeguards | Never send raw PHI to AI; de-identify first |
| Access controls | RBAC for all systems handling health data + AI |
| Audit controls | Log every AI interaction involving health workflows |
| Transmission security | TLS 1.2+ for all AI API communication |
| Breach notification | Include AI systems in breach notification procedures |
10.4 Compliance Readiness Scorecard
Framework Ready? Score Notes
──────────────────────────────────────────
GDPR [ ] __/7 DPA signed, DPIA completed?
CCPA [ ] __/5 Opt-out mechanism in place?
HIPAA [ ] __/6 BAA signed, PHI de-identified?
SOC 2 [ ] __/5 Audit logs, access controls?
ISO 27001 [ ] __/4 ISMS updated for AI scope?
Summary
Enterprise AI security is not a one-time exercise — it is a continuous process of assessment, hardening, monitoring, and improvement. Use this guide as your living reference:
- Run the pre-deployment checklist before every production launch.
- Score every risk with the risk assessment framework.
- Validate input and output at every boundary.
- Enforce least-privilege access with RBAC and service accounts.
- Automate key rotation and monitor the full lifecycle.
- Harden your network with defense in depth.
- Log everything — but never log raw sensitive data.
- Prepare for incidents with documented runbooks.
- Assess your vendor regularly and maintain contractual protections.
- Map every compliance requirement and maintain audit-ready evidence.