Day 1: AI Security Foundations & Data Protection
Focus: Understanding the threat landscape, the six-layer security blueprint, and securing the data layer — RAG pipelines, context boundaries, and prompt defenses.
Session 1: The AI Security Landscape & Blueprint Framework
Presentation Topics:
- Why AI security is fundamentally different from traditional application security
- Real-world AI security incidents and the architectural failures behind them
- The current state: 97% of breached organizations had no proper AI controls
- Investment vs. governance reality — the implementation gap
- OWASP Top 10 for LLM Applications (2025 Edition)
- Guardrails and policy enforcement: what fails vs. what works
- Introduction to the six-layer Enterprise AI Security Blueprint
- Policy-driven AI: how the policy engine decides (ALLOW, TRANSFORM, ESCALATE, DENY)
- The core principle: prompts guide behavior, platforms enforce behavior
Hands-On Labs:
- Lab 1: AI Threat Modeling with OWASP Top 10 — Map a realistic enterprise AI scenario to OWASP LLM risk categories and identify missing controls
- Lab 2: Policy Engine Decision Making — Build and test a policy engine that routes AI requests through ALLOW/TRANSFORM/ESCALATE/DENY decisions
Session 2: RAG Security Deep Dive
Presentation Topics:
- How RAG systems work and why they expand the attack surface
- The document poisoning threat: data poisoning, social engineering, prompt injection via documents
- Anatomy of a poisoned document — three attack techniques
- How the attack works: from poisoned chunk to compromised answer
- Defense architecture: defense in depth with two security checkpoints
- Key defenses: source allowlists, injection pattern detection, relevance filtering
- Output scanning as a safety net
- RAG-specific attack vectors: poisoned indices, retrieval manipulation, citation spoofing
- Database tampering detection with cryptographic integrity verification
- RAG corpus governance: corpus tiers and sanitization
Hands-On Labs:
- Lab 3: RAG Attack — Exploiting a Vulnerable System — Build a poisoned vector database and observe how a vulnerable RAG system serves phishing URLs and social engineering attacks to users
- Lab 4: RAG Defense — Building Security Hardening — Implement a SecurityGuard class with source allowlists, injection detection, relevance filtering, and output scanning, then verify attacks are blocked
Session 3: Context Isolation & Data Boundaries
Presentation Topics:
- Context as a tool and risk — what the AI model sees and why it matters
- Layer 2 deep dive: context isolation and data boundaries
- The three data boundary rules: minimum context, justified PII, absolute tenant boundaries
- Data classification and sensitivity tag propagation
- PII tokenization — replacing sensitive fields with reversible tokens
- DLP for AI — filtering and redacting sensitive patterns
- The data redaction pipeline: masking, tokenization, hashing
- Multi-tenant isolation — the anti-pattern and the correct architecture
- Retrieval security as a five-step chain
- The transformation: unguarded vs. blueprint-aligned
Hands-On Labs:
- Lab 5: PII Detection & Tokenization Pipeline — Build a pipeline that detects PII (SSNs, credit cards, emails, phone numbers) in AI context and replaces them with reversible tokens
- Lab 6: Multi-Tenant Context Isolation — Demonstrate cross-tenant data leakage in a vulnerable system, then implement tenant-scoped retrieval with boundary enforcement
Session 4: Prompt Injection Defenses
Presentation Topics:
- Layer 3 deep dive: prompt injection — #1 on OWASP Top 10 for LLMs
- Direct injection: user-crafted malicious prompts
- Indirect injection: hidden instructions in retrieved content, emails, web pages
- The injection attack flow and defense stack
- Four defense techniques: input sanitization, canary tokens, output validation, behavioral boundaries
- Live walkthrough: indirect injection in a RAG system — attack and defense
- Reducing and mediating untrusted content before it reaches the model
- The instruction hierarchy: system > user > retrieved content
- Defense in depth — no single technique is sufficient
- Connecting Layers 1–3: how identity, context isolation, and prompt defenses work together
Hands-On Labs:
- Lab 7: Direct Prompt Injection — Attack & Defense Patterns — Test various injection attack patterns against a vulnerable chatbot, then implement layered input validation with regex detection, behavioral boundaries, and output scanning
- Lab 8: End-to-End Security Pipeline — Combine all Day 1 concepts into an integrated security pipeline that enforces source validation, PII tokenization, injection detection, and output scanning on a RAG-powered application
Day 2: Agent Security, MCP, & Enterprise Operations
Focus: Securing AI agents and tool integrations, implementing governance and audit controls, building operational readiness, and creating an enterprise implementation roadmap.
Session 1: Agent Security Patterns & Defense
Presentation Topics:
- AI agent architecture: chatbots, copilots, and autonomous agents
- The supervisor multi-agent pattern — a common enterprise architecture
- Budget enforcement: per-agent turn limits and token caps
- Handoff packets vs. full transcripts — reducing token spend
- Practical cost control for agentic workflows
- Agent threat model: goal hijacking, tool misuse, privilege escalation, data exfiltration
- The four vulnerabilities: tool over-provisioning, no input validation, weak system prompts, no output validation
- Defense layers: security logging, least privilege, input validation, hardened prompts, output validation
- Why defense in depth matters for agents — no single layer is sufficient
Hands-On Labs:
- Lab 1: Supervisor Multi-Agent Pattern with Budget Enforcement — Build a three-agent supervisor workflow (Planner, Implementer, Reviewer) with per-agent turn limits and token budgets, then test how budget constraints prevent runaway coordination
- Lab 2: Securing Agents Against Manipulation — Observe data exfiltration and email impersonation attacks against a vulnerable enterprise agent, then build a five-layer defense with security logging, least privilege, input validation, hardened prompts, and output scanning
Session 2: MCP Security & Tool Integration
Presentation Topics:
- MCP (Model Context Protocol) overview and enterprise security implications
- Tool isolation and sandboxing — one of the most underappreciated AI security dimensions
- The threat model: prompt injection → tool misuse → real-world impact
- Authentication for MCP: JWT tokens, client credentials, authorization servers
- Authorization: per-tool scopes — controlling which tools each client can invoke
- Defense-in-depth for MCP: rate limiting, input validation, output sanitization, audit logging
- Six tool isolation controls: sandboxed execution, network egress, file-system scoping, secret handling, resource limits, audit
- Building a complete MCP security architecture
Hands-On Labs:
- Lab 3: MCP Authentication, Authorization & Per-Tool Scopes— Set up a JWT authorization server, configure per-tool scopes for different clients, and verify that scope enforcement blocks unauthorized tool access
- Lab 4: MCP Defense in Depth — Rate Limiting, Validation & Sanitization — Add rate limiting, input validation (SQL injection, XSS, path traversal), output sanitization (SSN/card/password redaction), and audit logging to an MCP server
Session 3: Model Governance, Audit & Compliance
Presentation Topics:
- Layer 4: Model governance pipeline — from shadow AI to governed deployments
- The shadow AI problem and triage strategies
- Six governance lifecycle stages: selection, evaluation, approval, deployment, monitoring, retirement
- Model registry: version tracking, compliance status, usage policies, expiration dates
- Model cards as documentation backbone
- Governance gates and CI/CD integration
- Supply chain and vendor risk — OWASP #3 for LLMs
- Layer 5: Audit trails and observability
- Evidence-quality logging vs. debugging logs
- Structured, privacy-safe audit log design
- Audit maturity ladder: from no trails to comprehensive observability
- Compliance landscape: EU AI Act, NIST AI RMF, ISO 42001
Hands-On Labs:
- Lab 5: Model Registry & Governance Gates — Build a model registry with approval workflows, version tracking, risk classification, and expiration enforcement, then test governance gate decisions
- Lab 6: Structured Audit Trails for AI Systems — Implement a comprehensive audit logging system that captures identity, actions, security events, tool invocations, and cost data in structured, searchable JSON format
Session 4: Operational Controls, Implementation & Capstone
Presentation Topics:
- Layer 6: Operational controls — observable, throttleable, stoppable
- Kill switches: instant shutdown for misbehaving AI agents
- Rate limiting: per-tenant, per-model limits with cost caps
- Canary deployments: AI-specific quality metrics and automatic rollback
- Human oversight patterns: four tiers from fully automated to multi-party approval
- Risk-based routing and confidence-based escalation
- Security testing and red teaming for AI systems
- Governance operating model (RACI): who owns what
- Implementation roadmap: Phase 0 through Phase 3
- The Monday morning checklist — eight steps for minimum viable AI security
- The road ahead: NIST AI Agent Standards, EU AI Act enforcement, agentic AI security
- Five questions every AI team should answer
Hands-On Labs:
- Lab 7: Operational Controls — Kill Switches & Cost Caps — Implement a runtime control plane with instant kill switch, per-tenant rate limiting, cost tracking with budget caps, and automated alerting
- Lab 8: Capstone — Enterprise AI Security Assessment — Apply the full six-layer blueprint to assess a realistic enterprise AI deployment, identify gaps, design controls, and produce a prioritized remediation plan
