# AI Defense Matrix

The AI Defense Matrix is a structured framework for defending AI systems. Each row is an AI-specific asset class. Columns are NIST CSF 2.0 functions. Cells show the AI-specific control category, objective, or representative tooling for each intersection.

| Asset Class | Govern | Identify | Protect | Detect | Respond | Recover |
| --- | --- | --- | --- | --- | --- | --- |
| ***AI-Workload Platforms*** | AI-platform standards | AI security posture management | AI-workload hardening; model-loading supply-chain verification | AI-workload runtime detection | Generic container IR | Generic platform restore |
| ***AI Orchestration Tools*** | AI application governance | AIBOM for applications; agent-framework discovery | System-prompt hardening; plugin allowlisting | Prompt-injection testing; agent anomaly detection | Agent runtime IR; plugin disable | Framework config; prompt rollback |
| ***AI-Generated Code*** | AI coding standards; code-review policy; licensing and provenance policy | AI-code provenance; origin tracking | AI-aware SAST | Hallucinated-dependency detection; insecure-pattern detection | PR block; revert of AI-generated commits | Code rewrite; replacement of flagged artifacts |
| ***AI Gateways and Routers*** | AI egress policy; approved-service registry | AI traffic discovery | AI gateways for egress; MCP gateways for tool gating | Anomalous AI traffic; RAG-leakage egress detection | AI traffic blocking; shadow AI takedown | Generic network failover |
| ***AI Model*** | Model selection; provider evaluation | Model inventory; AIBOM | Model firewalls; weight protection | Model drift; integrity monitoring | Model rollback; provider coordination for consumed models | Model version restore; provider re-selection |
| ***Training Data*** | Dataset provenance; licensing policy | Dataset inventory; lineage | Data access control | Poisoning and backdoor detection | Dataset quarantine; retraining trigger | Dataset restore from golden copies; model retraining |
| ***Runtime AI Data*** | Prompt and RAG policy; memory-retention governance; interaction-history policy | RAG source inventory; LLM-oversharing inventory | Prompt-injection defense; RAG sanitization; memory-poisoning defense; AI-content DLP | Prompt anomalies; jailbreak attempts; RAG leakage; memory tampering | Session termination; RAG source isolation | Vector DB restore; re-indexing |
| ***AI Agent Identities*** | AI agent identity policy; authorization standards; OAuth for agents | AI agent and non-human principal inventory | Agent OAuth; capability scoping; short-lived credentials | Agent behavioral monitoring; runtime authorization drift | Credential revocation; agent quarantine; session termination | Agent identity re-provisioning |

---

**Source:** https://aidefensematrix.com

© 2026 by [Lenny Zeltser](https://zeltser.com) and [Sounil Yu](https://www.linkedin.com/in/sounil), licensed under [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/).
