# The AI Defense Matrix is a structured framework for defending AI systems, aligned with NIST CSF 2.0 and extending the Cyber Defense Matrix.
# Source: https://aidefensematrix.com
# © 2026 by Lenny Zeltser and Sounil Yu, licensed under CC BY-SA 4.0.
# https://creativecommons.org/licenses/by-sa/4.0/
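---
# Schema (one sequence item per matrix row):
#   id        - stable kebab-case key for the row
#   label     - display name of the AI-specific asset class
#   theme     - the Cyber Defense Matrix asset class the row extends; values
#               used in this file: devices, apps, networks, data, users
#   govern, identify, protect, detect, respond, recover
#             - the six NIST CSF 2.0 functions; each cell is a mapping with a
#               single `category` string naming the control category for that
#               asset/function intersection
# NOTE(review): within a cell, capabilities are separated sometimes by ";" and
# sometimes by "," (the ai-generated-code govern cell and the runtime-ai-data
# govern cell use both), so punctuation is not a reliable split point for
# consumers - confirm the intended delimiter with the authors before parsing
# category text.
# NOTE(review): cells whose text starts with "Generic" (container IR, platform
# restore, network failover) appear to mark intersections where no AI-specific
# control exists and the conventional control applies - confirm.
# All values are plain or double-quoted strings; none look like booleans,
# numbers or dates, so no additional quoting is required.

- id: ai-workload-platforms
  label: AI-Workload Platforms
  theme: devices
  govern:   { category: "AI-platform standards" }
  identify: { category: "AI security posture management" }
  protect:  { category: "AI-workload hardening; model-loading supply-chain verification" }
  detect:   { category: "AI-workload runtime detection" }
  respond:  { category: "Generic container IR" }
  recover:  { category: "Generic platform restore" }

- id: ai-orchestration-tools
  label: AI Orchestration Tools
  theme: devices
  govern:   { category: "AI application governance" }
  identify: { category: "AIBOM for applications; agent-framework discovery" }
  protect:  { category: "System-prompt hardening; plugin allowlisting" }
  detect:   { category: "Prompt-injection testing; agent anomaly detection" }
  respond:  { category: "Agent runtime IR; plugin disable" }
  recover:  { category: "Framework config; prompt rollback" }

- id: ai-generated-code
  label: AI-Generated Code
  theme: apps
  govern:   { category: "AI coding standards, code-review policy, license; provenance policy" }
  identify: { category: "AI-code provenance; origin tracking" }
  protect:  { category: "AI-aware SAST" }
  detect:   { category: "Hallucinated dependency; insecure-pattern detection" }
  respond:  { category: "PR block; revert of AI-generated commits" }
  recover:  { category: "Code rewrite; replacement of flagged artifacts" }

- id: ai-gateways-routers
  label: AI Gateways and Routers
  theme: networks
  govern:   { category: "AI egress policy; approved-service registry" }
  identify: { category: "AI traffic discovery" }
  protect:  { category: "AI gateways for egress; MCP gateways for tool gating" }
  detect:   { category: "Anomalous AI traffic; RAG-leakage egress detection" }
  respond:  { category: "AI traffic blocking; shadow AI takedown" }
  recover:  { category: "Generic network failover" }

- id: ai-model
  label: AI Model
  theme: data
  govern:   { category: "Model selection; provider evaluation" }
  identify: { category: "Model inventory; AIBOM" }
  protect:  { category: "Model firewalls; weight protection" }
  detect:   { category: "Model drift; integrity monitoring" }
  respond:  { category: "Model rollback; provider coordination for consumed models" }
  recover:  { category: "Model version restore; provider re-selection" }

- id: training-data
  label: Training Data
  theme: data
  govern:   { category: "Dataset provenance; licensing policy" }
  identify: { category: "Dataset inventory; lineage" }
  protect:  { category: "Data access control" }
  detect:   { category: "Poisoning; backdoor detection" }
  respond:  { category: "Dataset quarantine; retraining trigger" }
  recover:  { category: "Dataset restore from golden copies; model retraining" }

- id: runtime-ai-data
  label: Runtime AI Data
  theme: data
  govern:   { category: "Prompt; RAG policy, memory-retention governance, interaction-history policy" }
  identify: { category: "RAG source; LLM-oversharing inventory" }
  protect:  { category: "Prompt-injection defense, RAG sanitization, memory-poisoning defense, AI-content DLP" }
  detect:   { category: "Prompt anomaly, jailbreak attempts, RAG leakage, memory tampering" }
  respond:  { category: "Session termination; RAG source isolation" }
  recover:  { category: "Vector DB restore; re-indexing" }

- id: ai-agent-identities
  label: AI Agent Identities
  theme: users
  govern:   { category: "AI agent identity policy, authorization standards, OAuth for agents" }
  identify: { category: "AI agent; non-human principal inventory" }
  protect:  { category: "Agent OAuth; capability scoping, short-lived credentials" }
  detect:   { category: "Agent behavioral monitoring; runtime authorization drift" }
  respond:  { category: "Credential revocation, agent quarantine, session termination" }
  recover:  { category: "Agent identity re-provisioning" }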
