﻿# The AI Defense Matrix is a structured framework for defending AI systems, aligned with NIST CSF 2.0 and extending the Cyber Defense Matrix.
# Source: https://aidefensematrix.com
# © 2026 by Lenny Zeltser and Sounil Yu, licensed under CC BY-SA 4.0.
# https://creativecommons.org/licenses/by-sa/4.0/
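---
# Schema (one list item per AI asset class, i.e. one row of the matrix):
#   id       - slug for the row; presumably the stable key other artefacts
#              reference, so keep existing ids unchanged (confirm with consumer)
#   label    - human-readable name of the asset class
#   theme    - asset-class grouping; values used in this file:
#              devices, apps, networks, data, users
#   govern / identify / protect / detect / respond / recover
#            - the six NIST CSF 2.0 functions; each cell holds
#              category:     free-text description of the capability
#              coverageType: tooling | process | hybrid | cdm-rollup
#                            (the set of values used in this file)
#   "cdm-rollup" only appears on cells whose category reads "Generic ..."
#   (container IR, platform restore, network failover); this looks like
#   coverage inherited from the underlying Cyber Defense Matrix rather than
#   an AI-specific control - verify against the source site before relying
#   on that reading.
# All scalar values are plain strings; category text is kept double-quoted
# because it contains ";" and "," which are harmless here but easy to
# mis-edit into flow syntax if the quotes are dropped.
- id: ai-workload-platforms
  label: AI-Workload Platforms
  theme: devices
  govern:
    category: "AI-platform standards"
    coverageType: hybrid
  identify:
    category: "AI security posture management"
    coverageType: tooling
  protect:
    category: "AI-workload hardening; model-loading supply-chain verification"
    coverageType: tooling
  detect:
    category: "AI-workload runtime detection"
    coverageType: tooling
  respond:
    category: "Generic container IR"
    coverageType: cdm-rollup
  recover:
    category: "Generic platform restore"
    coverageType: cdm-rollup

- id: ai-orchestration-tools
  label: AI Orchestration Tools
  theme: devices
  govern:
    category: "AI application governance"
    coverageType: process
  identify:
    category: "AIBOM for applications; agent-framework discovery"
    coverageType: tooling
  protect:
    category: "System-prompt hardening; plugin allowlisting"
    coverageType: tooling
  detect:
    category: "Prompt-injection testing; agent anomaly detection"
    coverageType: tooling
  respond:
    category: "Agent runtime IR; plugin disable"
    coverageType: hybrid
  recover:
    category: "Framework config; prompt rollback"
    coverageType: hybrid

- id: ai-generated-code
  label: AI-Generated Code
  theme: apps
  govern:
    category: "AI coding standards, code-review policy, license; provenance policy"
    coverageType: process
  identify:
    category: "AI-code provenance; origin tracking"
    coverageType: tooling
  protect:
    category: "AI-aware SAST"
    coverageType: tooling
  detect:
    category: "Hallucinated dependency; insecure-pattern detection"
    coverageType: tooling
  respond:
    category: "PR block; revert of AI-generated commits"
    coverageType: hybrid
  recover:
    category: "Code rewrite; replacement of flagged artifacts"
    coverageType: hybrid

- id: ai-gateways-routers
  label: AI Gateways and Routers
  theme: networks
  govern:
    category: "AI egress policy; approved-service registry"
    coverageType: hybrid
  identify:
    category: "AI traffic discovery"
    coverageType: tooling
  protect:
    category: "AI gateways for egress; MCP gateways for tool gating"
    coverageType: tooling
  detect:
    category: "Anomalous AI traffic; RAG-leakage egress detection"
    coverageType: tooling
  respond:
    category: "AI traffic blocking; shadow AI takedown"
    coverageType: hybrid
  recover:
    category: "Generic network failover"
    coverageType: cdm-rollup

- id: ai-model
  label: AI Model
  theme: data
  govern:
    category: "Model selection; provider evaluation"
    coverageType: process
  identify:
    category: "Model inventory; AIBOM"
    coverageType: tooling
  protect:
    category: "Model firewalls; weight protection"
    coverageType: tooling
  detect:
    category: "Model drift; integrity monitoring"
    coverageType: tooling
  respond:
    category: "Model rollback; provider coordination for consumed models"
    coverageType: hybrid
  recover:
    category: "Model version restore; provider re-selection"
    coverageType: hybrid

- id: training-data
  label: Training Data
  theme: data
  govern:
    category: "Dataset provenance; licensing policy"
    coverageType: process
  identify:
    category: "Dataset inventory; lineage"
    coverageType: tooling
  protect:
    category: "Data access control"
    coverageType: tooling
  detect:
    category: "Poisoning; backdoor detection"
    coverageType: tooling
  respond:
    category: "Dataset quarantine; retraining trigger"
    coverageType: hybrid
  recover:
    category: "Dataset restore from golden copies; model retraining"
    coverageType: hybrid

- id: runtime-ai-data
  label: Runtime AI Data
  theme: data
  govern:
    category: "Prompt; RAG policy, memory-retention governance, interaction-history policy"
    coverageType: process
  identify:
    category: "RAG source; LLM-oversharing inventory"
    coverageType: hybrid
  protect:
    category: "Prompt-injection defense, RAG sanitization, memory-poisoning defense, AI-content DLP"
    coverageType: tooling
  detect:
    category: "Prompt anomaly, jailbreak attempts, RAG leakage, memory tampering"
    coverageType: tooling
  respond:
    category: "Session termination; RAG source isolation"
    coverageType: hybrid
  recover:
    category: "Vector DB restore; re-indexing"
    coverageType: hybrid

- id: ai-agent-identities
  label: AI Agent Identities
  theme: users
  govern:
    category: "AI agent identity policy, authorization standards, OAuth for agents"
    coverageType: process
  identify:
    category: "AI agent; non-human principal inventory"
    coverageType: tooling
  protect:
    category: "Agent OAuth; capability scoping, short-lived credentials"
    coverageType: tooling
  detect:
    category: "Agent behavioral monitoring; runtime authorization drift"
    coverageType: tooling
  respond:
    category: "Credential revocation, agent quarantine, session termination"
    coverageType: hybrid
  recover:
    category: "Agent identity re-provisioning"
    coverageType: hybrid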
