Update: Secure AI/ML Model Ops Cheat Sheet

[maheshkukreja]

What is missing or needs to be updated?

Quite a few suggestions, need inputs on how to best handle things - should we break it into multiple cheatsheets or maintain a single cheatsheet?

• RAG infrastructure security not covered (vector DB isolation, retrieval pipeline hardening, index integrity)
• Vector/Embedding weaknesses missing (inversion, poisoning, cross-tenant leakage in vector DBs)
• Unbounded consumption / denial-of-wallet not addressed (runaway chains, token floods, recursion)
• Model supply-chain gaps (unsafe deserialization/pickle, model-malware scanning, provenance)
• Privacy/extraction testing absent (training-data extraction, embedding inversion; unlearning playbooks)
• Compliance mapping outdated (NIST GenAI Profile, ISO/IEC 42001, EU AI Act timelines)
• Hardware/runtime isolation absent (GPU tenancy, device-memory scrubbing, sandboxing)

How should this be resolved?

• Add "RAG Infrastructure Security": vector DB tenant isolation, retrieval pipeline hardening, index integrity controls, trust boundary enforcement
• Add "Vector & Embedding Security": treat embeddings as sensitive; tenant-scoped namespaces; RBAC/MAC; encryption in transit/at rest; bulk-export limits; outlier/poison detection; hybrid retrieval & diversity controls
• Expand "Inference API Security" with Unbounded Consumption: per-tenant budgets; token/output caps; recursion/chain-depth limits; kill-switches; real-time cost telemetry & alerts
• Strengthen "Model Storage & Artifacts": prefer safetensors; block unsafe deserialization; pre-ingest malware scanning; signature & hash pinning; registry provenance
• Enhance "Monitoring & Logging": security telemetry (tokens, tool calls, outbound domains, IPI indicators); privacy-first logging/redaction; retention & purge workflows
• Expand "Incident Response & Governance": periodic extraction/inversion tests; unlearning/rollback procedures; map controls to NIST AI-600-1 & ISO/IEC 42001; note EU AI Act milestones
• Add "Hardware & Runtime Isolation": avoid cross-tenant GPU sharing on affected devices; device-memory scrubbing; microVM/gVisor sandboxing; confidential compute where available

[kwwall]

I'm personally leaning towards multiple cheat sheets, with perhaps a master AI/ML cheat sheet providing a topical overview and then linking to all the others.

[Prasad-JB]

I agree with @kwwall — splitting into multiple cheat sheets seems more maintainable in the long term, especially since the scope here (RAG infra, embeddings, supply-chain, runtime, compliance, etc.) is expanding very quickly.

Maybe we could structure it like this:

• Master AI/ML Security Cheat Sheet → high-level overview + links to others
• RAG Infrastructure Security → vector DB isolation, retrieval pipeline hardening, poisoning/index integrity
• Embedding & Vector Security → inversion/poisoning, tenant scoping, RBAC/MAC, encryption, diversity controls
• Model Ops & Supply Chain Security → storage, artifact provenance, deserialization, safetensors, malware scanning
• Inference API & Resource Management → denial-of-wallet, runaway chains, recursion limits, telemetry, budget caps
• Privacy, Extraction & Compliance → unlearning, extraction testing, compliance mapping (NIST, ISO, EU AI Act)
• Hardware & Runtime Isolation → GPU tenancy, memory scrubbing, sandboxing, confidential compute

This way, contributors can work in parallel on focused sections without the risk of one mega-cheatsheet becoming unmanageable.

Happy to help draft a first cut of the "RAG Infrastructure Security" and "Embedding Security" sections if we move forward with this structure.

[jmanico]

In order to keep these "cheats" I'd prefer several small cheatsheets vs one large one or a group of large ones. Smaller cheatsheets are much easier to maintain and keep up to date!

[imaPheven]

As someone who would be more on the consumer side of AI and cheatsheet's, I am wondering if anyone has considered topics related to Agentic AI. For example, OpenAI's codex and in particular the Local shell tool brings some powerful potential capabilities into the developer environment. However, over time more agentic tools will be coming along that could be more general purpose focused. I have done some searching but haven't found much in OWASP referencing these types of tools.

[jmanico]

We are just starting to work on AI cheetsheets. I hope to see a dozen or more next by next year. We are open to your proposals!

[Prasad-JB]

Thanks everyone for the input.

Since there seems to be agreement on splitting this into smaller cheat sheets, I can take a first stab at drafting a couple of them. starting with RAG Infrastructure Security and Embedding & Vector Security. That should help us see if the split format works well before expanding into the other areas.

would you prefer I open separate issues for each of these, or just keep working under this one until we settle on the structure?