Most enterprises shipping AI today are protected by traditional application security — which was never designed for systems that can be manipulated through the text they read. Before an AI application faces real users and real data, it should pass the twelve controls below.
Print it, assign owners, and treat every unchecked box as a launch blocker.
Layer 1 — Input defense
☐ 1. Prompt injection screening
Every input the model processes — user messages and retrieved content — is scanned for injection patterns before it reaches the model. Keyword filters aren't enough; screening must be semantic. (Full primer: Prompt Injection Attacks: How They Work and How to Stop Them.)
☐ 2. Jailbreak detection
Adversarial prompts designed to bypass model guardrails are detected and blocked, with attempts logged and rate-limited. Attackers iterate; your defenses should see the iteration happening.
☐ 3. Content isolation
Untrusted content (documents, web pages, emails) is clearly demarcated in context, stripped of active instructions, and never concatenated into privileged prompt sections.
Layer 2 — Data protection
☐ 4. Sensitive data redaction
PII, credentials, and confidential records are detected and redacted from prompts before they leave your perimeter for a model provider — and from outputs before they reach users who shouldn't see them.
☐ 5. Data-flow policy
You can state, in writing, which data categories may be sent to which model providers, in which regions — and something in the request path enforces it. A policy PDF nobody can enforce is not a control.
☐ 6. Secrets hygiene
API keys and connection strings never appear in prompts, and model outputs are screened so leaked secrets can't transit through responses. Keys are scoped, rotated, and never shared across teams.
Layer 3 — Access control
☐ 7. User authentication
Every AI interaction is tied to an authenticated user — with enterprise SSO where applicable — so access can be revoked and behavior attributed.
☐ 8. Agent identity
AI agents have their own scoped, revocable identities. An agent that books appointments cannot read financial records. Shared god-mode service keys are this decade's default critical misconfiguration. (Net3 Identity exists for exactly this.)
☐ 9. Least-privilege tool access
Agents get the minimum tools and data each task requires. Blast radius is a design input: assume an injection eventually succeeds and ask what it could reach.
Layer 4 — Output governance
☐ 10. Output moderation
Model responses are screened before delivery: unsafe content, system-prompt leakage, off-policy claims, and sensitive data are caught at the output boundary.
☐ 11. Audit logging
Every prompt, response, policy decision, and blocked event is logged immutably, with retention matching your regulatory requirements. When an auditor asks "what did your AI do and how do you know?", this is the answer. Net3 Monitor treats these trails as first-class.
☐ 12. Continuous scanning
Your AI endpoints are probed regularly for injectable surfaces, exposed model APIs, and permission gaps — by you, before attackers do it for you. Net3 Scan automates this for websites, APIs, cloud infrastructure, and AI deployments.
The architectural shortcut
You can implement all twelve controls app by app — and watch consistency decay with every sprint. Or you can enforce them at the platform layer: one gateway all AI traffic crosses, one policy engine, every application protected by default.
That's the design behind Net3 Shield: injection screening, data redaction, policy enforcement, and moderation applied to every request on the platform, with nothing for individual teams to remember.
The bottom line
AI security isn't a future problem — the attacks are current, cheap, and mostly automated. The twelve controls above are achievable in weeks with the right architecture, and each one you skip is the one that ends up in the incident report. Check the boxes before your users, your data, and your regulator check them for you.