1. Data is the new perimeter
The model is only as secure as the data that feeds it. We recommend organizations shift focus from protecting the model to sanitizing the supply chain. This is where automated discovery and differential privacy can be used to ensure personally identifiable information never becomes part of the model’s memory.
The SAIF Data Controls address risks in data sourcing, management, and use for model training and user interaction, ensuring privacy, integrity, and authorized use throughout the AI lifecycle. Key data security tools on Google Cloud include: Identity and Access Management, access controls for Cloud Storage and BigQuery, Dataplex for data governance, and Vertex AI managed datasets.
2. Treat prompts like code
Once data and infrastructure have been secured, we want to secure the model itself. Models can be attacked directly through malicious inputs (prompts), and their outputs can be manipulated to cause harm. In terms of ease-of-use for threat actors, prompt injection is the new SQL injection.
The SAIF Model Controls are designed to build resilience into the model and sanitize its inputs and outputs to protect against these emerging threats. We recommend that you deploy a dedicated AI firewall (such as Model Armor) to inspect every input for malicious intent and every output for sensitive data leaks before they reach the user. Additional key tools from Google Cloud include: Using Gemini as a guard model and using Apigee as a sophisticated API gateway.
3. Agentic AI requires identity propagation
Moving from chatbots to autonomous or semi-autonomous agents increases the blast radius of a security compromise. To help mitigate the risks of rogue actions and sensitive data disclosure, we strongly advise against using service accounts that have broad access: Any actions taken by AI agents on a user’s behalf should be properly controlled and permissioned, and agents should be instructed to propagate the actual user’s identity and permissions to every backend tool they touch.
SAIF recommends application controls to secure the interface between the end user and the AI model. As described in Google’s Agent Development Kit safety and security guidelines, AI agent developers should carefully consider whether interactions with backend tools should be authorized with the agent’s own identity or with the identity of the controlling user. As we explain in the new SAIF report, it takes several steps to implement user authorization for agents: Front-end authentication, identity propagation, authorization for model context protocol (MCP) and agent-to-agent (A2A) protocol, and IAM for Google Cloud services.
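As an added illustration of the identity-propagation pattern described above (this is not code from the SAIF report or from Google's Agent Development Kit): a toy agent whose tool dispatcher carries the authenticated end user's identity and scopes into every backend tool, so both the agent-level scope gate and the tool's own ownership check run against the user rather than against a broad service account, and every action is attributed to a person in the audit trail. `UserContext`, the tool registry, the scope names and the account records are all assumed or constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UserContext:
    """End-user identity established at front-end authentication (assumed shape)."""
    subject: str
    scopes: frozenset

# Constructed sample backend data; 'owner' drives each tool's own ownership check.
RECORDS = {"acct-1": {"owner": "alice", "balance": 120, "closed": False},
           "acct-2": {"owner": "bob", "balance": 75, "closed": False}}

def _owned(user: UserContext, account_id: str) -> dict:
    """Backend-side check against the propagated user, not the agent's identity."""
    rec = RECORDS[account_id]
    if rec["owner"] != user.subject:
        raise PermissionError(f"{user.subject} does not own {account_id}")
    return rec

def read_balance(user: UserContext, account_id: str) -> int:
    return _owned(user, account_id)["balance"]

def close_account(user: UserContext, account_id: str) -> bool:
    _owned(user, account_id)["closed"] = True
    return True

# Tool registry: each tool declares the scope the *user* must hold to invoke it.
TOOLS = {"read_balance": ("accounts.read", read_balance),
         "close_account": ("accounts.close", close_account)}

class Agent:
    """Carries the user's identity into every tool call and keeps an audit trail."""
    def __init__(self, user: UserContext):
        self.user = user     # propagated from front-end authentication, never a shared SA
        self.audit = []      # (subject, tool, outcome): attributes each action to a person

    def call_tool(self, name: str, **kwargs):
        scope, fn = TOOLS[name]
        if scope not in self.user.scopes:  # gate on the user's scopes, not broad SA rights
            self.audit.append((self.user.subject, name, "denied:scope"))
            raise PermissionError(f"{self.user.subject} lacks scope {scope}")
        try:
            result = fn(self.user, **kwargs)  # identity propagated to the backend tool
        except PermissionError:
            self.audit.append((self.user.subject, name, "denied:tool"))
            raise
        self.audit.append((self.user.subject, name, "ok"))
        return result
```

With a real MCP or A2A backend the `fn(self.user, ...)` call becomes a request that carries the user's token or subject claim, and the audit tuples become structured log events that a detection pipeline can correlate per user.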
Bold and responsible: Building with SAIF
The Secure AI Framework provides a roadmap for navigating the complex security landscape of artificial intelligence. These three key approaches are crucial to SAIF, but there’s more to the framework. Governance controls, assurance controls (including red teaming and vulnerability management) and application controls are critical SAIF components — and a key part of our alignment with Google Cloud’s global-scale security principles and capabilities.
For more information on how your organization can operationalize SAIF, you can read the full report here.
Source Credit: https://cloud.google.com/blog/products/identity-security/cloud-ciso-perspectives-practical-guidance-building-with-saif/
