AI SECURITY ENGINEERING HANDBOOK · 2026
The study companion for AI Security Engineering.
A structured reference for learning the fourteen-domain discipline: inventory, architecture, threat modeling, prompt injection, RAG authorization, agent controls, data exposure, provider risk, supply chain, telemetry, detection, incident response, evaluation, and governance evidence.
Study Path
14 chapters mapped to 14 AIPSA diagnostic domains, plus a field-kit appendix.
The Handbook supports training, diagnostic preparation, scorecards, interviews, and role-readiness evaluation. It does not guarantee credential outcomes.
How to use it
Study the discipline before you apply the playbook.
1. Read sequentially if you are new to AI security.
2. Use chapters 3-7 for application, context, retrieval, agent, and data-risk preparation.
3. Use chapters 8-12 for provider, supply-chain, telemetry, detection, and incident-response preparation.
4. Use the appendix for templates and field-kit references.
5. Pair with the Field Guide when you need practitioner actions and checklists.
Handbook vs Field Guide
The Handbook teaches the model. The Field Guide applies it.
Handbook
- teaches concepts
- defines vocabulary
- explains roles
- supports training and assessment
- gives a study path
- organizes the discipline
Field Guide
- applies the concepts
- gives practitioner checklists
- supports engagement delivery
- maps controls and artifacts
- helps execute work in real systems
Chapter Spine
Fourteen chapters organized as curriculum and readiness preparation.
Chapter 01
AI System Inventory
What you learn
How to define AI systems, enumerate model and provider dependencies, assign ownership, tier risk, and keep inventory current.
Why it matters
Every control, review, incident response action, and governance claim depends on knowing which AI systems exist and who owns them.
Study outcomes
- Explain what belongs in an AI system inventory.
- Describe risk tiering criteria for AI-enabled systems.
- Connect inventory records to release gates and evidence.
Domains: AI Security Foundations
Field Guide: Field Guide foundations
Workbench: Threat Canvas, Surface Scanner
Services: Enterprise AI Security Readiness
Chapter 02
Architecture and Trust Boundaries
What you learn
How to read AI architecture maps, identify trust zones, classify components, and distinguish data, authority, and evidence flows.
Why it matters
Teams cannot reason about AI risk until they know where trust changes and which boundary enforces the decision.
Study outcomes
- Map model, app, retrieval, tool, identity, provider, and telemetry boundaries.
- Explain how AI trust boundaries differ from ordinary application diagrams.
- Identify which evidence belongs to each boundary.
Domains: LLM Application Security, Secure AI Architecture Design
Field Guide: LLM application security
Workbench: Threat Canvas
Services: AI Product Security Assessment
Chapter 03
Threat Modeling
What you learn
How to adapt threat modeling to AI systems, including context, retrieval, tools, providers, telemetry, and governance evidence.
Why it matters
AI threat modeling is how abstract risk becomes system-layer questions and evidence-backed decisions.
Study outcomes
- Identify AI-specific assets, attackers, abuse paths, and trust changes.
- Translate threat model findings into controls and release decisions.
- Use careful evidence language for uncertain AI behavior.
Domains: Prompt Injection and Context Security, AI-Aware Secure SDLC
Field Guide: Prompt injection and context security
Workbench: Threat Canvas, Authority Graph
Services: AI Product Security Assessment
Chapter 04
Prompt Injection
What you learn
Direct and indirect prompt injection, context authority tiers, orchestrator enforcement, regression suites, and prompt boundary evidence.
Why it matters
Prompt injection matters when untrusted content can influence model behavior, tool use, retrieved context, or user-facing decisions.
Study outcomes
- Explain context as an attack surface.
- Distinguish model-level refusal from application-level enforcement.
- Describe regression coverage for prompt, model, and retrieval changes.
Domains: Prompt Injection and Context Security
Field Guide: Prompt injection and context security
Workbench: Adversarial Range, RAG Test Harness
Services: AI Product Security Assessment
Chapter 05
RAG Authorization
What you learn
Retrieval authorization, tenant filtering, chunk metadata, permission propagation, citation integrity, and retrieval evidence.
Why it matters
RAG systems fail when retrieval is treated as search rather than an authorization and provenance boundary.
Study outcomes
- Explain why authorization must happen before context assembly.
- Reason about stale permissions, poisoning, tenant isolation, and citations.
- Identify retrieval evidence needed for assurance and incident response.
Domains: RAG Security
Field Guide: RAG security
Workbench: RAG Test Harness, Runtime Proxy
Services: AI Product Security Assessment
Chapter 06
Agentic Permissions
What you learn
Delegated action security: tool scope, runtime authorization, approvals, action logs, rollback, and blast radius.
Why it matters
Agent security begins when model-mediated output can trigger actions in real systems.
Study outcomes
- Classify tool permissions and side effects.
- Explain why approvals require context and runtime enforcement.
- Reason about action chains, identity, auditability, and rollback.
Domains: Agent Security
Field Guide: Agent security
Workbench: Authority Graph, Adversarial Range
Services: AI Product Security Assessment
Chapter 07
Data Exposure and Privacy
What you learn
Prompt, embedding, log, memory, output, and vendor data flows, with privacy controls and evidence expectations.
Why it matters
AI features can move sensitive data into new contexts faster than privacy and security processes detect.
Study outcomes
- Identify sensitive data paths in AI workflows.
- Explain minimization, retention, logging, and deletion evidence.
- Connect privacy obligations to engineering controls.
Domains: Privacy and Data Protection in AI Systems
Field Guide: Privacy and data protection
Workbench: Runtime Proxy, AI Control Crosswalk
Services: AI Product Security Assessment
Chapter 08
Model and Provider Risk
What you learn
Hosted model API risk, vendor assessment scope, provider-side updates, retention terms, incident obligations, and dependency evidence.
Why it matters
A managed model dependency can change behavior, data handling, availability, and assurance posture outside the application team's release process.
Study outcomes
- Separate model behavior risk from provider security risk.
- Identify vendor evidence needed for hosted AI dependencies.
- Explain why model updates require monitoring and change review.
Domains: Vendor Risk and AI Procurement, Model Supply Chain Security
Field Guide: Red teaming and adversarial evaluations
Workbench: Trust Scanner, AI Control Crosswalk
Services: Product Security Baseline
Chapter 09
AI Supply Chain
What you learn
Model artifact integrity, dataset provenance, fine-tuning pipeline security, registry controls, adapters, and promotion gates.
Why it matters
AI supply chain risk spans code, packages, datasets, model weights, registries, providers, and serving platforms.
Study outcomes
- Trace model artifacts from source to production use.
- Identify intake, integrity, license, registry, and rollback evidence.
- Reason about unsafe formats, public hubs, and adapter risk.
Domains: Model Supply Chain Security
Field Guide: Model supply chain security
Workbench: Artifact Analyzer
Services: AI Product Security Assessment
Chapter 10
Logging and Telemetry
What you learn
Prompt context logs, retrieval traces, tool-call records, model versions, output logs, evidence retention, and telemetry completeness.
Why it matters
AI incidents, eval findings, and governance claims collapse when teams cannot reconstruct what happened.
Study outcomes
- Name the telemetry required for AI detection, forensics, and evidence.
- Explain log minimization and sensitive-data handling tradeoffs.
- Connect telemetry fields to investigations and control proof.
Domains: Incident Response and AI Observability
Field Guide: AI governance, risk, and compliance
Workbench: Runtime Proxy, Scorecard diagnostic
Services: AI Security Operating Model
Chapter 11
Detection Engineering
What you learn
Control-failure mapping, behavioral baselines, prompt injection signals, retrieval anomalies, agent action outliers, and alert feedback loops.
Why it matters
Detection work must start from the AI control that can fail, not from generic security logs.
Study outcomes
- Map AI failure modes to observable signals.
- Explain coverage, alert quality, and false-positive tradeoffs.
- Connect detection findings to incident response and regression testing.
Domains: Incident Response and AI Observability, Red Teaming and Adversarial Evaluations
Field Guide: Red teaming and adversarial evaluations, Incident response and observability
Workbench: Runtime Proxy, Adversarial Range
Services: AI Red Team & Adversarial Testing
Chapter 12
Incident Response
What you learn
AI incident classification, context-chain reconstruction, containment actions, forensic evidence, and post-incident control improvement.
Why it matters
AI incidents often involve prompt, retrieval, tool, model, provider, and telemetry layers at the same time.
Study outcomes
- Classify AI incidents by failure class and affected boundary.
- Explain containment options for retrieval, agents, providers, and prompts.
- Describe the evidence needed to reconstruct an AI incident.
Domains: Incident Response and AI Observability
Field Guide: Incident response and observability
Workbench: Runtime Proxy, Threat Canvas
Services: AI Security Operating Model
Chapter 13
Evaluation and Regression Testing
What you learn
Eval suite design, severity rubrics, red-team scope, regression conversion, release gates, and closure evidence.
Why it matters
Evals become security evidence only when they map to misuse cases, controls, and release decisions.
Study outcomes
- Describe the difference between demos, evals, red teaming, and regression tests.
- Explain how findings become closure and release evidence.
- Use severity and coverage language without overclaiming.
Domains: Red Teaming and Adversarial Evaluations
Field Guide: Vendor risk and procurement
Workbench: Adversarial Range, Training path
Services: AI Red Team & Adversarial Testing
Chapter 14
Governance Evidence and Customer Trust
What you learn
Governance-to-engineering translation, control ownership, evidence taxonomy, framework mapping, release gates, and claim-readiness.
Why it matters
AI governance without engineering evidence is not an operating model and cannot support buyer-facing assurance.
Study outcomes
- Translate governance expectations into engineering artifacts.
- Explain evidence freshness, owner accountability, and claim-readiness.
- Separate policy language from controls that operate.
Domains: AI Governance, Risk, and Compliance, Vendor Risk and AI Procurement
Field Guide: AI governance, risk, and compliance
Workbench: Trust Scanner, AI Control Crosswalk
Services: Enterprise AI Security Readiness, AI Security Operating Model
Chapter 15
Field Kit and Templates
What you learn
Reusable templates for scope, control maps, threat models, RAG review, agent blast radius, model intake, evals, and evidence.
Why it matters
Templates give learners a way to practice the vocabulary and artifacts before applying the Field Guide in real systems.
Study outcomes
- Recognize the purpose of each field-kit artifact.
- Choose the right template for a study or readiness scenario.
- Pair templates with the Field Guide when execution detail is needed.
Domains: All 14 AIPSA diagnostic domains
Field Guide: Field Guide 2026
Workbench: Program Blueprint Kit, Training path
Services: AI Product Security Assessment, AI Security Operating Model
14-domain alignment
Mapped to AIPSA domains without replacing the Field Guide.
| Handbook chapter | Related domain(s) | Learner outcome | Applied next step |
|---|---|---|---|
| Chapter 1: AI System Inventory | AI Security Foundations | Build the system record that anchors later control, testing, evidence, and incident work. | Field Guide foundations |
| Chapter 2: Architecture and Trust Boundaries | LLM Application Security, Secure AI Architecture Design | Read and critique an AI architecture map as a security artifact. | LLM application security |
| Chapter 3: Threat Modeling | Prompt Injection and Context Security, AI-Aware Secure SDLC | Turn an AI architecture into a threat model with controls, assumptions, and evidence needs. | Prompt injection and context security |
| Chapter 4: Prompt Injection | Prompt Injection and Context Security | Explain how prompt injection becomes a product security failure and how controls should be evidenced. | Prompt injection and context security |
| Chapter 5: RAG Authorization | RAG Security | Evaluate whether retrieval boundaries preserve authorization, provenance, and auditability. | RAG security |
| Chapter 6: Agentic Permissions | Agent Security | Explain delegated authority and identify the controls required before agentic workflows act. | Agent security |
| Chapter 7: Data Exposure and Privacy | Privacy and Data Protection in AI Systems | Trace AI data exposure and name the controls that produce privacy evidence. | Privacy and data protection |
| Chapter 8: Model and Provider Risk | Vendor Risk and AI Procurement, Model Supply Chain Security | Evaluate model-provider dependency risk without treating vendor assurances as operating controls. | Red teaming and adversarial evaluations |
| Chapter 9: AI Supply Chain | Model Supply Chain Security | Reason about artifact provenance, promotion, and rollback before deployment. | Model supply chain security |
| Chapter 10: Logging and Telemetry | Incident Response and AI Observability | Design logs that support security decisions without creating uncontrolled data exposure. | AI governance, risk, and compliance |
| Chapter 11: Detection Engineering | Incident Response and AI Observability, Red Teaming and Adversarial Evaluations | Explain how AI control failures become detection logic and response evidence. | Red teaming and adversarial evaluations, Incident response and observability |
| Chapter 12: Incident Response | Incident Response and AI Observability | Reconstruct an AI incident from traces and convert lessons into control improvements. | Incident response and observability |
| Chapter 13: Evaluation and Regression Testing | Red Teaming and Adversarial Evaluations | Explain how evaluation work becomes decision-grade evidence and regression coverage. | Vendor risk and procurement |
| Chapter 14: Governance Evidence and Customer Trust | AI Governance, Risk, and Compliance, Vendor Risk and AI Procurement | Connect governance language to controls, owners, telemetry, evidence, and buyer-ready claims. | AI governance, risk, and compliance |
| Chapter 15: Field Kit and Templates | All 14 AIPSA diagnostic domains | Use the field kit as a study aid and artifact reference, not as a substitute for applied review. | Field Guide 2026 |
Study outcomes
By the end, readers should be able to explain and evaluate the discipline.
- Define the fourteen AIPSA-aligned AI security engineering domains.
- Map AI systems, trust boundaries, context paths, retrieval paths, tool authority, providers, telemetry, and evidence.
- Explain prompt injection, RAG authorization, agentic permissions, data exposure, and model supply-chain risk as product-security concerns.
- Connect detection, incident response, evaluation, and regression testing to operating controls.
- Translate governance and buyer-facing claims into owners, controls, artifacts, and evidence without overclaiming.
Access
The full Handbook is available as a PDF download (5.9 MB).
Sponsorship
Own a measured market gap
Sponsor support is separated from methodology, scoring, findings, chart outputs, and editorial conclusions.