Table of Contents

Click Here to Return To the CompTIA SecAI+ Course Page

Securing AI Systems is 40% of the CompTIA SecAI+ (CY0-001) exam, making it the most heavily weighted domain by far. This module covers how you protect models, their data, and the applications around them from a new class of adversarial attacks. Spend the bulk of your study time here. Master the threat names and the control that stops each one.

AI systems expand the attack surface. The model, the training data, the prompts, the outputs, and the agents that act on those outputs are all targets. You defend each layer with controls built for AI, not just the network controls you already know.

AI Security Frameworks

You do not invent AI risk from scratch. You map your defenses to published frameworks.

FrameworkWhat it provides
OWASP LLM Top 10The most critical security risks for LLM applications
OWASP ML Security Top 10The top risks for machine learning systems
MITRE ATLASAdversary tactics and techniques against AI systems
MIT AI Risk RepositoryA catalog of documented AI risks
CVE AI Working GroupAn effort to standardize how AI vulnerabilities are catalogued

MITRE ATLAS mirrors ATT&CK but for AI, so the tactics-and-techniques mindset you already have transfers directly.

Access Control for AI

You restrict who and what can reach each part of the system. The objective lists five distinct surfaces:

  • Endpoint access control restricts which clients can reach an AI service endpoint.
  • Model access control restricts who may query, modify, or download a model.
  • Data access control restricts who may read or change the data a model uses.
  • Agent access control restricts what actions an autonomous agent may perform.
  • API access control authenticates and restricts calls to an AI application interface.

Data Protection

You protect data in all three states and reduce how much sensitive data the model ever sees.

StateControl
In transitEncryption while data moves across a network
At restEncryption for stored data
In useEncryption while data is being processed

You also de-risk the data itself:

  • Anonymization removes identifiers so data cannot be linked to a person.
  • Redaction permanently removes sensitive content.
  • Masking hides sensitive values with substitute characters while preserving format.
  • Minimization collects and keeps only the data that is strictly needed.
  • A data classification label tags data by its sensitivity level.

Runtime Guardrails

You wrap the live model in controls that bound what it accepts and produces:

  • Model guardrails keep outputs within safe boundaries.
  • A prompt firewall inspects and filters prompts before they reach the model.
  • Rate limiting caps how many requests a client may send in a time window.
  • A token limit caps the tokens allowed per request or response.
  • An input quota limits the size or quantity of data a client may submit.
  • A modality limit restricts which input types such as text, image, or audio are accepted.

Monitoring and Cost Control

You watch the system continuously and protect the evidence it produces:

  • Prompt monitoring inspects queries and responses for abuse or policy violations.
  • Log sanitization strips sensitive data from logs before storage.
  • Log protection secures logs against tampering and unauthorized access.
  • A response confidence level reflects how certain the model is about an answer, which helps catch a hallucination, a confident but false output.
  • AI cost monitoring tracks spend on prompts, storage, processing, and responses so a model denial-of-service attack does not run up a huge bill unnoticed.
  • Bias and fairness auditing reviews outputs for unfair or discriminatory behavior.

Adversarial Attacks

This is the heart of the domain. You must recognize each attack and the layer it targets.

AttackWhat the attacker does
Prompt injectionCrafts input that overrides the model’s intended instructions
JailbreakingBypasses safety guardrails to elicit prohibited output
Data poisoningCorrupts training data to bias or sabotage the model
Model poisoningTampers with model parameters or training to corrupt behavior
Backdoor attackHides a trigger that produces attacker-chosen behavior
Trojan attackEmbeds malicious behavior inside an otherwise normal model
Model inversionReconstructs sensitive training data from model outputs
Model theftExtracts or copies a proprietary model through repeated queries
Membership inferenceDetermines whether a specific record was in the training data
AI supply chain attackCompromises third-party models, datasets, or libraries

Application-Layer Risks

The application around the model adds its own risks:

  • Insecure output handling trusts model output without validation, enabling downstream attacks such as cross-site scripting or command injection.
  • Excessive agency grants an agent more autonomy or permissions than it needs.
  • Model denial of service overloads a model with costly requests to exhaust resources.

Treat every model output as untrusted input to the next system. That single habit closes a large share of LLM application vulnerabilities.

Next Steps

With AI systems defended, continue to AI-assisted Security to turn AI into a defensive tool, then AI Governance, Risk, and Compliance to manage it responsibly. Review the foundations in Basic AI Concepts and return to the CompTIA SecAI+ Course .