
AI Security Assessment


Purpose: Identify and evaluate security risks specific to AI systems, covering data security, model security, infrastructure security, and operational security. This template addresses both traditional IT security and AI-specific threats.
At a Glance
  • Time to complete: 4-8 hours depending on system complexity
  • Who should participate: Security team, Data scientists, System owners
  • Output: Risk ratings, findings, and prioritised recommendations
  • Prerequisite: System architecture documentation

AI-Specific Threats

AI systems face attack vectors that traditional security assessments do not cover: data poisoning, model evasion with adversarial inputs, model extraction, model inversion and membership inference, and (for LLM-based systems) prompt injection. Section 3.2 assesses each of these alongside the conventional controls in the rest of the template.


Assessment Information

| Field | Details |
|---|---|
| Project Name | |
| AI System Name | |
| Assessment Date | |
| Assessor(s) | |
| Review Date | |
| Classification | OFFICIAL / PROTECTED / SECRET |

Section 1: System Overview

1.1 AI System Description

| Question | Response |
|---|---|
| What is the purpose of the AI system? | |
| What type of AI/ML is used? (Classification, NLP, etc.) | |
| What decisions or outputs does the system produce? | |
| Who are the users of the system? | |
| What is the criticality level? | Low / Medium / High / Critical |

1.2 System Components

| Component | Technology/Platform | Location | Owner |
|---|---|---|---|
| Data storage | | Cloud/On-prem | |
| Model training environment | | | |
| Model serving/inference | | | |
| User interface | | | |
| APIs/Integrations | | | |
| Monitoring/logging | | | |

Section 2: Data Security Assessment

2.1 Data Classification

| Data Type | Classification | Volume | Retention | Encryption |
|---|---|---|---|---|
| Training data | | | | Yes/No |
| Validation data | | | | Yes/No |
| Production input data | | | | Yes/No |
| Model outputs | | | | Yes/No |
| Logs/audit trails | | | | Yes/No |

2.2 Data Security Controls

| Control | Status | Evidence | Risk if Missing |
|---|---|---|---|
| Data at Rest | | | |
| Encryption enabled | Yes/No/Partial | | |
| Key management in place | Yes/No/Partial | | |
| Access controls configured | Yes/No/Partial | | |
| Data in Transit | | | |
| TLS enabled (SSL and TLS 1.0/1.1 disabled) | Yes/No/Partial | | |
| Certificate management | Yes/No/Partial | | |
| API authentication | Yes/No/Partial | | |
| Data Access | | | |
| Role-based access control | Yes/No/Partial | | |
| Principle of least privilege | Yes/No/Partial | | |
| Access logging enabled | Yes/No/Partial | | |
| Regular access reviews | Yes/No/Partial | | |

2.3 Sensitive Data Handling

| Check | Status | Notes |
|---|---|---|
| PII identified and documented | Yes/No | |
| PII minimization applied | Yes/No | |
| Data anonymization/masking used | Yes/No | |
| Synthetic data considered | Yes/No | |
| Data retention policies defined | Yes/No | |
| Secure deletion procedures | Yes/No | |

Risk Rating for Data Security: Low / Medium / High / Critical


Section 3: Model Security Assessment

3.1 Model Development Security

| Control | Status | Evidence |
|---|---|---|
| Secure development environment | Yes/No | |
| Version control for code | Yes/No | |
| Code review process | Yes/No | |
| Dependency scanning | Yes/No | |
| Training data validation | Yes/No | |
| Model artifact signing | Yes/No | |

3.2 AI-Specific Attack Vectors

| Threat | Applicable | Mitigations in Place | Residual Risk |
|---|---|---|---|
| Data Poisoning (adversarial training data; label manipulation) | Yes/No | | Low/Med/High |
| Model Evasion (adversarial inputs; input manipulation) | Yes/No | | Low/Med/High |
| Model Extraction (query-based extraction; side-channel attacks) | Yes/No | | Low/Med/High |
| Model Inversion (training data inference; membership inference) | Yes/No | | Low/Med/High |
| Prompt Injection, if LLM (direct prompt injection; indirect prompt injection) | Yes/No | | Low/Med/High |

3.3 Model Integrity Controls

| Control | Status | Notes |
|---|---|---|
| Model checksums/hashes | Yes/No | |
| Model provenance tracking | Yes/No | |
| Immutable model registry | Yes/No | |
| Model deployment approval | Yes/No | |
| Rollback capability | Yes/No | |
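The integrity controls in 3.3 (checksums/hashes, provenance, deployment approval) and the artifact signing check in 3.1 come together in one verify-before-load step on the serving host. The following Python is an added example, not code from this template or from any agency system: it builds a digest manifest for a model artifact directory, tags the manifest with a key held by the model registry, and refuses to load the artifact if the tag, any file digest, or the set of files differs from what the registry recorded. The HMAC tag and the `REGISTRY_KEY` placeholder are assumptions for the example; a production registry would sign the manifest with an asymmetric key so that serving hosts verify it without holding a secret, and the manifest would be stored in the immutable registry rather than beside the artifact.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Key that authenticates the manifest. In practice it lives in the model
# registry or a KMS, never next to the artifact; this value is a placeholder
# for the example (assumption, not a real key).
REGISTRY_KEY = b"example-registry-key-replace-me"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large weight files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under the artifact directory (relative POSIX path) to its digest."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in files}


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so the tag does not depend on key order or whitespace."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def tag_manifest(manifest: dict, key: bytes) -> str:
    """Keyed tag over the manifest. An HMAC stands in for a digital signature here;
    a production registry would sign with an asymmetric key (assumption)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_artifact(root: Path, manifest: dict, tag: str, key: bytes) -> tuple:
    """Return (ok, reason). Load the model only when this returns (True, 'ok')."""
    if not hmac.compare_digest(tag_manifest(manifest, key), tag):
        return False, "manifest tag mismatch (manifest altered or wrong key)"
    actual = build_manifest(root)
    extra = sorted(set(actual) - set(manifest))
    if extra:  # a file the registry never saw, e.g. a dropped-in pickle
        return False, f"unexpected files in artifact: {extra}"
    for name, digest in manifest.items():
        if name not in actual:
            return False, f"missing file: {name}"
        if not hmac.compare_digest(actual[name], digest):
            return False, f"digest mismatch: {name}"
    return True, "ok"


def demo() -> dict:
    """Constructed artifact directory: the clean copy verifies, tampered copies do not."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "model.bin").write_bytes(b"\x00\x01" * 1024)  # constructed weights
        (root / "config.json").write_text('{"arch": "example"}')
        manifest = build_manifest(root)
        tag = tag_manifest(manifest, REGISTRY_KEY)
        results["clean"] = verify_artifact(root, manifest, tag, REGISTRY_KEY)

        # Same length, two bytes changed: caught by the per-file digest
        (root / "model.bin").write_bytes(b"\x00\x01" * 1023 + b"\xff\x01")
        results["tampered"] = verify_artifact(root, manifest, tag, REGISTRY_KEY)

        # Weights restored, but a file the registry never recorded appears
        (root / "model.bin").write_bytes(b"\x00\x01" * 1024)
        (root / "extra.pkl").write_bytes(b"not in the manifest")
        results["extra_file"] = verify_artifact(root, manifest, tag, REGISTRY_KEY)

        # Attacker edits the manifest itself without the registry key
        manifest["config.json"] = "0" * 64
        results["edited_manifest"] = verify_artifact(root, manifest, tag, REGISTRY_KEY)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16} ok={ok} {reason}")
```

The file-set check matters as much as the digests: an artifact directory that gains an unrecorded serialized file is exactly the "model supply chain" case the provenance and immutable-registry rows are there to catch, and a verifier that only re-hashes the files it already knows about would load it.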

Risk Rating for Model Security: Low / Medium / High / Critical


Section 4: Infrastructure Security

4.1 Compute Environment

| Control | Status | Evidence |
|---|---|---|
| Hardened operating systems | Yes/No | |
| Patch management process | Yes/No | |
| Container security (if applicable) | Yes/No | |
| Network segmentation | Yes/No | |
| Firewall rules documented | Yes/No | |
| DDoS protection | Yes/No | |

4.2 Cloud Security (if applicable)

| Control | Status | Evidence |
|---|---|---|
| Cloud security configuration | Yes/No | |
| Identity and access management | Yes/No | |
| Resource tagging/inventory | Yes/No | |
| Cloud security posture management | Yes/No | |
| Data sovereignty compliance | Yes/No | |

4.3 API Security

| Control | Status | Evidence |
|---|---|---|
| API authentication required | Yes/No | |
| API rate limiting | Yes/No | |
| Input validation | Yes/No | |
| Output sanitization | Yes/No | |
| API versioning | Yes/No | |
| API documentation secured | Yes/No | |
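Input validation and rate limiting in 4.3 are also the first-line mitigations for the model evasion and query-based extraction threats in 3.2, so it is worth seeing what "implemented" looks like for an inference endpoint. The following Python is an added example, not code from this template: it validates a tabular inference request against an assumed schema (`FEATURE_COUNT`, `FEATURE_MIN`/`FEATURE_MAX`, `MAX_BATCH`), charges each scored row against a per-client token bucket, and returns labels only. The `score` function is a stand-in for a real model, and the client identifier is assumed to come from the API authentication layer.

```python
import math

# Constructed schema for a tabular classifier; a real service takes these
# from the model's signature (assumptions for the example).
FEATURE_COUNT = 4
FEATURE_MIN, FEATURE_MAX = -10.0, 10.0
MAX_BATCH = 16


class RequestRejected(ValueError):
    """Raised for any request that does not match the schema; mapped to HTTP 400."""


def validate_inference_request(body) -> list:
    """Enforce shape, type, range and batch size before anything touches the model."""
    if not isinstance(body, dict) or set(body) != {"instances"}:
        raise RequestRejected("body must contain exactly the key 'instances'")
    instances = body["instances"]
    if not isinstance(instances, list) or not 1 <= len(instances) <= MAX_BATCH:
        raise RequestRejected(f"'instances' must hold 1..{MAX_BATCH} rows")
    clean = []
    for i, row in enumerate(instances):
        if not isinstance(row, list) or len(row) != FEATURE_COUNT:
            raise RequestRejected(f"row {i}: expected {FEATURE_COUNT} features")
        values = []
        for v in row:
            # bool is a subclass of int, so it has to be excluded explicitly
            if isinstance(v, bool) or not isinstance(v, (int, float)):
                raise RequestRejected(f"row {i}: non-numeric feature")
            v = float(v)
            # NaN/inf would pass a plain range check and can drive a model anywhere
            if not math.isfinite(v) or not FEATURE_MIN <= v <= FEATURE_MAX:
                raise RequestRejected(
                    f"row {i}: feature outside [{FEATURE_MIN}, {FEATURE_MAX}]")
            values.append(v)
        clean.append(values)
    return clean


class QueryBudget:
    """Per-client token bucket: each scored row costs one token, so bulk
    extraction traffic is throttled without blocking ordinary users."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst = rate_per_s, float(burst)
        self._state = {}  # client -> (tokens, last_seen)

    def allow(self, client: str, cost: int, now: float) -> bool:
        tokens, last = self._state.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= cost
        self._state[client] = (tokens - cost if ok else tokens, now)
        return ok


def score(row) -> str:
    """Stand-in model (assumption): sign of the feature sum."""
    return "positive" if sum(row) > 0 else "negative"


def handle(body, client: str, budget: QueryBudget, now: float) -> dict:
    """Validate, charge the budget, then score. The response carries only the
    label, not the probability vector, which limits the signal available to
    extraction and membership-inference queries."""
    try:
        rows = validate_inference_request(body)
    except RequestRejected as err:
        return {"status": 400, "error": str(err)}
    if not budget.allow(client, len(rows), now):
        return {"status": 429, "error": "query budget exceeded, retry later"}
    return {"status": 200, "labels": [score(r) for r in rows]}


if __name__ == "__main__":
    budget = QueryBudget(rate_per_s=1.0, burst=10)
    print(handle({"instances": [[1.0, 2.0, -0.5, 0.25]]}, "alice", budget, 0.0))
    print(handle({"instances": [[float("nan"), 0, 0, 0]]}, "alice", budget, 0.0))
    print(handle({"instances": [[0, 0, 0, 0]] * 10}, "alice", budget, 0.0))
```

Validation runs before the budget is charged, so malformed requests cannot be used to drain another client's allowance, and the budget is keyed on the authenticated client rather than on source IP, which extraction tooling rotates cheaply.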

Risk Rating for Infrastructure Security: Low / Medium / High / Critical


Section 5: Operational Security

5.1 Access Management

| Role | Access Level | Number of Users | Review Frequency |
|---|---|---|---|
| System Administrator | | | |
| Data Scientist | | | |
| ML Engineer | | | |
| Business User | | | |
| Support Staff | | | |

5.2 Monitoring and Logging

| Monitoring Type | Implemented | Tool/Method | Alert Threshold |
|---|---|---|---|
| Access logging | Yes/No | | |
| Model performance | Yes/No | | |
| Anomaly detection | Yes/No | | |
| Security events | Yes/No | | |
| Audit trails | Yes/No | | |
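For the anomaly detection row, the signals worth an alert threshold are the ones that precede the 3.2 threats: a client issuing far more queries than its role needs (extraction), or sending long runs of near-identical inputs that step one feature across a decision boundary (evasion crafting or extraction probing). The Python below is an added example, not part of the template, run over a constructed inference log; the log rows, client names and the thresholds `WINDOW_MAX_QUERIES`, `PROBE_EPS`, `PROBE_MIN_QUERIES` and `PROBE_RATIO` are assumptions to be tuned per system.

```python
import csv
import io
import random
from collections import defaultdict

# Alert thresholds (assumed values for the example; tune per system)
WINDOW_MAX_QUERIES = 20   # queries per client per analysis window
PROBE_EPS = 0.05          # L-inf distance below which consecutive queries are near-identical
PROBE_MIN_QUERIES = 10    # do not judge probing on fewer queries than this
PROBE_RATIO = 0.5         # share of near-identical consecutive queries that triggers an alert


def label(x) -> str:
    """Stand-in model used only to fill the constructed log (assumption)."""
    return "positive" if sum(x) > 0 else "negative"


def build_sample_log() -> str:
    """Constructed inference log (not real data): an ordinary user, a client
    nudging one feature across the decision boundary, and a bulk scraper."""
    rng = random.Random(7)
    rows = ["ts,client,x1,x2,x3,x4,label"]
    t = 1714557600

    def emit(client, x):
        nonlocal t
        rows.append(f"{t},{client},{','.join(f'{v:.2f}' for v in x)},{label(x)}")
        t += 3

    for _ in range(6):                      # alice: a handful of unrelated queries
        emit("alice", [rng.uniform(-5, 5) for _ in range(4)])
    base = [0.40, -0.20, 0.10, -0.30]       # mallory: x1 stepped in 0.01 increments
    for i in range(12):
        emit("mallory", [base[0] + 0.01 * i] + base[1:])
    for _ in range(25):                     # bot: high-volume scraping
        emit("bot", [rng.uniform(-5, 5) for _ in range(4)])
    return "\n".join(rows)


def analyse(log_text: str) -> list:
    """Group queries by client and apply both rules; alerts are sorted by client."""
    by_client = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(log_text)):
        by_client[rec["client"]].append(
            [float(rec[k]) for k in ("x1", "x2", "x3", "x4")])

    alerts = []
    for client, xs in sorted(by_client.items()):
        if len(xs) > WINDOW_MAX_QUERIES:
            alerts.append({"client": client, "rule": "high_volume", "queries": len(xs)})
        if len(xs) >= PROBE_MIN_QUERIES:
            # count consecutive query pairs that differ by less than PROBE_EPS
            # in every feature: the signature of boundary probing
            near = sum(
                1 for a, b in zip(xs, xs[1:])
                if max(abs(p - q) for p, q in zip(a, b)) < PROBE_EPS
            )
            ratio = near / (len(xs) - 1)
            if ratio >= PROBE_RATIO:
                alerts.append({"client": client, "rule": "boundary_probing",
                               "near_ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```

Both rules need the access log to record the authenticated client and the full input, which is why the access logging and audit trail rows above are prerequisites for this one; a log that keeps only timestamps and response codes cannot distinguish the prober from the ordinary user.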

5.3 Incident Response

| Requirement | Status | Evidence |
|---|---|---|
| AI-specific incident procedures | Yes/No | |
| Escalation paths defined | Yes/No | |
| Model rollback tested | Yes/No | |
| Communication plan | Yes/No | |
| Post-incident review process | Yes/No | |

Risk Rating for Operational Security: Low / Medium / High / Critical


Section 6: Compliance & Governance

6.1 Regulatory Requirements

| Requirement | Applicable | Compliance Status | Evidence |
|---|---|---|---|
| Privacy Act 1988 | Yes/No | Compliant/Gap | |
| PSPF | Yes/No | Compliant/Gap | |
| ISM Controls | Yes/No | Compliant/Gap | |
| Agency-specific requirements | Yes/No | Compliant/Gap | |

6.2 Security Documentation

| Document | Status | Last Updated |
|---|---|---|
| System Security Plan | Exists/Draft/None | |
| Risk Assessment | Exists/Draft/None | |
| Incident Response Plan | Exists/Draft/None | |
| Business Continuity Plan | Exists/Draft/None | |
| Security Operating Procedures | Exists/Draft/None | |

Section 7: Risk Summary

Overall Risk Ratings

| Domain | Risk Rating | Key Concerns |
|---|---|---|
| Data Security | Low/Med/High/Critical | |
| Model Security | Low/Med/High/Critical | |
| Infrastructure Security | Low/Med/High/Critical | |
| Operational Security | Low/Med/High/Critical | |
| Overall Rating | Low/Med/High/Critical | |

Risk Register

| ID | Risk Description | Likelihood | Impact | Current Controls | Risk Level | Treatment |
|---|---|---|---|---|---|---|
| R1 | | L/M/H | L/M/H | | L/M/H/C | Accept/Mitigate/Transfer/Avoid |
| R2 | | | | | | |
| R3 | | | | | | |
| R4 | | | | | | |
| R5 | | | | | | |

Section 8: Recommendations

Critical (Address Immediately)

| # | Finding | Recommendation | Owner | Due Date |
|---|---|---|---|---|
| 1 | | | | |
| 2 | | | | |

High (Address Within 30 Days)

| # | Finding | Recommendation | Owner | Due Date |
|---|---|---|---|---|
| 1 | | | | |
| 2 | | | | |

Medium (Address Within 90 Days)

| # | Finding | Recommendation | Owner | Due Date |
|---|---|---|---|---|
| 1 | | | | |
| 2 | | | | |

Low (Address When Feasible)

| # | Finding | Recommendation | Owner | Due Date |
|---|---|---|---|---|
| 1 | | | | |
| 2 | | | | |

Section 9: Sign-Off

| Role | Name | Signature | Date |
|---|---|---|---|
| Security Assessor | | | |
| System Owner | | | |
| Security Officer | | | |
| Project Manager | | | |

Appendices

Appendix A: Assessment Evidence

List documents reviewed, interviews conducted, and tests performed

Appendix B: Security Architecture Diagram

Include or reference system architecture diagram

Appendix C: Glossary

| Term | Definition |
|---|---|
| Data Poisoning | Attack in which an adversary injects or alters training data so the trained model learns attacker-chosen behaviour |
| Model Evasion | Attack in which inputs are crafted (adversarial examples) so that a deployed model misclassifies them |
| Model Extraction | Attack that reconstructs a functionally equivalent copy of a model by querying it systematically |
| Model Inversion | Attack that uses a model's outputs to reconstruct or infer sensitive attributes of its training data |
| Membership Inference | Attack that determines whether a specific record was part of the model's training set |
| Prompt Injection | Attack on an LLM-based system in which instructions placed in the user prompt (direct) or in content the system retrieves, such as documents or web pages (indirect), override the intended instructions |