AI Governance you own this product

Secure, privacy-preserving, ethical systems

Engin Bozdag and Stefano Bennati

MEAP began November 2025
Last updated April 2026
Publication in Fall 2026 (estimated)

ISBN 9781633436817
225 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Data Science / Deep Learning / Generative AI

resources: Book forum

table of content

1 Governing Generative AI

1.1 Why Governance, Risk and Compliance (GRC) for GenAI Matters Now?

1.2 GRC for AI: More Than a Compliance Checklist

1.3 A Mental Model for GenAI GRC

1.4 Challenges in Practice: Illustrative Scenarios

1.5 Tools and Practices You’ll Need

1.6 Conclusion: Motivation and Map for What’s Ahead

2 Adoption Models for GenAI

2.1 SaaS or Application Consumers

2.2 API Integrators

2.2.1 Organization-Controlled Zone: Enhanced Customization and Governance

2.2.2 Vendor-Controlled Zone: Stability and Reliability

2.2.3 Governance and Risk Management Opportunities

2.2.4 Achieving Effective Governance for an API Integrator

2.3 Model Hosters

2.3.1 Architecture Overview: What’s Inside the Controlled Zone

2.3.2 Governance and Risk Management Opportunities

2.3.3 Achieving Effective Governance for a Model Hoster

2.4 Risk dimensions across deployment postures

2.5 Agentic AI

2.5.1 What Does “Agentic” Mean?

2.5.2 Common properties of Agentic AI

2.5.3 Why Agentic AI is still experimental

2.5.4 Governance Challenges

2.6 MediAssist: A case study in AI governance

2.7 Summary

3 The Six-Level Governance Framework

3.1 Practical Responsible AI Governance: Recap

3.2 Strategy & Policy (Level 1)

3.2.1 Key artifacts

3.2.2 Common Failures

3.2.3 MediAssist at Level 1

3.3 Risk & Impact Assessment (Level 2)

3.3.1 Key artifacts

3.3.2 Key Metrics

3.3.3 Common Failures

3.3.4 MediAssist at Level 2

3.4 Implementation Review (Level 3)

3.4.1 Integrating with Existing Review Processes

3.4.2 Key Artifacts

3.4.3 Key metrics

3.4.4 Common Failures

3.4.5 Mediassist at Level 3

3.5 Acceptance Testing (Level 4)

3.5.1 Key artifacts

3.5.2 Key Metrics

3.5.3 Common Failures

3.5.4 MediAssist at Level 4

3.6 Operations & Monitoring (Level 5)

3.6.1 Key artifacts

3.6.2 Key Metrics

3.6.3 Common Failures

3.6.4 Mediassist at Level 5

3.7 Learning & Improvement (Level 6)

3.7.1 Key Artifacts

3.7.2 Key Metrics

3.7.3 Common Failures

3.7.4 MediAssist in Level 6

3.8 Maturity Levels Across the 6L-G Model

3.9 Summary

4 Securing GenAI

4.1 ClaimAssist

4.2 Risk Factors

4.2.1 ClaimAssist and How Risk Factors Stack

4.3 Insecure Environments

4.3.1 Insufficient Logging

4.3.2 Vendor security gaps

4.3.3 Supply-Chain Risks

4.3.4 Uncontrolled usage and denial of service

4.3.5 Improper secret management

4.3.6 Shadow AI

4.4 Model Risks

4.4.1 Model Weight Risks

4.4.2 Backdoors, Poisoning and Malicious Models

4.4.3 Model Theft

4.4.4 Mitigating Model-Level Risks

4.5 Untrustworthy Input

4.5.1 Beyond Chat-Based Attacks

4.6 Data Security

4.6.1 The Confused Deputy Problem

4.6.2 When Existing Permissions Are Too Broad

4.6.3 Poisoning the Well

4.7 The Ability to Make Changes

4.7.1 Building Controls for AI That Can Act

4.8 Agency

4.8.1 Why Autonomy Changes the Threat Landscape

4.8.2 Agentic Browsers

4.8.3 MCP and the New Tool Ecosystem

4.8.4 Managing What Tools the Agent Can Use

4.8.5 Tool Authorization

4.8.6 When Humans Need to Stay in the Loop

4.8.7 Containment and Detection

4.8.8 Baseline and Advanced Practices

4.9 ClaimAssist: From FAQ Bot to Agentic System

4.10 Summary

5 Privacy

5.1 The Four Pillars of GenAI Privacy

5.2 Collection and Purpose

5.2.1 No Valid Legal Basis

5.2.2 Overcollection

5.2.3 Vendor’s Inappropriate Use of Organizational Data

5.2.4 Adoption Model Differences

5.3 Storage and Memorization

5.3.1 Memorization and Membership Inference

5.3.2 Insufficient deletion of embeddings

5.3.3 Insufficient Deletion of (Meta)data

5.3.4 Adoption Model Differences

5.4 Output Integrity

5.4.1 Hallucinations and Defamations

5.4.2 Overreliance and Automated Decision Making

5.4.3 Adoption Model Differences

5.5 User Rights & Governance

5.5.1 Making models forget and correct

5.5.2 Data Subject Access Requests (DSAR)

5.5.3 Transparency

5.5.4 Adoption Model Differences

5.6 Agentic AI and Privacy

5.6.1 Purpose Limitation (and Data Minimization) Under Strain

5.6.2 Lawful Basis Challenges for Autonomous Processing

5.6.3 Storage Limitation and Erasure Rights in an Agent Context

5.6.4 Governance and Operational Challenges in the Long Term

5.6.5 Summary of Privacy Risks and Mitigations in Agentic AI

5.7 Summary

6 Ethical and trustworthy GenAI

7 Regulatory landscape

8 The road ahead

Appendix

Appendix A: A quick intro to Generative AI

Overview

4 Securing GenAI

This chapter explains why securing GenAI requires a different playbook from traditional software security. Because large language models interpret meaning rather than structure, they cannot reliably separate instructions from data, making prompt injection and jailbreaks a systematic risk rather than an edge case. The text introduces a compounding exposure model—environment, model, input, data access, ability to make changes, and agency—and shows through the ClaimAssist narrative how each step up in capability (from FAQ bot to autonomous agent) widens the blast radius of mistakes or attacks. Real-world incidents and large-scale red-teaming underline that once systems can read sensitive data, take actions, or plan autonomously, misinterpretation becomes a security incident, not just a bad answer.

The chapter catalogs the major failure modes across that ladder: indirect and multimodal prompt injection (including document and configuration poisoning), data exfiltration via the “lethal trifecta” of untrusted input, sensitive data access, and outbound channels, and environmental weaknesses such as vendor gaps, fragile supply chains, secrets sprawl, and denial-of-wallet resource exhaustion. It details model-specific risks—safety degradation from fine-tuning, backdoored or poisoned weights, and model theft—and enterprise access pitfalls like the confused deputy pattern and overshared permissions that retrieval makes newly visible. With write access and agency, risks shift to tool misuse, memory poisoning that persists across sessions, cascading multi-agent failures, and rogue behavior, all amplified by emerging tool ecosystems like MCP that can silently expand capabilities and trust boundaries.

Controls are mapped to exposure rather than one-size-fits-all. Baselines include hardened environments and vendors, comprehensive and privacy-aware logging, SBOM and supply‑chain hygiene, strict secret handling, quotas and circuit breakers, and input/output guardrails with narrowed retrieval scopes and document sanitization. For data access, the chapter emphasizes user‑context queries, least privilege, tenant isolation plus metadata filtering, and real‑time authorization. Once systems can act, it prescribes short‑lived scoped credentials, pre‑execution validations, explicit action exclusions, calibrated human‑in‑the‑loop approval tiers, and rate/scope limits. For agency, it moves enforcement outside the model with policy engines and approved tool registries, adds MCP gateways, sandboxed execution, memory isolation with paraphrased persistence, behavioral monitoring with reasoning traces, graceful degradation, kill switches, and agent identity governance—rounded out by staged red‑teaming and a pragmatic stance on shadow AI: meet user needs with sanctioned options to reduce unsafe workarounds.

ClaimAssist v1 on the left is a simple policy chatbot. ClaimAssist v4 on the right can accept user uploaded images and change a claim status as “ready for adjuster review”.

Security Risk Factors. Each additional factor compounds the risk.

Real life prompt injection attack

Image prompt injection causing a faulty decision in ChatGPT-5.

Summary

Generative AI introduces security challenges that traditional software controls were not designed to address. Large language models cannot reliably distinguish between data they should process and instructions they should follow. When you connect these systems to sensitive data, let them take actions, or grant them autonomy to pursue goals, you create attack surfaces that traditional controls cannot protect. Firewalls, access controls, and input validation were not designed for systems that blur the line between data and instruction.

The six risk factors introduced in Section 4.2 determine how much exposure a GenAI system carries. Environment and model risks set the foundation: an insecure underlying platform or a compromised model undermines everything built on top. Untrustworthy input and data security risks compound: prompt injection against a system with data access turns every input manipulation into a potential breach. Action capability and agency take it to its worst form: from “the model said something wrong” to “the model did something wrong at scale, across multiple sessions, without anyone asking it to.”

The Lethal Trifecta (untrusted input, access to sensitive data, and a channel for external communication) is the condition that makes agentic systems most dangerous. Break any one element and the worst attacks fail. But useful AI assistants often need all three, making containment rather than prevention the realistic goal.

The controls at each layer follow a consistent architecture: match permissions to the requesting user’s identity, not a shared service account; enforce authorization decisions outside the model’s reasoning process; require human review proportional to consequence; maintain complete audit trails for actions, not just outputs; contain damage through sandboxing and rate limits; and monitor reasoning traces, not just network traffic.

The attacks described in this chapter have affected production systems at major vendors and compromised customer data. Organizations that handle these threats successfully will match controls to exposure, treat security as a governance discipline, and constrain capabilities when adequate protections do not yet exist.

FAQ

Why can’t LLMs reliably separate “instructions” from “data,” and why do classic injection defenses fail?

LLMs interpret all input as natural language, not as strictly typed fields. When an instruction (“summarize this”) and content (the text to summarize) arrive as plain text, the model decides what to follow based on context, not on structural boundaries. Because there’s no reliable technical delimiter between commands and data, traditional defenses like escaping characters or separating command/data channels (which work for SQL/web apps) don’t translate to LLMs.

What are the six GenAI security risk factors and how do they compound?

The ladder of exposure is: (1) Environment (logging, secrets, plugins, vendor security), (2) Model (unvetted/poisoned or fine-tuned models), (3) Input (untrusted content that can inject prompts), (4) Data access (runtime retrieval of sensitive info), (5) Ability to make changes (write actions in real systems), and (6) Agency (autonomous planning and tool choice). Each added factor expands the attack surface; controls must match the highest factors that apply.

How does the ClaimAssist case study show risk growing with capability?

V1: FAQ bot (basic environment/model/input risk). V2: Same but on an unvetted model (adds model risk). V3: Personalized answers with data access (enables sensitive data leaks). V4: Fine-tuned model (degraded safety/memorization risks). V5: Action-enabled (from “said something wrong” to “did something wrong”). V6: Agentic (autonomous planning, inter-agent trust risks). Each step requires stronger controls.

What is prompt injection, and how is it different from jailbreaks and indirect injection?

Prompt injection crafts inputs that override an AI’s intended behavior. Jailbreaks specifically target a model’s built-in safety rules. Indirect injection hides instructions inside content the AI later processes (documents, emails, code, config files), triggering misuse even without a chat prompt. The risk escalates when combined with data access and any outbound communication path.

What is the “Lethal Trifecta” in AI data security, and how do you break it?

The trifecta is: untrusted input + access to sensitive data + an external communication channel. Many real attacks rely on all three. Containment strategies include narrowing retrieval scope, user-context permissions, sanitizing/stripping hidden content before indexing, requiring source citation, restricting outbound network calls, and monitoring for exfiltration patterns.

What is the confused deputy problem in GenAI and how do we avoid it?

It occurs when an assistant uses high-privilege service credentials and unwittingly retrieves or acts on data beyond a user’s rights. Avoid it by: using user-context queries (act with the requester’s permissions), enforcing least privilege for any service accounts, performing real-time authorization checks, and auditing/monitoring tool calls and retrievals.

Which controls are essential before giving AI write access to production systems?

- Short-lived, narrowly scoped credentials issued per operation - Pre-execution validation (business rules and invariants) - Tiered human approval based on impact; explicit exclusions for high-risk operations - Rate and scope limits (per session, per record class, monetary caps) - Full audit chains: user intent, AI interpretation, approvals, exact mutations, and outcomes - Reversibility by default and post-execution verification

Why do agentic systems add new threats, and what extra controls help?

Agents plan steps, select tools, and coordinate with other systems, enabling tool misuse, memory poisoning, cascading failures, and even rogue behavior. Mitigations: external policy engines for tool authorization, risk-based human-in-the-loop, sandboxed execution, memory isolation/aging and summarization, behavioral monitoring with reasoning traces, graceful degradation, and a kill switch.

How should organizations govern the tool ecosystem (e.g., MCP) safely?

Create an approved tool registry; pin versions; disable or review dynamic tool discovery; require strong authentication (prefer OAuth over static keys); scope permissions per tool; deploy an MCP security gateway for policy enforcement, request inspection, and logging; and continuously scan tool descriptions/configs for hidden instructions or toxic data flows.

Which “classic” environment risks most amplify GenAI incidents, and what are the key safeguards?

- Insufficient logging: capture prompts, tool calls, versions, decisions; redact PII; keep request IDs end-to-end - Vendor/supply chain gaps: verify tenant isolation, provenance, SBOMs; pin and scan dependencies; sandbox models; prefer SafeTensors - Uncontrolled usage/costs: rate limits, token/step caps, timeouts, hard spend limits, real-time cost monitors - Secret management: vault storage, rotation, short-lived tokens, scanning for leaked keys, centralized API gateways - Shadow AI: train and provide sanctioned tools; monitor and block unsanctioned endpoints; enforce SSO and data loss prevention

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $33.59

you save $14.40 (30%)

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more