AI Security Checklist for Enterprise Teams: 25 Controls to Implement Now

In a 2026 enterprise survey, 88% of organizations had an AI security incident in the last year and 82% of executives thought their policies were already covering them. That six-point difference is where the risk is. This is the practical, auditable list of 25 controls that closes the gap – mapped to OWASP, NIST and MITRE ATLAS.

  • 88% / 82% – of orgs had an AI security incident last year, yet 82% believed policy already protected them
  • 10x – more access than their workflow needs is granted to the average AI agent: over-permissioning at scale
  • 10% – of employee GenAI prompts contain sensitive corporate data, before any attacker is involved
  • 80/20 – rule: a focused set of controls mitigates the majority of AI risk; you don't need all 1,000+

There is no lack of AI security frameworks in 2026. OWASP has the LLM Top 10 and the Agentic Top 10. NIST has the AI RMF, the Generative AI Profile, and an adversarial-ML taxonomy. There is MITRE ATLAS, Google's SAIF, ISO/IEC 42001, and CISA's joint guidance with the Five Eyes. For a security team that actually wants to do something on a Monday morning, this plethora is its own problem – what CISOs are increasingly calling "compliance chaos." The frameworks tell you what good looks like, but they don't hand you a checklist.

So we made one. Here are 25 concrete AI security controls, grouped into 5 categories that follow the lifecycle of AI risk – from knowing what you have, to protecting the data, to securing the model and agents, to monitoring, to governance. Each is mapped to the framework it covers, so the checklist is also your compliance evidence. Tick them off as you go. Start with the ones marked DO NOW — they close the largest gaps fastest.

How to Use This

You don't need to have all 25 live before you deploy AI — but you should know where you are on each. The 80/20 principle: NIST control catalogs run to over a thousand items, but a focused subset addresses most of the real risk. The nine controls we've flagged DO NOW are that subset — the highest-leverage moves. Everything is mapped to a real framework (OWASP LLM/Agentic Top 10, NIST AI RMF, MITRE ATLAS), so finishing the list also gives you audit evidence.

🔍 1. Visibility & Inventory
Controls 1–5 · You can't secure what you can't see
01 · Build a complete AI asset inventory · DO NOW · NIST MAP

List every AI model, agent, copilot and MCP-connected tool, together with what data it can access, which tools it can call and what permissions it holds. Manage it as a software asset. This is the first control; everything else depends on it.

02 · Discover shadow AI continuously · DO NOW · NIST MAP

Sanctioned tools are only part of the picture. Run continuous discovery for unapproved AI use across endpoints, browsers and SaaS – the embedded copilots and consumer tools employees use without supervision. A one-time audit is stale in a week.

03 · Classify data before it reaches AI · NIST MAP · EU AI Act Art 10

Know what data is sensitive (PII, PHI, financial, source code, secrets) before it can flow into an AI system. Data classification is the prerequisite for any policy that treats different data differently.

04 · Map data flows through each AI system · NIST MAP

Document where data enters, what the model does with it, where the outputs go and what downstream systems the AI can reach. Data-flow mapping is the process of turning an inventory into a risk picture.

05 · Inventory the AI supply chain · OWASP LLM03

Keep track of the third-party models, datasets, libraries and plugins your AI relies on. A poisoned model from a public repository or a vulnerable dependency is a supply chain attack – you can't defend what you haven't cataloged.

🛡️ 2. Data Protection
Controls 6–10 · Prevent sensitive data from entering AI that it should not see
06 · Inspect and redact prompts in real time · DO NOW · OWASP LLM02

Detect sensitive data (PII, PHI, secrets, source code) in prompts before they reach a model, and redact or block it. 10% of employee prompts contain sensitive corporate data, so input-side inspection is the highest-value data control.

07 · Filter and validate model outputs · DO NOW · OWASP LLM02 / LLM05

Screen model output for sensitive-data leakage, and treat it as untrusted before rendering it or passing it downstream; improper output handling is a known exfiltration path. Never render raw model output into a privileged context unescaped.
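One way to build the input-side inspection of control 06 and the output-side handling of control 07 on the same detector, as an added example that is not code from the original post. The rule set is a constructed, illustrative subset (email, SSN, an AWS-style access key, and Luhn-checked card numbers), not a full DLP policy; the same `redact` function runs on prompts before they reach the model and on outputs before they are rendered or escaped.

```python
import re
from html import escape

# Constructed detection rules (assumption: an illustrative subset, not a full DLP rule set).
# CARD requires a Luhn-valid digit run so that order numbers and IDs are not redacted.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "AWS_KEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect(text: str) -> list[tuple[str, int, int]]:
    """Return (label, start, end) for every sensitive span found in text."""
    findings = []
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue
            findings.append((label, m.start(), m.end()))
    return findings


def redact(text: str) -> tuple[str, list[str]]:
    """Replace each finding with a placeholder; splice from the end so offsets stay valid."""
    findings = inspect(text)
    out = text
    for label, start, end in sorted(findings, key=lambda f: f[1], reverse=True):
        out = out[:start] + f"[{label}]" + out[end:]
    return out, sorted({f[0] for f in findings})


def render_safe(model_output: str) -> str:
    """Output side: redact leaked data, then escape before the text reaches a browser."""
    redacted, _ = redact(model_output)
    return escape(redacted)
```

The labels returned by `redact` are what you log and alert on; the redacted text is what the model (or the user) actually sees.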

08 · Never train on raw sensitive data · OWASP LLM02 · NIST

Train and fine-tune with tokenization, anonymization or synthetic data. Models can memorize and later output training data – raw PII or secrets in a training set is a leak waiting to surface in an output.

09 · Secure the RAG knowledge base · OWASP LLM08

Restrict access to a model's retrieval corpora and vector stores so that it can only retrieve what the requesting user is allowed to see. An over-permissioned RAG index leaks data through a seemingly innocent query.
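An added example (not from the original post) of the entitlement check this control describes: each indexed chunk carries the ACL of its source system, and the retriever filters by the caller's groups before ranking, so a user's top-k can never contain, or be shaped by, documents they cannot read. The corpus, users, groups and the keyword-overlap scorer standing in for vector similarity are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    allowed_groups: frozenset  # ACL of the source system, captured at index time


# Constructed corpus and directory (assumptions for the example).
CORPUS = [
    Doc("eng-001", "deployment runbook for the payments service", frozenset({"eng"})),
    Doc("fin-007", "Q3 payments revenue forecast and salary bands", frozenset({"finance"})),
    Doc("hr-003", "salary bands and promotion criteria", frozenset({"hr"})),
]
USER_GROUPS = {"alice": {"eng"}, "bob": {"eng", "finance"}}


def score(query: str, doc: Doc) -> int:
    """Stand-in for vector similarity: number of query terms present in the document."""
    terms = set(query.lower().split())
    return sum(1 for t in terms if t in doc.text.lower())


def retrieve(user: str, query: str, k: int = 3) -> list[str]:
    """Filter by the caller's entitlements BEFORE ranking. Filtering after top-k
    would still let unreadable documents crowd out readable ones and would leak
    their existence through empty or shortened result lists."""
    groups = USER_GROUPS.get(user, set())  # unknown caller -> no groups -> nothing visible
    visible = [d for d in CORPUS if d.allowed_groups & groups]
    ranked = sorted(visible, key=lambda d: score(query, d), reverse=True)
    return [d.doc_id for d in ranked[:k] if score(query, d) > 0]
```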

10 · Encrypt data in transit and at rest · NIST · EU AI Act Art 15

Encrypt prompts, outputs, embeddings and stored model artifacts. A prompt in transit to an AI service is a data transmission like any other and must be strongly encrypted end to end.

The Control Gap That Bites Most

The most exploited AI attack technique is not exotic. Prompt injection is the #1 OWASP LLM risk, and it works because a large language model processes instructions and data on the same channel with no enforced separation – unlike a database, where parameterized queries cleanly separate the two. A sentence hidden in a retrieved document, a webpage, or a code comment can change an agent's behavior without malware and without stolen credentials. The Drift AI supply-chain incident spread across more than 700 organizations from one injection. Controls 11–15 exist because you can't fully "validate away" this class of attack – you have to constrain what a compromised model can do.

🤖 3. Model & Agent Security
Controls 11–15 · Constrain what the AI can do and reach
11 · Deploy prompt-injection defenses · DO NOW · OWASP LLM01

Layer input filtering, instruction/data separation and an AI gateway that filters injection patterns before they reach the model context. No single defense is perfect, so combine them and pair them with least privilege so that a successful injection has a limited blast radius.

12 · Enforce least privilege on agents · DO NOW · OWASP ASI · NIST MANAGE

Scope every agent's tool access and data reach to its function only – nothing more. With agents 10x over-permissioned, this is the control that turns a successful injection from a breach into a contained event. A support agent should not have access to HR or finance data.

13 · Give each AI system a managed identity · NIST · CISA guidance

Treat every model and agent as an authenticated identity with its own credentials and access reviews – not as an anonymous process. Emerging guidance points to OAuth 2.0 and SPIFFE/SPIRE for agent identity and authorization.

14 · Sandbox and isolate model execution · OWASP LLM01 · MITRE ATLAS

Separate the model and the tool-execution environment from internal systems and networks, so that a compromised model cannot pivot. Limit outbound connectivity and the APIs the model can call.

15 · Require human-in-the-loop for high-risk actions · EU AI Act Art 14 · NIST

Add human approval steps before an AI system takes a critical or irreversible action (transferring money, changing access, external communication). Without human oversight, model errors and injections become real-world harm.
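An added example (not code from the original post) of controls 12 and 15 working together as one tool-call gate: a per-agent allowlist denies anything outside the agent's function, and the high-risk tools that remain allowlisted still stop for a recorded human approval before they run. The agents, tool names and the plan an agent proposes after reading a document are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_APPROVAL = "needs_approval"


@dataclass(frozen=True)
class ToolCall:
    agent: str
    tool: str
    args: tuple = ()  # hashable, so an exact call can be recorded as approved


# Constructed policy (assumption): per-agent allowlists, default deny for anything unlisted.
TOOL_ALLOWLIST = {
    "support-agent": frozenset({"lookup_ticket", "send_reply"}),
    "finance-agent": frozenset({"lookup_invoice", "transfer_funds"}),
}
# Irreversible or externally visible actions always stop for a human, even when allowlisted.
HIGH_RISK_TOOLS = frozenset({"transfer_funds", "grant_access", "send_external_email"})


def authorize(call: ToolCall, approvals: frozenset = frozenset()) -> Decision:
    """Least privilege first (is this tool in the agent's scope at all?), then
    human-in-the-loop (has a person approved this exact call?)."""
    if call.tool not in TOOL_ALLOWLIST.get(call.agent, frozenset()):
        return Decision.DENY
    if call.tool in HIGH_RISK_TOOLS and call not in approvals:
        return Decision.NEEDS_APPROVAL
    return Decision.ALLOW


def run_plan(agent: str, plan: list, approvals: frozenset = frozenset()) -> list:
    """Evaluate every tool call an agent proposes (for instance after reading an
    injected document) and return (tool, decision) pairs; only ALLOW executes."""
    return [
        (tool, authorize(ToolCall(agent, tool, args), approvals).value)
        for tool, args in plan
    ]
```

Approvals are keyed on the full call, so changing an argument after approval (a different account, a different amount) sends the call back to a human.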

📊 4. Monitoring & Testing
Controls 16–20 · Detect, log, and stress-test continuously
16 · Log every AI interaction immutably · DO NOW · NIST · EU AI Act Art 12

Log everything – prompts, outputs, tool calls – in a tamper-proof audit trail owned by the security team, not the application owner. More than 50% of AI deployments today do not log anything, yet that trail is the forensic evidence you will need in an incident.
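An added example (not code from the original post) of the tamper-evident property this control asks for: a hash-chained, append-only log in which every entry commits to the previous entry's hash, so editing or deleting any prompt, output or tool-call record breaks the chain at that point. The sample interaction is constructed; in practice the latest chain hash is periodically written to a store the application owner cannot modify.

```python
import hashlib
import json

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained log of AI interactions."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "record": record}
        digest = _digest(body)
        self.entries.append({**body, "hash": digest})
        return digest  # anchor this value outside the app owner's control

    def verify(self):
        """Return None if the chain is intact, else the index of the first broken entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: entry[k] for k in ("seq", "prev", "record")}
            if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(body):
                return i
            prev = entry["hash"]
        return None


def build_sample_log() -> AuditLog:
    """Constructed interaction (assumption): prompt, tool call, output."""
    log = AuditLog()
    log.append({"type": "prompt", "agent": "support-agent", "text": "find ticket T-1"})
    log.append({"type": "tool_call", "tool": "lookup_ticket", "args": ["T-1"]})
    log.append({"type": "output", "text": "Ticket T-1 is resolved."})
    return log
```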

17 · Monitor runtime behavior for anomalies · NIST MEASURE · MITRE ATLAS

Look out for unusual patterns: spikes in jailbreak attempts, unusual retrieval behavior, anomalous outputs and model drift. AI systems are living systems – what was safe at deployment can drift into risk in production.

18 · Red-team AI systems regularly · DO NOW · NIST · MITRE ATLAS

Run adversarial testing (prompt injection, jailbreaks, data extraction, agent tool misuse) on a monthly or quarterly basis using scenarios from MITRE ATLAS. Static checks are not enough to protect systems that evolve.

19 · Shift AI testing left into CI/CD · Google SAIF · NIST

Integrate automated adversarial testing and model scanning into your DevSecOps pipeline so that prompts, models and agents are re-tested every time the configuration changes – just like unit tests or dependency scans.

20 · Have an AI-specific incident response plan · NIST · EU AI Act Art 73

Expand your IR playbook to AI incident types (prompt injection, data leakage, model poisoning, agent hijack), pre-authorize containment (gateway isolation) and know your regulatory reporting clocks. Most IR runbooks were not written for a breach that leaves no malware signature.

⚖️ 5. Governance & Compliance
Controls 21–25 · Make it accountable and provable
21 · Establish an AI governance structure · DO NOW · NIST GOVERN · ISO 42001

Establish clear ownership and decision rights for AI risk (a committee of security, legal and risk) and set the organization's risk tolerance. NIST is clear: govern first, and infuse governance throughout the other functions. Without it, technical controls are unaccountable.

22 · Write and enforce an AI acceptable-use policy · NIST GOVERN

Define which tools are allowed, which data is forbidden and which use cases are permitted – and then back the policy with a technical control. A policy that nobody can enforce is documentation, not security; a QSA or regulator can tell the difference.

23 · Map controls to your regulatory obligations · EU AI Act · ISO 42001

Crosswalk your controls to the regimes you are subject to (EU AI Act, sector rules, state laws) so that one set of controls provides evidence for many obligations. The EU AI Act high-risk obligations come into effect in August 2026.

24 · Manage third-party and vendor AI risk · NIST GOVERN · OWASP LLM03

Vet AI vendors' data handling, obtain contractual commitments not to train on your data, and confirm that you can still meet your obligations even when a third party processes the data. You own the risk no matter who runs the model.

25 · Train employees on secure AI use · NIST GOVERN

Teach people what is safe to feed into AI, what tools are approved and how to identify AI-specific risks. The human is still a critical weakness: trust in AI outputs and careless data input lead to incidents that no technical control alone can catch.

The 9 "do now" controls — where to start for the biggest risk reduction
Sequenced for fastest gap-closure — see first, then protect, constrain, prove.
  • SEE (2 controls): 01 · AI inventory, 02 · Shadow-AI discovery
  • PROTECT (2 controls): 06 · Redact prompts, 07 · Filter outputs
  • CONSTRAIN (2 controls): 11 · Injection defense, 12 · Least privilege
  • PROVE (3 controls): 16 · Immutable logs, 18 · Red-team, 21 · Governance
These nine close the largest gaps first. The remaining 16 deepen coverage across all five categories.

"Frameworks don't tell you what good looks like, they don't tell you what to do on Monday morning. The teams that get AI security right don't implement a thousand controls, they implement the right twenty-five, and they enforce them where the AI runs, not in a policy document."

— Polygraf AI, on operationalizing AI security
Free Tool · Polygraf AI Risk Calculator

See which gaps cost you the most — before you start checking boxes

Unsure which of the 25 controls to focus on? Polygraf's AI Risk Calculator models your organization's exposure to breach, regulatory and litigation risk – and shows you which obligations apply – so you can sequence your checklist by what actually reduces your risk the most.

  • Quantified exposure across every major risk category
  • A tailored read on which regulations and frameworks apply to you
  • Gaps surfaced across visibility, data protection, and governance
  • Modeled reduction from adding inline detection and control
Where Polygraf AI Covers This Checklist

Polygraf AI's Behavioral Control Plane directly implements or enhances a large portion of these 25 controls – which are all in the highest-leverage "do now" set. It offers shadow-AI discovery and inventory (controls 1–2), real-time prompt inspection and redaction plus output filtering (6–7), data classification at the AI boundary (3), enforcement that enables least-privilege and injection containment (11–12), immutable interaction logging (16) and the enforcement layer that turns an acceptable-use policy into a real control (22). It is on-premise, zero data egress, sub-100ms latency, so the controls are on live AI traffic without adding a new exposure point. It does not replace your governance program or your red-team – it is the technical layer that makes the data-facing controls real where the AI runs.

Implement the Data-Facing Controls in One Layer

Polygraf AI protects the most important controls on this list – shadow-AI discovery, prompt inspection and redaction, output filtering, least-privilege enforcement, and immutable logging – in-line, where your AI runs. On-premise, sub-100ms, zero data egress.
