Lesson 1: Access controls and role-based permissions, least privilege, privileged access monitoring
This section explains how to design access controls and role-based permissions for AI systems, enforce least privilege, and monitor privileged access so that sensitive data and administrative functions remain tightly governed.
Defining AI-specific roles and permissions
Implementing least privilege for AI admins
Strong authentication for privileged users
Session recording and just-in-time access
Periodic access review and recertification

Lesson 2: Logging, audit trails, and immutable logging for data access and model query records
This section covers logging strategies for AI systems, including detailed audit trails and immutable logs for data access and model queries, enabling investigations, accountability, and evidence for regulatory or internal reviews.
Defining AI logging scope and granularity
Capturing user, admin, and system actions
Immutable logging and tamper resistance
Log minimization and pseudonymization
Log review, alerting, and investigations

Lesson 3: Data minimization and pre-processing: techniques for reducing PII before sending to LLM
This section explains data minimization and preprocessing techniques that reduce personal data before sending it to AI models, using redaction, aggregation, and transformation to lower risk while preserving utility for business use cases.
Identifying unnecessary personal data fields
Redaction and masking of free-text inputs
Aggregation and generalization techniques
Edge preprocessing before API submission
Balancing utility with minimization duties

Lesson 4: Input filtering and prompt engineering: removing sensitive data, pattern-based scrubbing, NLP-based classifiers
This section focuses on input filtering and prompt engineering to remove sensitive data before processing, using pattern-based scrubbing and NLP classifiers to detect risky content and enforce organizational policies at the boundary.
Pattern-based scrubbing of identifiers
NLP classifiers for sensitive categories
Prompt templates that avoid PII capture
Real-time input validation and blocking
User guidance and consent at input time

Lesson 5: Governance: DPIA integration, Data Processing Agreements (DPAs), record updates and change control
This section describes governance structures for AI, including integrating DPIAs, managing Data Processing Agreements, and maintaining records and change control so that system modifications remain transparent, assessed, and compliant.
When and how to run AI-focused DPIAs
Key DPA clauses for AI processing
Maintaining records of processing for AI
Change control for models and datasets
Governance forums and approval workflows

Lesson 6: Pseudonymization and tokenization approaches for free-text data and structured fields
This section explores pseudonymization and tokenization strategies for both free-text and structured data, showing how to replace identifiers with reversible or irreversible tokens while managing re-identification and key separation risks.
Pseudonymization versus anonymization limits
Tokenization for structured identifiers
Handling names and IDs in free-text data
Key and token vault management controls
Re-identification risk assessment methods

Lesson 7: Output filtering and post-processing: sensitivity detection, hallucination detection, confidence scoring
This section covers mechanisms that inspect and adjust AI outputs to detect sensitive data, identify hallucinations, and apply confidence scoring so that risky responses are blocked, flagged, or routed for review before reaching end users.
Detecting personal and sensitive data in model outputs
Hallucination detection rules and model ensembles
Designing confidence scores and thresholds
Human review workflows for risky responses
User feedback loops to refine output filters

Lesson 8: Retention policies, automated deletion, and backup retention alignment with purpose limitation
This section explains how to define retention schedules for AI data, configure automated deletion, and align backups with purpose limitation so that training data, logs, and prompts are not stored longer than necessary or used incompatibly.
Mapping data categories to retention periods
Automated deletion of prompts and logs
Backup retention and restore testing
Handling legal holds and exceptions
Documenting retention decisions for audits

Lesson 9: Sandboxing and rate-limiting API calls; throttling, request validation, and queuing
This section explains how to isolate AI services, control traffic volume, and validate incoming requests using sandboxing, rate limits, throttling, and queuing so that systems remain stable, secure, and resistant to abuse or denial-of-service.
Designing API rate limits and burst controls
Sandbox environments for testing AI features
Request validation and schema enforcement
Queueing strategies for high-volume workloads
Abuse detection and automated blocking rules

Lesson 10: Vendor due diligence: security questionnaires, SOC/ISO reports, penetration test requirements
This section details how to evaluate AI vendors using structured due diligence, including security questionnaires, SOC and ISO reports, and penetration testing requirements, ensuring processors meet legal, security, and resilience expectations.
Building AI-specific security questionnaires
Reviewing SOC 2, ISO 27001, and similar reports
Penetration testing scope for AI integrations
Assessing data residency and subcontractors
Ongoing vendor monitoring and reassessment

Lesson 11: Operational measures: staff training, privacy-by-design, incident response playbooks, breach notification procedures
This section focuses on operational safeguards such as staff training, privacy-by-design practices, incident response playbooks, and breach notification procedures that ensure AI operations remain compliant, resilient, and well documented.
AI-specific security and privacy training
Embedding privacy by design in AI projects
Incident detection and triage for AI systems
AI incident response and communication plans
Breach notification timelines and content

Lesson 12: Encryption in transit and at rest; key management and envelope encryption for model inputs/outputs
This section covers encryption in transit and at rest for AI data, including key management and envelope encryption patterns that protect prompts, outputs, and logs while supporting access control, rotation, and regulatory expectations.
TLS configuration for AI APIs and services
Disk, database, and object storage encryption
Envelope encryption for prompts and outputs
Key lifecycle, rotation, and segregation
HSMs and cloud KMS integration options