BackMonitor your system’s inputs

This page is still being polished. If you have thoughts, please share them via the feedback form.

Data on this page is preliminary and may change. Please do not share or cite these figures publicly.

Monitor your system’s inputs

UK_NCSC (2023)|LLM classified

Mitigation Taxonomy

1AI System

1.2Non-Model

1.2.3Monitoring & Detection

Runtime behavior observation, anomaly detection, and activity logging.

Also in Non-Model

1.2.1 Guardrails & Filtering1.2.2 Runtime Environment1.2.4 Security Infrastructure1.2.5 Provenance & Watermarking

Definitionp. 16

In line with privacy and data protection requirements, you monitor and log inputs to your system (such as inference requests, queries or prompts) to enable compliance obligations, audit, investigation and remediation in the case of compromise or misuse. This could include explicit detection of out-of-distribution and/or adversarial inputs, including those that aim to exploit data preparation steps (such as cropping and resizing for images).

LLM Classification Details

Reasoning

Runtime monitoring detects out-of-distribution and adversarial inputs through logging and anomaly detection.

Code: 1.2.3Version: v0.5Classified: Jan 22, 2026

Part of

Secure operation and maintenance

This section contains guidelines that apply to the secure operation and maintenance stage of the AI system development life cycle. It provides guidelines on actions particularly relevant once a system has been deployed, including logging and monitoring, update management and information sharing.

Other mitigations from UK_NCSC (2023) (20)

Secure design

This section contains guidelines that apply to the design stage of the AI system development life cycle. It covers understanding risks and threat modelling, as well as specific topics and trade-offs to consider on system and model design.

2.4.2 Design Standards

Lifecycle:Plan and DesignActor:DeployerAIRM:Map

Secure design > Raise staff awareness of threats and risks

System owners and senior leaders understand threats to secure AI and their mitigations. Your data scientists and developers maintain an awareness of relevant security threats and failure modes and help risk owners to make informed decisions. You provide users with guidance on the unique security risks facing AI systems (for example, as part of standard InfoSec training) and train developers in secure coding techniques and secure and responsible AI practices.

2.4.4 Training & Awareness

Lifecycle:Plan and DesignActor:DeployerAIRM:Govern

Secure design > Model the threats to your system

As part of your risk management process, you apply a holistic process to assess the threats to your system, which includes understanding the potential impacts to the system, users, organisations, and wider society if an AI component is compromised or behaves unexpectedly. This process involves assessing the impact of AI-specific threats and documenting your decision making.

2.2.1 Risk Assessment

Lifecycle:Plan and DesignActor:DeployerAIRM:Map

Secure design > Design your system for security as well as functionality and performance

You are confident that the task at hand is most appropriately addressed using AI. Having determined this, you assess the appropriateness of your AI-specific design choices. You consider your threat model and associated security mitigations alongside functionality, user experience, deployment environment, performance, assurance, oversight, ethical and legal requirements, among other considerations.

2.4.2 Design Standards

Lifecycle:Plan and DesignActor:DeployerAIRM:Map

Secure design > Consider security benefits and trade-offs when selecting your AI model

Your choice of AI model will involve balancing a range of requirements. This includes choice of model architecture, configuration, training data, training algorithm and hyperparameters. Your decisions are informed by your threat model, and are regularly reassessed as AI security research advances and understanding of the threat evolves.

2.4.2 Design Standards

Lifecycle:Plan and DesignActor:DeployerAIRM:Map

Secure development

This section contains guidelines that apply to the development stage of the AI system development lifecycle, including supply chain security, documentation, and asset and technical debt management.

2.4.3 Development Workflows

Lifecycle:Build and Use ModelActor:DeployerAIRM:Manage

View all 20 mitigations from this source →

Source Document

Guidelines for secure AI development

UK National Cyber Security Centre (NCSC); US Cybersecurity and Infrastructure Security Agency (CISA); National Security Agency (NSA); Federal Bureau of Investigation (FBI); Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC) (2023)

This document recommends guidelines for providers of any systems that use artificial intelligence (AI), whether those systems have been created from scratch or built on top of tools and services provided by others. Implementing these guidelines will help providers build AI systems that function as intended, are available when needed, and work without revealing sensitive data to unauthorised parties.

View source

Classification

AI Lifecycle Stage

Operate and Monitor

Running, maintaining, and monitoring the AI system post-deployment

Responsible Actor

Deployer

Entity that integrates and deploys the AI system for end users

Developer

NIST AI RMF Function

Measure

Quantifying, testing, and monitoring identified AI risks

Manage

Risk Domains

Primary

2.2 AI system security vulnerabilities and attacks

Other

4 Malicious Actors & Misuse