Insights
The why before the how. Each article identifies a specific problem that the core controls and extensions then solve. Together, they make the case for risk-proportionate runtime controls that reduce harm without imposing disproportionate process.
Start Here
These establish the foundational argument: AI systems are non-deterministic, so you can't fully test them before deployment. Runtime behavioral monitoring is the answer.
| # | Article | One-Line Summary |
|---|---|---|
| 1 | The First Control: Choosing the Right Tool | The best way to reduce AI risk is to not use AI where it doesn't belong |
| 1b | The Model You Choose Is a Security Decision | Choosing a flawed model makes every control downstream harder - evaluate security posture, not just capability |
| 2 | Why Your AI Guardrails Aren't Enough | Guardrails block known-bad; you need detection for unknown-bad |
| 2b | Practical Guardrails | What guardrails should catch: international PII, RAG filtering, exception governance |
| 3 | The Judge Detects. It Doesn't Decide. | Async evaluation beats real-time blocking for nuance |
| 4 | Infrastructure Beats Instructions | You can't secure systems with prompts alone |
| 5 | Risk Tier Is Use Case, Not Technology | Classification is about deployment context, not model capability |
| 6 | Humans Remain Accountable | AI assists decisions; humans own outcomes |
Emerging Challenges
Where the three-layer pattern meets its limits - and what to do about it.
| # | Article | One-Line Summary | Solution |
|---|---|---|---|
| 7 | The Verification Gap | Current safety approaches can't confirm ground truth | Judge Assurance |
| 8 | Behavioral Anomaly Detection | Aggregating signals to detect drift from normal | Anomaly Detection Ops |
| 8b | Model Drift Impact | Model drift degrades every control layer simultaneously, and closed-loop monitoring is the only viable response | Observability Controls |
| 9 | Multimodal AI Breaks Your Text-Based Guardrails | Images, audio, and video bypass text controls | Multimodal Controls |
| 10 | When AI Thinks Before It Answers | Reasoning models need reasoning-aware controls | Reasoning Model Controls |
| 11 | When Agents Talk to Agents | Multi-agent systems have accountability gaps | Multi-Agent Controls |
| 12 | The Memory Problem | Long context and persistent memory create new risks | Memory and Context Controls |
| 13 | You Can't Validate What Hasn't Finished | Real-time streaming breaks the validation model | Streaming Controls |
| 14 | The Orchestrator Problem | The most powerful agents in your system have the fewest controls applied to them | Privileged Agent Governance |
| 15 | The MCP Problem | The protocol everyone's adopting gives agents universal tool access - without authentication, authorisation, or monitoring | Tool Access Controls |
| 16 | The Long-Horizon Problem | The security properties you validated on day one may not hold on day thirty - time itself is an attack vector | Observability Controls |
| 17 | Process-Aware Evaluation | Evaluating what an agent produced is less important than evaluating how it got there | Judge Assurance |
| 18 | The Flight Recorder Problem | You log what happened but not why, or how to replay it. AI systems need provenance chains, not just event logs | Logging & Observability |
| 19 | Securing the Connective Tissue | The attack surface has shifted from models to the space between them: agentic service meshes, proof of inference, and ghost agents | Delegation Chains |
Operational Gaps
Blind spots in most enterprise AI security programmes.
| # | Article | One-Line Summary | Solution |
|---|---|---|---|
| 14 | The Supply Chain Problem | You don't control the model you deploy | Supply Chain Controls |
| 15 | RAG Is Your Biggest Attack Surface | Retrieval pipelines bypass your existing access controls | RAG Security |
| 16 | The Visibility Problem | You can't govern AI you don't know is running - shadow AI, inventories, and governance KPIs | Operational Metrics |
| 17 | Seeing Through the Fog | In multi-product, multi-agent environments, the hardest problem isn't controlling agents - it's knowing where they are and what they're doing | Observability Controls |
Framework Review
How the framework maps to the broader AI ecosystem and where it fits within the full AI lifecycle.
| # | Article | One-Line Summary |
|---|---|---|
| 18 | Review: The Framework Against the AI Lifecycle | Systematic assessment of framework coverage across all seven standard AI lifecycle phases: where it leads, where it defers, and where adopters must supplement |
Research & Evidence
What the peer-reviewed literature says about runtime AI security controls.
| # | Article | One-Line Summary |
|---|---|---|
| 17 | The Evidence Gap | What research actually supports - and where the science hasn't caught up to the architecture |
The Case for Runtime Security
The argument for why AI systems require a fundamentally different security model.
| Article | One-Line Summary |
|---|---|
| Why AI Security Is a Runtime Problem | Non-deterministic systems cannot be fully tested before deployment - security must be continuous |
Analysis
Deeper examinations of where the framework meets production reality - what works, what scales, and where the pattern breaks.
| Article | One-Line Summary |
|---|---|
| State of Reality | The AI security threat is real, specific, and concentrated in measurable failure modes |
| Risk Stories | Real production incidents show where missing controls caused or worsened failures |
| What Scales | Security controls succeed only if their cost grows slower than the system they protect |
| What Works | Deployed controls are measurably reducing breach detection time and costs |
| The Intent Layer | Mechanical controls constrain what agents can do; semantic evaluation determines whether actions align with objectives |
| Containment Through Intent | Declared intent is the organising principle that gives every defence layer its reference point |
| When the Pattern Breaks | The three-layer pattern designed for single-agent systems fails to scale in complex multi-agent architectures |
| Open-Weight Models Shift the Burden | Self-hosted models inherit the provider's control responsibilities |
| PACE Resilience | How the three-layer architecture achieves operational resilience through layered, independent control redundancy |
| Security as Enablement, Not Commentary | Security frameworks create value when delivered as platform infrastructure, not as narrative that diagnoses teams from the sidelines |
| The Constraint Curve | Every constraint reduces both risk and capability - proportionate controls find the peak; over-constraining destroys the value that justified using an LLM |
| The Hallucination Boundary | The same hallucination is a nuisance in one context and a catastrophe in another - tolerance is a function of decision authority, blast radius, and reversibility |
| Automated Risk Tiering | Classification should take two minutes, produce an immediate result, and auto-apply the controls that make the risk manageable |
| Graph-Based Agent Monitoring | Using an in-memory graph database to model agent interactions as a live graph, detect anomalous behavior through temporal graph analysis, and feed results into PACE escalation in near real-time |