Practice‑1: Identity‑Aware AI Security Practice

Version 1.0.0

Linked hypothesis: SPH-1

Practice Summary

Who this is for

This practice is for CISOs, CIOs, CDOs, enterprise architects, security engineering teams, and platform teams responsible for deploying AI capabilities that touch business‑critical systems and data.

What this practice helps you do

This practice shows how to implement SPH‑1 (Identity‑Aware AI Security) by:

  • Inventorying AI capabilities that touch sensitive data (copilots, chatbots, RAG systems, workflow agents).
  • Mapping human and non‑human identities and entitlements that those AI capabilities use.
  • Designing and implementing:
    • Identity‑aware retrieval (AI only sees data the calling identity is allowed to see).
    • Identity‑aware abstraction (what level of detail is revealed to which audiences).
    • Identity‑aware authorization enforcement via IGA and policy engines.
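As an added illustration of the two design goals above, not code from the practice or its workbook: a toy RAG retriever that applies the calling identity's entitlements before ranking (so denied chunks never reach the model's context) and then reveals only the detail tier granted to that audience. The identity fields, tier names, ACL groups and sample chunks are constructed assumptions for this example.

```python
from dataclasses import dataclass

TIER_ORDER = {"exists": 0, "summary": 1, "full": 2}  # least to most revealing (hypothetical)

@dataclass(frozen=True)
class Identity:
    subject: str           # user principal or service-principal id
    kind: str              # "human" or "non-human"
    groups: frozenset      # entitlements resolved from the IGA system
    tier: str              # detail tier this audience may receive

@dataclass(frozen=True)
class Chunk:
    chunk_id: str
    text: str
    allowed_groups: frozenset  # ACL attached to the chunk at index time
    renderings: dict           # tier name -> text safe to reveal at that tier

def authorized(identity, chunk):
    # Entitlement check: any shared group grants read access to the chunk
    return bool(identity.groups & chunk.allowed_groups)

def reveal(chunk, tier):
    """Return the richest rendering at or below the caller's tier ("" if none)."""
    cap = TIER_ORDER[tier]
    for name in sorted(TIER_ORDER, key=TIER_ORDER.get, reverse=True):
        if TIER_ORDER[name] <= cap and name in chunk.renderings:
            return chunk.renderings[name]
    return ""

def retrieve(identity, query, corpus, k=3):
    """Authorization-first retrieval: deny before ranking, then abstract by tier."""
    # Drop chunks the caller cannot read BEFORE ranking, so denied content
    # never reaches the prompt or the model's context window.
    candidates = [c for c in corpus if authorized(identity, c)]
    terms = set(query.lower().split())  # keyword overlap stands in for vector similarity
    scored = [(len(terms & set(c.text.lower().split())), c) for c in candidates]
    top = [c for s, c in sorted(scored, key=lambda p: -p[0])[:k] if s > 0]
    return [(c.chunk_id, r) for c in top if (r := reveal(c, identity.tier))]

# Constructed sample corpus (not real data)
CORPUS = [
    Chunk("fin-1", "Q3 revenue forecast revised down 4 percent for EMEA",
          frozenset({"finance", "exec"}),
          {"full": "Q3 revenue forecast revised down 4 percent for EMEA",
           "summary": "Q3 EMEA forecast was revised", "exists": "A Q3 forecast exists"}),
    Chunk("hr-1", "Salary bands for engineering levels L3 to L6", frozenset({"hr"}),
          {"full": "Salary bands for engineering levels L3 to L6"}),
    Chunk("pol-1", "Travel policy: Q3 expense reports due by the 5th", frozenset({"all-staff"}),
          {"full": "Travel policy: Q3 expense reports due by the 5th"}),
]
```

In a real deployment the ACL on each chunk and the caller's groups would come from the IGA platform and policy engine named in Module 5, and the ranking step would be the vector store's similarity search with the authorization filter pushed down into the query.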

What’s in the interactive workbook

The interactive workbook (free in Version 1) includes:

  • Module 1 – AI capability and data‑surface mapping
    Identify AI systems, the data they touch, and existing controls.

  • Module 2 – Identity model and non‑human identities
    Document how human and non‑human identities are represented today and where governance gaps exist.

  • Module 3 – Identity‑aware retrieval patterns
    Design retrieval layers that apply authorization‑first patterns for copilots, chatbots, RAG, and agents.

  • Module 4 – Identity‑aware abstraction for insight agents
    Define read/transform/reveal rules and detail tiers for enterprise‑wide insight agents.

  • Module 5 – Integration with IGA, policy engines, and security tooling
    Connect AI capabilities to existing IGA platforms, policy engines, DLP/DSPM, and SOC tooling.

This workbook assumes familiarity with SPH‑1 and basic identity/security concepts. It goes deeper than the hypothesis and Practice Summary and is optimized for practitioners and agents.