{"id":18861,"date":"2026-07-16T15:50:47","date_gmt":"2026-07-16T07:50:47","guid":{"rendered":"https:\/\/www.quape.com\/?p=18861"},"modified":"2026-07-16T15:53:34","modified_gmt":"2026-07-16T07:53:34","slug":"ai-infrastructure-security","status":"publish","type":"post","link":"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/","title":{"rendered":"AI Infrastructure Security, A Complete Guide for Engineers"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div>\r\n<div class=\"qps\">\r\n<style>\r\n.qps{--ink:#111318;--body:#33363d;--mut:#8a8f98;--line:#e8e8ea;--code-bg:#0d0f12;--code-ink:#e7e9ec;--code-file:#8a8f98;font-family:-apple-system,BlinkMacSystemFont,\"Segoe UI\",Roboto,Helvetica,Arial,sans-serif;color:var(--body);line-height:1.78;font-size:17px;max-width:720px;margin:0 auto;-webkit-font-smoothing:antialiased;letter-spacing:-.003em}\r\n.qps *{box-sizing:border-box}\r\n.qps p{margin:0 0 22px}\r\n.qps b,.qps strong{color:var(--ink);font-weight:600}\r\n.qps-lead{font-size:1.2rem;line-height:1.68;color:var(--ink);font-weight:420;margin:0 0 46px}\r\n.qps-h2{font-size:1.4rem;font-weight:640;letter-spacing:-.02em;color:var(--ink);margin:56px 0 18px;line-height:1.3}\r\n.qps-h2 .qps-idx{color:var(--mut);font-weight:500;margin-right:14px;font-variant-numeric:tabular-nums;font-size:.92em}\r\n.qps-code{margin:10px 0 30px;border:1px solid var(--line);border-radius:10px;overflow:hidden;background:var(--code-bg)}\r\n.qps-code-top{display:flex;align-items:center;justify-content:space-between;padding:11px 16px;border-bottom:1px solid rgba(255,255,255,.07)}\r\n.qps-code-file{font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.76rem;color:var(--code-file);letter-spacing:.02em}\r\n.qps-copy{appearance:none;border:1px solid rgba(255,255,255,.16);background:transparent;color:#c9cdd3;font:inherit;font-size:.74rem;letter-spacing:.04em;padding:5px 12px;border-radius:6px;cursor:pointer;transition:.15s ease;line-height:1}\r\n.qps-copy:hover{background:rgba(255,255,255,.08);color:#fff}\r\n.qps-copy[data-done=\"1\"]{color:#8fd6a4;border-color:rgba(143,214,164,.4)}\r\n.qps-code pre{margin:0;background:var(--code-bg);color:var(--code-ink);padding:20px;overflow-x:auto;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.855rem;line-height:1.75;tab-size:2}\r\n.qps-tablewrap{overflow-x:auto;margin:10px 0 30px;-webkit-overflow-scrolling:touch;border:1px solid var(--line);border-radius:10px}\r\n.qps-table{width:100%;border-collapse:collapse;font-size:.9rem;min-width:600px}\r\n.qps-table th,.qps-table td,.qps-table tr,.qps-table thead,.qps-table tbody{border:0 !important;background-image:none}\r\n.qps-table thead th{text-align:left;padding:14px 20px !important;font-weight:600;color:#fff;background:#16181d !important;font-size:.72rem;letter-spacing:.07em;text-transform:uppercase;white-space:nowrap}\r\n.qps-table tbody td{padding:15px 20px !important;vertical-align:top;line-height:1.5;color:var(--body);border-bottom:1px solid var(--line) !important}\r\n.qps-table tbody tr:last-child td{border-bottom:0 !important}\r\n.qps-table tbody tr:nth-child(even) td{background:#fafafa !important}\r\n.qps-table td:first-child{color:var(--ink);font-weight:600}\r\n.qps-table .sev{font-family:ui-monospace,Menlo,Consolas,monospace;font-size:.76rem;letter-spacing:.04em;color:var(--mut)}\r\n.qps code.i{font-family:ui-monospace,Menlo,Consolas,monospace;font-size:.87em;color:var(--ink);background:#f4f4f5;padding:1px 6px;border-radius:4px}\r\n.qps-fig{margin:8px 0 36px}\r\n.qps-fig img{width:100%;height:auto;display:block;border-radius:12px;border:1px solid var(--line)}\r\n.qps-fig figcaption{margin-top:12px;font-size:.84rem;color:var(--mut);text-align:center;line-height:1.5}\r\n.qps-svg{width:100%;height:auto;display:block;border:1px solid var(--line);border-radius:12px;background:#fff}\r\n.qps-svg text{font-family:-apple-system,BlinkMacSystemFont,\"Segoe UI\",Roboto,Helvetica,Arial,sans-serif}\r\n.qps-cta{margin:48px 0 10px;background:#F7F9FB;border-radius:16px;padding:48px 40px;display:flex;flex-direction:column;align-items:center;text-align:center}\r\n.qps-cta>*{text-align:center;max-width:100%}\r\n.qps-cta .eyebrow{font-size:.72rem;font-weight:600;letter-spacing:.16em;text-transform:uppercase;color:var(--mut);margin:0 0 14px}\r\n.qps-cta h3{color:var(--ink);font-size:1.4rem;font-weight:650;letter-spacing:-.02em;line-height:1.3;margin:0 0 14px}\r\n.qps-cta p{color:var(--body);font-size:1.02rem;line-height:1.7;margin:0 0 28px;max-width:460px}\r\n.qps-cta a.btn{display:inline-block;background:var(--ink);color:#fff;text-decoration:none;font-size:.96rem;font-weight:600;padding:15px 32px;border-radius:9px;transition:.15s ease}\r\n.qps-cta a.btn:hover{opacity:.9}\r\n@media(max-width:600px){.qps{font-size:16px}.qps-h2{font-size:1.22rem}.qps-lead{font-size:1.08rem}.qps-cta{padding:36px 24px}}\r\n<\/style>\r\n\r\n<p class=\"qps-lead\">Protecting AI in production means securing far more than a single model endpoint. <b>AI infrastructure security<\/b> covers the compute, network, data, and identity that sit underneath every model you train and serve, and in 2026 it has become one of the hardest problems in the field. Autonomous agents now write code, spin up cloud resources, and call privileged APIs on their own, and they do it faster than any human review process was ever built to keep up with.<\/p>\r\n\r\n<figure class=\"qps-fig\">\r\n<svg class=\"qps-svg\" viewBox=\"0 0 720 420\" role=\"img\" aria-label=\"Concentric defense in depth layers wrapping the model and data core\">\r\n<rect x=\"46\" y=\"24\" width=\"628\" height=\"372\" rx=\"16\" fill=\"#ffffff\" stroke=\"#dcdfe4\" stroke-width=\"1.4\"\/>\r\n<rect x=\"86\" y=\"66\" width=\"548\" height=\"322\" rx=\"14\" fill=\"#fafbfc\" stroke=\"#dcdfe4\" stroke-width=\"1.4\"\/>\r\n<rect x=\"126\" y=\"108\" width=\"468\" height=\"272\" rx=\"13\" fill=\"#f5f7f9\" stroke=\"#dcdfe4\" stroke-width=\"1.4\"\/>\r\n<rect x=\"166\" y=\"150\" width=\"388\" height=\"222\" rx=\"12\" fill=\"#eef1f4\" stroke=\"#dcdfe4\" stroke-width=\"1.4\"\/>\r\n<rect x=\"206\" y=\"192\" width=\"308\" height=\"172\" rx=\"11\" fill=\"#e7ebef\" stroke=\"#dcdfe4\" stroke-width=\"1.4\"\/>\r\n<rect x=\"246\" y=\"234\" width=\"228\" height=\"122\" rx=\"12\" fill=\"#111318\"\/>\r\n<text x=\"360\" y=\"46\" font-size=\"14.5\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Edge<\/text>\r\n<text x=\"360\" y=\"61\" font-size=\"11.5\" fill=\"#7a808a\" text-anchor=\"middle\">TLS 1.3, WAF, DDoS scrubbing<\/text>\r\n<text x=\"360\" y=\"88\" font-size=\"14.5\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Network<\/text>\r\n<text x=\"360\" y=\"103\" font-size=\"11.5\" fill=\"#7a808a\" text-anchor=\"middle\">zero trust, mTLS, default deny<\/text>\r\n<text x=\"360\" y=\"130\" font-size=\"14.5\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Identity<\/text>\r\n<text x=\"360\" y=\"145\" font-size=\"11.5\" fill=\"#7a808a\" text-anchor=\"middle\">SPIFFE SVIDs, dynamic secrets<\/text>\r\n<text x=\"360\" y=\"172\" font-size=\"14.5\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Runtime<\/text>\r\n<text x=\"360\" y=\"187\" font-size=\"11.5\" fill=\"#7a808a\" text-anchor=\"middle\">eBPF detection, sandboxing<\/text>\r\n<text x=\"360\" y=\"214\" font-size=\"14.5\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Supply chain<\/text>\r\n<text x=\"360\" y=\"229\" font-size=\"11.5\" fill=\"#7a808a\" text-anchor=\"middle\">signed and scanned artifacts<\/text>\r\n<text x=\"360\" y=\"291\" font-size=\"15\" font-weight=\"600\" fill=\"#ffffff\" text-anchor=\"middle\">Model and data<\/text>\r\n<text x=\"360\" y=\"312\" font-size=\"11.5\" fill=\"#b7bac1\" text-anchor=\"middle\">encrypted, access controlled<\/text>\r\n<\/svg>\r\n<figcaption>Defense in depth. Each layer wraps the model and data at the core, so no single failure exposes the whole system.<\/figcaption>\r\n<\/figure>\r\n\r\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#01Why_2026_Rewrote_the_Threat_Model\" >01Why 2026 Rewrote the Threat Model<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#02Mapping_the_Attack_Surface\" >02Mapping the Attack Surface<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#03Zero_Trust_for_AI_Workloads\" >03Zero Trust for AI Workloads<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#04Constraining_Agentic_Workloads\" >04Constraining Agentic Workloads<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#05Defending_Against_Prompt_Injection\" >05Defending Against Prompt Injection<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#06Securing_the_Model_Supply_Chain\" >06Securing the Model Supply Chain<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#07Machine_Identity_and_Secrets\" >07Machine Identity and Secrets<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#08Data_Protection_and_Encryption\" >08Data Protection and Encryption<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#09Runtime_Threat_Detection\" >09Runtime Threat Detection<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#10Posture_Management_and_Exposure\" >10Posture Management and Exposure<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#11Making_AI_Infrastructure_Security_Work\" >11Making AI Infrastructure Security Work<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.quape.com\/zh\/ai-infrastructure-security\/#Skip_the_maintenance_Keep_the_security\" >Skip the maintenance. Keep the security.<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"01Why_2026_Rewrote_the_Threat_Model\"><\/span><span class=\"qps-idx\">01<\/span>Why 2026 Rewrote the Threat Model<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>For years the security perimeter was a place. You defended the edge of the network and trusted whatever ran inside it. That broke this year for two reasons. Agentic AI moved into production, and these agents hold credentials, reach for tools, and carry out multi step plans against live systems. At the same time attackers picked up the same machinery, automating vulnerability discovery and exploit chaining until the gap between a public weakness and mass exploitation shrank to hours. Machine and non human identities now outnumber human ones by more than eighty to one, according to CyberArk research, models became assets worth stealing, and prompt injection turned into the most practical way in. That last point matters because prompt injection is the number one entry on the OWASP Top 10 for large language models, and any untrusted text reaching a model that holds tools behaves like remote code execution.<\/p>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"02Mapping_the_Attack_Surface\"><\/span><span class=\"qps-idx\">02<\/span>Mapping the Attack Surface<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>Every control in this AI infrastructure security guide maps to a specific layer of the AI stack. Keep this table close as the shorthand for where each risk lives and what answers it.<\/p>\r\n\r\n<div class=\"qps-tablewrap\">\r\n<table class=\"qps-table\">\r\n<thead><tr><th>Layer<\/th><th>Primary threats<\/th><th>Severity<\/th><th>Core controls<\/th><\/tr><\/thead>\r\n<tbody>\r\n<tr><td>Training data<\/td><td>Data poisoning, hidden backdoors, label flipping<\/td><td><span class=\"sev\">HIGH<\/span><\/td><td>Provenance tracking, dataset signing, anomaly screening<\/td><\/tr>\r\n<tr><td>Model and weights<\/td><td>Exfiltration, tampering, unsafe deserialization<\/td><td><span class=\"sev\">CRITICAL<\/span><\/td><td>Encryption at rest, signed artifacts, safetensors<\/td><\/tr>\r\n<tr><td>Inference and serving<\/td><td>Prompt injection, jailbreaks, output manipulation<\/td><td><span class=\"sev\">CRITICAL<\/span><\/td><td>Input and output guardrails, context isolation<\/td><\/tr>\r\n<tr><td>Agent runtime<\/td><td>Tool abuse, privilege escalation, lateral movement<\/td><td><span class=\"sev\">CRITICAL<\/span><\/td><td>Scoped ephemeral tokens, sandboxing, approval gates<\/td><\/tr>\r\n<tr><td>Supply chain<\/td><td>Malicious models, poisoned dependencies<\/td><td><span class=\"sev\">HIGH<\/span><\/td><td>AI BOM, model scanning, signature verification<\/td><\/tr>\r\n<tr><td>Retrieval and memory<\/td><td>Cross tenant leakage, indirect injection via RAG<\/td><td><span class=\"sev\">MEDIUM<\/span><\/td><td>Per tenant access control, content quarantine<\/td><\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"03Zero_Trust_for_AI_Workloads\"><\/span><span class=\"qps-idx\">03<\/span>Zero Trust for AI Workloads<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>Once a threat can run inside your cluster as an authenticated workload, network location stops meaning anything. What matters is whether a service can prove who it is on every request. Give each inference service, agent, and vector store a short lived identity through SPIFFE and SPIRE, an SVID that rotates automatically and expires in about an hour by default, instead of a static key that never changes, then enforce mutual TLS with a mesh like Istio or Linkerd and deny traffic between services by default. A compromised agent pod has no business reaching the model registry, and a network policy makes that boundary enforceable.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">networkpolicy-model-server.yaml<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>apiVersion: networking.k8s.io\/v1\r\nkind: NetworkPolicy\r\nmetadata:\r\n  name: model-server-lockdown\r\nspec:\r\n  podSelector:\r\n    matchLabels: { app: model-server }\r\n  policyTypes: [Ingress]\r\n  ingress:\r\n    - from:\r\n        - podSelector:\r\n            matchLabels: { app: inference-gateway }\r\n      ports:\r\n        - { protocol: TCP, port: 8080 }<\/pre>\r\n<\/div>\r\n\r\n<p>Harden the pod itself in the same breath. A non root, read only, no privilege escalation security context removes most of the primitives an attacker needs after a container compromise.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">pod-securitycontext.yaml<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>securityContext:\r\n  runAsNonRoot: true\r\n  runAsUser: 10001\r\n  allowPrivilegeEscalation: false\r\n  readOnlyRootFilesystem: true\r\n  seccompProfile:\r\n    type: RuntimeDefault\r\n  capabilities:\r\n    drop: [\"ALL\"]<\/pre>\r\n<\/div>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"04Constraining_Agentic_Workloads\"><\/span><span class=\"qps-idx\">04<\/span>Constraining Agentic Workloads<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>Agents are the hardest part of AI infrastructure security to get right, because they pair open ended reasoning with the ability to act. An agent should never carry more authority than its current task needs, and that authority should expire the moment the task ends. Scope each tool to the smallest policy that works, issue short lived credentials per task, and run agent generated code inside a sandbox with no host mounts and tight egress rules.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">issue-scoped-agent-credentials.sh<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>aws sts assume-role \\\r\n  --role-arn arn:aws:iam::123456789012:role\/agent-readonly-s3 \\\r\n  --role-session-name agent-task-$(uuidgen) \\\r\n  --duration-seconds 900 \\\r\n  --policy '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\r\n    \"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::reports\/*\"}]}'<\/pre>\r\n<\/div>\r\n\r\n<p>Anything irreversible, deleting data, deploying, spending money, should pause for human approval, and every prompt, tool call, and response should land in an immutable log. The mistake that shows up most often is handing an agent one broad role because scoping every tool felt like too much work. That single role becomes the blast radius of every prompt injection you will ever receive.<\/p>\r\n\r\n<figure class=\"qps-fig\">\r\n<svg class=\"qps-svg\" viewBox=\"0 0 720 272\" role=\"img\" aria-label=\"Dual LLM pattern keeping untrusted input away from the model that holds tools\">\r\n<defs>\r\n<marker id=\"d2arrow\" markerWidth=\"9\" markerHeight=\"9\" refX=\"7\" refY=\"3\" orient=\"auto\"><path d=\"M0,0 L7,3 L0,6 Z\" fill=\"#8a8f98\"\/><\/marker>\r\n<\/defs>\r\n<text x=\"360\" y=\"24\" font-size=\"11\" fill=\"#9aa0a8\" text-anchor=\"middle\" letter-spacing=\"0.4\">PRIVILEGE BOUNDARY<\/text>\r\n<line x1=\"360\" y1=\"34\" x2=\"360\" y2=\"250\" stroke=\"#c7cace\" stroke-width=\"1.5\" stroke-dasharray=\"5 6\"\/>\r\n<rect x=\"24\" y=\"42\" width=\"210\" height=\"70\" rx=\"11\" fill=\"#f7f9fb\" stroke=\"#e4e6ea\"\/>\r\n<text x=\"129\" y=\"73\" font-size=\"13.5\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Untrusted input<\/text>\r\n<text x=\"129\" y=\"92\" font-size=\"11\" fill=\"#7a808a\" text-anchor=\"middle\">user, web, RAG<\/text>\r\n<rect x=\"24\" y=\"172\" width=\"210\" height=\"70\" rx=\"11\" fill=\"#f7f9fb\" stroke=\"#e4e6ea\"\/>\r\n<text x=\"129\" y=\"203\" font-size=\"13.5\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Quarantined LLM<\/text>\r\n<text x=\"129\" y=\"222\" font-size=\"11\" fill=\"#7a808a\" text-anchor=\"middle\">no tools<\/text>\r\n<rect x=\"486\" y=\"42\" width=\"210\" height=\"70\" rx=\"11\" fill=\"#111318\"\/>\r\n<text x=\"591\" y=\"73\" font-size=\"13.5\" font-weight=\"600\" fill=\"#ffffff\" text-anchor=\"middle\">Privileged planner<\/text>\r\n<text x=\"591\" y=\"92\" font-size=\"11\" fill=\"#b7bac1\" text-anchor=\"middle\">holds tools<\/text>\r\n<rect x=\"486\" y=\"172\" width=\"210\" height=\"70\" rx=\"11\" fill=\"#f7f9fb\" stroke=\"#e4e6ea\"\/>\r\n<text x=\"591\" y=\"212\" font-size=\"13.5\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Tools and actions<\/text>\r\n<line x1=\"129\" y1=\"112\" x2=\"129\" y2=\"170\" stroke=\"#8a8f98\" stroke-width=\"1.6\" marker-end=\"url(#d2arrow)\"\/>\r\n<text x=\"139\" y=\"146\" font-size=\"11\" fill=\"#7a808a\">raw text<\/text>\r\n<path d=\"M234,207 H440 V90 H484\" fill=\"none\" stroke=\"#8a8f98\" stroke-width=\"1.6\" marker-end=\"url(#d2arrow)\"\/>\r\n<text x=\"255\" y=\"199\" font-size=\"11\" fill=\"#7a808a\">validated data<\/text>\r\n<line x1=\"591\" y1=\"112\" x2=\"591\" y2=\"170\" stroke=\"#8a8f98\" stroke-width=\"1.6\" marker-end=\"url(#d2arrow)\"\/>\r\n<text x=\"601\" y=\"146\" font-size=\"11\" fill=\"#7a808a\">scoped calls<\/text>\r\n<line x1=\"234\" y1=\"64\" x2=\"484\" y2=\"64\" stroke=\"#b0b4ba\" stroke-width=\"1.6\" stroke-dasharray=\"5 4\"\/>\r\n<text x=\"360\" y=\"52\" font-size=\"11\" fill=\"#9aa0a8\" text-anchor=\"middle\">untrusted blocked<\/text>\r\n<text x=\"360\" y=\"69\" font-size=\"13\" fill=\"#9aa0a8\" text-anchor=\"middle\">&#10007;<\/text>\r\n<\/svg>\r\n<figcaption>The dual LLM pattern. Untrusted text never reaches the model that holds tools, so an injected instruction has nothing to act on.<\/figcaption>\r\n<\/figure>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"05Defending_Against_Prompt_Injection\"><\/span><span class=\"qps-idx\">05<\/span>Defending Against Prompt Injection<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>Think of injection as data against instructions. Your system prompt is trusted, everything else is not, and the moment untrusted content lands in the same context an attacker can try to rewrite the agent goals. The defense is to keep those streams apart and never let raw model output drive a dangerous sink. Screen inbound prompts with a guardrail, then validate every model output against a strict schema before it reaches a shell, a query, or <code class=\"i\">eval()<\/code>.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">output-schema-guard.py<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>from typing import Literal\r\nfrom pydantic import BaseModel, ValidationError\r\n\r\nclass ToolCall(BaseModel):\r\n    action: Literal[\"search_docs\", \"summarize\"]\r\n    query: str\r\n\r\ndef enforce(raw_model_output: str) -> ToolCall:\r\n    try:\r\n        return ToolCall.model_validate_json(raw_model_output)\r\n    except ValidationError:\r\n        raise PermissionError(\"model output rejected: not an allowed action\")<\/pre>\r\n<\/div>\r\n\r\n<p>When the model has to read an untrusted document, strip its tools for the duration. For the highest stakes work, run a dual model setup where a privileged planner never sees raw untrusted data and hands parsing to a quarantined model with no tools at all. The rule underneath it stays the same. If one component both reads attacker controlled text and holds a dangerous capability, that is a vulnerability, not a feature. It is worth reading the <a href=\"https:\/\/genai.owasp.org\/llm-top-10\/\" target=\"_blank\" rel=\"noopener\">OWASP Top 10 for LLM Applications<\/a> in full, since injection sits at the top of it.<\/p>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"06Securing_the_Model_Supply_Chain\"><\/span><span class=\"qps-idx\">06<\/span>Securing the Model Supply Chain<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>A model pulled from a public hub is code, and it deserves the same suspicion as any dependency. A malicious pickle runs on load, and weights can be quietly backdoored. This is not hypothetical. In early 2025, researchers at ReversingLabs found malicious models on Hugging Face that used broken pickle files to slip past picklescan, a technique they named nullifAI, and the payload was a plain reverse shell. Scan artifacts before they load, prefer <code class=\"i\">safetensors<\/code> which stores only tensor data and cannot execute code, sign what you trust with Cosign, and verify signatures at admission so an unsigned model cannot be served.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">verify-model-before-serve.sh<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>modelscan -p .\/models\/llama-3-8b.safetensors || exit 1\r\n\r\ncosign verify \\\r\n  --key cosign.pub \\\r\n  registry.example.com\/models\/llama-3@sha256:abc123...<\/pre>\r\n<\/div>\r\n\r\n<p>Enforce that verification at the cluster edge so policy, not a person, is the gate. A Kyverno rule that rejects unsigned images turns supply chain hygiene into something that cannot be skipped under deadline.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">kyverno-require-signed-models.yaml<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>apiVersion: kyverno.io\/v1\r\nkind: ClusterPolicy\r\nmetadata:\r\n  name: require-signed-models\r\nspec:\r\n  validationFailureAction: Enforce\r\n  rules:\r\n    - name: verify-model-signature\r\n      match:\r\n        any:\r\n          - resources:\r\n              kinds: [Pod]\r\n      verifyImages:\r\n        - imageReferences: [\"registry.example.com\/models\/*\"]\r\n          attestors:\r\n            - entries:\r\n                - keys:\r\n                    publicKeys: |-\r\n                      -----BEGIN PUBLIC KEY-----\r\n                      MFkwEwYHKoZI...\r\n                      -----END PUBLIC KEY-----<\/pre>\r\n<\/div>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"07Machine_Identity_and_Secrets\"><\/span><span class=\"qps-idx\">07<\/span>Machine Identity and Secrets<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>Non human identities are the largest piece of attack surface most teams never manage. Issue database and provider credentials dynamically so they expire on their own and never sit static in an env file or a commit history. Instead of a long lived password, an agent requests a lease that dies in an hour.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">vault-dynamic-db-creds.sh<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>vault read -format=json database\/creds\/agent-role \\\r\n  | jq '{user: .data.username, ttl: .lease_duration, lease: .lease_id}'\r\n\r\n# rotate the static root that mints them on a schedule\r\nvault write -f database\/rotate-root\/app-postgres<\/pre>\r\n<\/div>\r\n\r\n<p>Rotate every API key and service token on a schedule, run <code class=\"i\">gitleaks<\/code> or <code class=\"i\">trufflehog<\/code> in CI so a leaked key is caught before it merges, and audit continuously for the dormant, over privileged identities attackers settle into and wait behind.<\/p>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"08Data_Protection_and_Encryption\"><\/span><span class=\"qps-idx\">08<\/span>Data Protection and Encryption<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>Encryption is the part of AI infrastructure security teams most often assume is handled and most often is not. It should cover the whole pipeline, and it is safest to assume any store can eventually be read by someone who should not. Terminate everything on TLS 1.3, disable weaker protocols, and enforce HSTS on every hop including the internal ones.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">tls-hardening.conf<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>ssl_protocols TLSv1.3;\r\nssl_prefer_server_ciphers off;\r\nssl_session_tickets off;\r\nadd_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\" always;<\/pre>\r\n<\/div>\r\n\r\n<p>At rest, training data, vector stores, and weights all deserve envelope encryption backed by a KMS or HSM. Tokenize or redact sensitive fields before they reach a prompt or an embedding job, and give retrieval per tenant access controls so one customer&#8217;s question can never surface another customer&#8217;s documents.<\/p>\r\n\r\n<figure class=\"qps-fig\">\r\n<svg class=\"qps-svg\" viewBox=\"0 0 720 288\" role=\"img\" aria-label=\"eBPF runtime detection flow from container syscalls to SIEM alert\">\r\n<defs>\r\n<marker id=\"rarrow\" markerWidth=\"9\" markerHeight=\"9\" refX=\"7\" refY=\"3\" orient=\"auto\"><path d=\"M0,0 L7,3 L0,6 Z\" fill=\"#8a8f98\"\/><\/marker>\r\n<\/defs>\r\n<rect x=\"24\" y=\"24\" width=\"228\" height=\"66\" rx=\"10\" fill=\"#f7f9fb\" stroke=\"#e4e6ea\"\/>\r\n<text x=\"138\" y=\"52\" font-size=\"14\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">AI serving pod<\/text>\r\n<text x=\"138\" y=\"72\" font-size=\"11.5\" fill=\"#6b7280\" text-anchor=\"middle\">user space<\/text>\r\n<line x1=\"18\" y1=\"128\" x2=\"702\" y2=\"128\" stroke=\"#c7cace\" stroke-width=\"1.5\" stroke-dasharray=\"5 5\"\/>\r\n<text x=\"696\" y=\"120\" font-size=\"11\" fill=\"#9aa0a8\" text-anchor=\"end\">user space  \/  kernel<\/text>\r\n<rect x=\"24\" y=\"162\" width=\"180\" height=\"66\" rx=\"10\" fill=\"#111318\"\/>\r\n<text x=\"114\" y=\"190\" font-size=\"14\" font-weight=\"600\" fill=\"#ffffff\" text-anchor=\"middle\">eBPF probe<\/text>\r\n<text x=\"114\" y=\"210\" font-size=\"11.5\" fill=\"#b7bac1\" text-anchor=\"middle\">kernel<\/text>\r\n<rect x=\"256\" y=\"162\" width=\"184\" height=\"66\" rx=\"10\" fill=\"#f7f9fb\" stroke=\"#e4e6ea\"\/>\r\n<text x=\"348\" y=\"190\" font-size=\"14\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Falco \/ Tetragon<\/text>\r\n<text x=\"348\" y=\"210\" font-size=\"11.5\" fill=\"#6b7280\" text-anchor=\"middle\">rule engine<\/text>\r\n<rect x=\"492\" y=\"162\" width=\"204\" height=\"66\" rx=\"10\" fill=\"#f7f9fb\" stroke=\"#e4e6ea\"\/>\r\n<text x=\"594\" y=\"199\" font-size=\"14\" font-weight=\"600\" fill=\"#111318\" text-anchor=\"middle\">Alert &#8594; SIEM<\/text>\r\n<line x1=\"114\" y1=\"90\" x2=\"114\" y2=\"160\" stroke=\"#8a8f98\" stroke-width=\"1.6\" marker-end=\"url(#rarrow)\"\/>\r\n<text x=\"124\" y=\"124\" font-size=\"11\" fill=\"#6b7280\">syscalls: execve, open<\/text>\r\n<line x1=\"204\" y1=\"195\" x2=\"254\" y2=\"195\" stroke=\"#8a8f98\" stroke-width=\"1.6\" marker-end=\"url(#rarrow)\"\/>\r\n<line x1=\"440\" y1=\"195\" x2=\"490\" y2=\"195\" stroke=\"#8a8f98\" stroke-width=\"1.6\" marker-end=\"url(#rarrow)\"\/>\r\n<text x=\"466\" y=\"185\" font-size=\"10.5\" fill=\"#6b7280\" text-anchor=\"middle\">match<\/text>\r\n<\/svg>\r\n<figcaption>Runtime detection with eBPF. A shell spawned inside a serving pod becomes a syscall the kernel probe sees and the rule engine flags in real time.<\/figcaption>\r\n<\/figure>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"09Runtime_Threat_Detection\"><\/span><span class=\"qps-idx\">09<\/span>Runtime Threat Detection<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>Runtime detection is the last line of AI infrastructure security, because prevention fails eventually and you need to watch what happens while it happens. eBPF tools like Falco and Tetragon observe system calls at the kernel level without touching your application, which makes them well suited to catching a container escape or an unexpected process the instant it appears.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">falco-rule-ai-container.yaml<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>- rule: Shell in AI Serving Container\r\n  desc: Detect an interactive shell inside a model serving pod\r\n  condition: &gt;\r\n    spawned_process and container\r\n    and container.image.repository contains \"model-server\"\r\n    and proc.name in (bash, sh, zsh)\r\n  output: \"Shell in AI container (user=%user.name cmd=%proc.cmdline)\"\r\n  priority: WARNING<\/pre>\r\n<\/div>\r\n\r\n<p>Feed the logs into a SIEM such as Wazuh or Elastic Security, alert on abnormal token consumption alongside the usual indicators of compromise, and scatter canary tokens through your data stores so that exfiltration announces itself early.<\/p>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"10Posture_Management_and_Exposure\"><\/span><span class=\"qps-idx\">10<\/span>Posture Management and Exposure<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>The cheapest bugs to fix are the ones that never ship. Scan infrastructure as code in the pipeline so an open bucket or a misconfigured GPU cluster is caught before it becomes an exposure, and fail the build on anything critical.<\/p>\r\n\r\n<div class=\"qps-code\">\r\n<div class=\"qps-code-top\"><span class=\"qps-code-file\">ci-iac-scan.yml<\/span><button class=\"qps-copy\" type=\"button\">Copy<\/button><\/div>\r\n<pre>steps:\r\n  - name: Scan infrastructure as code\r\n    run: |\r\n      tfsec . --minimum-severity HIGH\r\n      trivy config --exit-code 1 --severity CRITICAL,HIGH .\r\n      checkov -d . --compact --quiet<\/pre>\r\n<\/div>\r\n\r\n<p>Beyond individual findings, continuous threat exposure management strings them into the path an attacker would actually walk. This is the five stage Gartner model of scoping, discovery, prioritization, validation, and mobilization, and it targets the specific chain of misconfigurations and exposed credentials that ends at your models rather than treating every alert as equal. And with the first post quantum standards now <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2024\/08\/nist-releases-first-3-finalized-post-quantum-encryption-standards\" target=\"_blank\" rel=\"noopener\">finalized by NIST as FIPS 203, 204, and 205<\/a>, building crypto agility in today makes tomorrow&#8217;s migration a configuration change rather than a rebuild.<\/p>\r\n\r\n<h2 class=\"qps-h2\"><span class=\"ez-toc-section\" id=\"11Making_AI_Infrastructure_Security_Work\"><\/span><span class=\"qps-idx\">11<\/span>Making AI Infrastructure Security Work<span class=\"ez-toc-section-end\"><\/span><\/h2>\r\n\r\n<p>None of this is a product you buy in a box. AI infrastructure security is a program you run, made of workload identity for everything, agents on a short leash, serving hardened against injection, a supply chain you can vouch for, secrets that expire on their own, encryption everywhere, and detection at the same speed as the threats.<\/p>\r\n\r\n<p>No single control carries the load. Layered together they push the cost of an attack past what most adversaries will pay, as long as you keep auditing, scanning, patching, and red teaming on a steady cadence. That cadence is where most teams run out of hours, because hardening hosts, watching logs, rotating keys, and applying patches is work that never really stops.<\/p>\r\n\r\n<div class=\"qps-cta\">\r\n<p class=\"eyebrow\">Managed VPS by Quape<\/p>\r\n<h3><span class=\"ez-toc-section\" id=\"Skip_the_maintenance_Keep_the_security\"><\/span>Skip the maintenance. Keep the security.<span class=\"ez-toc-section-end\"><\/span><\/h3>\r\n<p>Quape VPS Hosting is secure by default and fully managed by our team. We handle the hardening and monitoring so you can focus on your product.<\/p>\r\n<a class=\"btn\" href=\"https:\/\/www.quape.com\/hosting\/vps-hosting\/\">Explore VPS Hosting<\/a>\r\n<\/div>\r\n\r\n<script>\r\n(function(){\r\n  var root = document.currentScript.closest('.qps');\r\n  if(!root) return;\r\n  root.querySelectorAll('.qps-copy').forEach(function(btn){\r\n    btn.addEventListener('click', function(){\r\n      var pre = btn.closest('.qps-code').querySelector('pre');\r\n      var text = pre.innerText;\r\n      var done = function(){\r\n        btn.textContent = 'Copied';\r\n        btn.setAttribute('data-done','1');\r\n        setTimeout(function(){ btn.textContent = 'Copy'; btn.removeAttribute('data-done'); }, 1800);\r\n      };\r\n      if(navigator.clipboard && navigator.clipboard.writeText){\r\n        navigator.clipboard.writeText(text).then(done).catch(function(){ fallback(text); done(); });\r\n      } else { fallback(text); done(); }\r\n      function fallback(t){\r\n        var ta = document.createElement('textarea');\r\n        ta.value = t; ta.style.position='fixed'; ta.style.opacity='0';\r\n        document.body.appendChild(ta); ta.select();\r\n        try{ document.execCommand('copy'); }catch(e){}\r\n        document.body.removeChild(ta);\r\n      }\r\n    });\r\n  });\r\n})();\r\n<\/script>\r\n\r\n<\/div>\r\n\r\n","protected":false},"excerpt":{"rendered":"<p>Protecting AI in production means securing far more than a single model endpoint. AI infrastructure security covers the compute, network, data, and identity that sit underneath every model you train and serve, and in 2026 it has become one of the hardest problems in the field. Autonomous agents now write code, spin up cloud resources, [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":18883,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[93,9,24],"tags":[481,482,485,484,483],"class_list":["post-18861","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-hosting","category-server","tag-ai-infrastructure-security","tag-ai-security","tag-cloud-security","tag-prompt-injection","tag-zero-trust"],"_links":{"self":[{"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/posts\/18861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/comments?post=18861"}],"version-history":[{"count":17,"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/posts\/18861\/revisions"}],"predecessor-version":[{"id":18881,"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/posts\/18861\/revisions\/18881"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/media\/18883"}],"wp:attachment":[{"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/media?parent=18861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/categories?post=18861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quape.com\/zh\/wp-json\/wp\/v2\/tags?post=18861"}],"curies":[{"name":"\u53ef\u6e7f\u6027\u7c89\u5242","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}