The alert that wakes your on-call engineer at two in the morning says the assistant's token spend has tripled. The engineer on duty did not build the feature, so the questions land in the incident channel: who can turn this off, which keys does it hold, what data can it reach, who has to be told. Every answer exists: the threats in a planning doc, the key list in a stale questionnaire answer, the kill flag in a runbook nobody bookmarked, the disclosure rule in the head of a teammate asleep in another timezone. Assembling them takes forty minutes, and the meter runs the whole time.
This part had you build every one of those answers: a ranked threat map, a scoped key inventory, a trace of where your product copies data, a register of everything you import, a layer plan for what the prompt cannot stop, and a dated ledger of the attacks you ran on yourself. Still missing is the one page that holds them together, where the person holding the phone can find it.
A security posture nobody wrote down is a mood, not a posture. A mood cannot be handed to the engineer on call.
Security work runs from design to operation
In November 2023, the UK's National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency published joint Guidelines for Secure AI System Development, co-sealed by agencies from eighteen countries. The document's structure carries its biggest lesson: the work spans secure design, secure development, secure deployment, and secure operation, because the field's authorities agree security starts before the first line of code and runs as long as the product does.
The frontier labs already keep the written version: OpenAI shipped GPT-4 with a system card, a public record of the failure modes its red teams probed and the mitigations that shipped in response. The Security Posture is the one-page, product-sized form of the same idea, and it ships as a fillable PDF of the same name in the artifacts library, with one field per section. The walk below fills it.
Walk the page from the job line to the signatures
Most fields condense a page this part had you draft; the last few you write here.
- The job line. One sentence: what the feature does, for whom, over what data. Every field below defends it.
- The top-5 threat map. Your ranked threat lines from Threat-model your AI feature, ordered by reversibility and reach.
- The authority table. Every action, the identity it borrows, the scope of that key, and its autonomy rung, from Identity: whose keys your AI holds.
- The data flow with retention. The copies your product keeps, each with a retention number and its readers, from Data: what flows in and what leaks out.
- The supply-chain register. Every model, library, and tool server you import, with publisher and pin status, from The supply chain you didn't build.
- The defense layers. Which control catches an attack when the layer above it fails, from Defense in layers: what the prompt cannot stop.
- The red-team ledger. Attacks you ran on your own product, dated, with what broke and what changed, from Red-team your product before strangers do.
- Cost caps. Per-session and per-day ceilings that turn abuse into a bounded bill, the meter lesson from Why attackers love AI products.
- The kill switch and the first 24 hours. Who can stop the feature, where the stop takes effect, when it was last rehearsed, and the first day's steps, expanded below.
- Sign-offs. Real names and dates, also below.
For the support assistant we have followed through this part, the authority table runs like this.
| Action | Borrowed identity | Scope | Autonomy rung |
|---|---|---|---|
| answer from the help center | a service account | reads one corpus | acts silently |
| look up an order | the signed-in customer | reads their rows only | acts silently |
| issue a refund | the support team's grant | writes, capped per day | acts with approval |
Any row whose scope is wider than its action is a finding, cheaper to fix today than mid-incident.
The posture extends the charter and feeds the quality bar
If your feature acts on the user's behalf, the tool table you signed in Write the Agent Charter and ship with authority you chose seeds the authority table; the posture adds whose keys each action borrows and what an attacker steering the feature would inherit. The red-team ledger feeds the other direction: every attack that worked becomes a must-never statement in The quality bar: decide what good means, retested on every release instead of trusted once.
Write the first 24 hours as steps anyone can run
The kill-switch field is read under the worst conditions the product will ever meet, so write the first day as steps someone who did not build the feature can run alone.
- Shut the door. Flip the switch and let the feature go dark: Microsoft took its Tay bot offline about sixteen hours after launch when strangers steered it into posting offensive replies, and Meta closed its Galactica demo on day three for producing fluent articles and citations that were false. A switch you can reach in minutes turns a public crisis into an outage.
- Revoke the keys. Rotate every credential in the authority table, widest scope first; the revocation rehearsal you timed for the key inventory makes this minutes instead of days.
- Read the receipts. Establish what the feature did before deciding what to say: the run ledger from Receipts and recovery: design for the failed run if you have one, your logs and the data-flow field if not.
- Tell the people. Affected users, your team, and, where personal data is involved, the regulator on a clock: European law gives you 72 hours from becoming aware of a breach, finished investigating or not.
One rehearsal makes the plan real. Netflix built Chaos Monkey to terminate its own production servers at random, because recovery stays reliable only while it keeps happening. Your version costs one deliberate pull of the switch: time it, and write the number on the page.
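The switch and the caps are small pieces of code once the page names them. The block below is an added example, not code from the book or its artifacts library: a gate that every model call passes, reading an assumed flag store (an in-memory stand-in here) and failing closed when the flag cannot be read, enforcing the per-session and per-day token ceilings from the cost-caps field, and a rehearsal routine that pulls the switch and measures the seconds from decision to the first refused request. The class and flag names are ours.

```python
"""A kill switch and cost caps in front of an AI feature.

Added example, not code from the book or its artifacts library. It assumes a
flag store the on-call engineer can write (an in-memory stand-in below) and
a spend ledger kept per session and per calendar day; the names are ours.
"""
import time
from collections import defaultdict
from datetime import date


class Refused(Exception):
    """The gate would not let the request through."""


class FlagStore:
    """Stand-in for a real flag service; set `down` to simulate an outage."""

    def __init__(self):
        self.values = {"assistant.enabled": True}
        self.down = False

    def read(self, name):
        if self.down:
            raise ConnectionError("flag service unreachable")
        return self.values.get(name)

    def write(self, name, value):
        self.values[name] = value


class FeatureGate:
    """Every model call passes `admit` first, so the bill cannot exceed the caps."""

    def __init__(self, flags, per_session_tokens, per_day_tokens):
        self.flags = flags
        self.per_session = per_session_tokens
        self.per_day = per_day_tokens
        self.session_spend = defaultdict(int)
        self.day_spend = defaultdict(int)

    def enabled(self):
        """Fail closed: a flag you cannot read counts as the switch pulled."""
        try:
            return self.flags.read("assistant.enabled") is True
        except Exception:
            return False

    def admit(self, session_id, est_tokens, today=None):
        """Reserve `est_tokens` against both ceilings, or raise Refused."""
        today = today or date.today()
        if not self.enabled():
            raise Refused("kill switch is pulled")
        if self.session_spend[session_id] + est_tokens > self.per_session:
            raise Refused(f"session {session_id} is at its token ceiling")
        if self.day_spend[today] + est_tokens > self.per_day:
            raise Refused("daily token ceiling reached")
        self.session_spend[session_id] += est_tokens
        self.day_spend[today] += est_tokens
        return True

    def settle(self, session_id, est_tokens, actual_tokens, today=None):
        """Replace the reservation with what the model call really cost."""
        today = today or date.today()
        delta = actual_tokens - est_tokens
        self.session_spend[session_id] += delta
        self.day_spend[today] += delta


def simulate_abuse(gate, sessions, chunk, today):
    """Drive many sessions as hard as the gate allows; return tokens admitted."""
    admitted = 0
    for s in range(sessions):
        while True:
            try:
                gate.admit(f"abuser-{s}", chunk, today)
                admitted += chunk
            except Refused:
                break
    return admitted


def rehearse_kill_switch(gate, flags, probe):
    """Pull the switch, then measure seconds from decision to first refusal."""
    start = time.monotonic()
    flags.write("assistant.enabled", False)
    while True:
        try:
            probe()
        except Refused:
            return time.monotonic() - start
        time.sleep(0.01)  # a real flag service takes a moment to propagate


if __name__ == "__main__":
    flags = FlagStore()
    gate = FeatureGate(flags, per_session_tokens=1_000, per_day_tokens=5_000)
    print("tokens an abuser could burn today:",
          simulate_abuse(gate, sessions=10, chunk=100, today=date(2024, 5, 2)))
    secs = rehearse_kill_switch(gate, flags, lambda: gate.admit("rehearsal", 1))
    print(f"decision to silence: {secs:.3f} s; write that on the page")
```

The abuse loop shows the bill stopping at the daily ceiling however many sessions an attacker opens, and the rehearsal number is the one the kill-switch field asks for; in production the probe would be a real request against the deployed feature rather than a local call, so the measured time includes flag propagation.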
Sign-offs turn the page into a commitment
The last field is names and dates: whoever owns the product signs that the page matches what is built, and whoever carries the on-call phone signs that the first day is runnable as written. The same pattern holds at the frontier, where Anthropic's Responsible Scaling Policy names a Responsible Scaling Officer, one person accountable for implementation, because responsibility without a name dissolves under pressure. A signature does not claim the product cannot be hurt; it records that someone looked at the remaining risk and chose to accept it.
Defended is a page you can sign, not a feeling you have. The feeling drifts with every reorg and model swap; the page survives both.
This page closes the part, and the part closes The Practice. You arrived with a feature and a vague worry; you leave with threats ranked, keys scoped, data traced, imports pinned, layers stacked, attacks rehearsed, and one signed page that proves it. The next altitude is The Frontier: fleets of agents, and rooms where the stakes are health, money, and freedom. Everything up there assumes the page in your hand.
Try it now
Give this about fifteen minutes if you ran this part's drills, since every field already exists in your notes, plus one rehearsal.
Gather what the part produced. Download The Security Posture and lay out your threat map, key sentences, data stops, chain register, layer plan, and red-team notes. For any holes, point Claude Code at the repository and ask for the missing rows: keys loaded, dependency versions, every place a payload is written.
Fill every field or mark it open. Copy each artifact in, reduced to what fits its field. Where you have nothing, write "open" rather than something hopeful; the open fields are next month's backlog.
Rehearse the kill switch and time it. Pick a quiet hour, announce it, flip the real switch in staging or behind a production flag, and measure the minutes from decision to silence. Write the number in the kill-switch field; if it embarrasses you, you found your next fix.
Collect the signatures. The product owner and the on-call owner sign and date the page; re-sign it whenever the feature gains a tool, a model, a data source, or a vendor.
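Filling the page is the drill, but most of its rules can be checked by a script, including the authority-table rule above that any row whose scope is wider than its action is a finding. The block below is an added example, not the book's artifact or any checker it ships: it assumes the posture is also kept as structured data beside the PDF, under field names of our choosing, and lints it for blank fields, open fields, over-scoped rows, an untimed kill switch, missing cost caps, and signatures older than the last change.

```python
"""Lint a Security Posture kept as structured data beside the PDF.

Added example, not the book's artifact or any checker it ships. It assumes
the page's fields live in a dict (loaded from YAML or JSON) under the names
below, and that each authority row records the reach its action needs.
"""
from datetime import date

# Assumed ordering of reach: a key granting more than its action needs is
# the finding the authority table exists to surface.
REACH = {"none": 0, "read": 1, "write": 2, "admin": 3}

# The page's fields in order; each holds content or the single word "open".
FIELDS = ["job_line", "threat_map", "authority_table", "data_flow",
          "supply_chain", "defense_layers", "red_team_ledger", "cost_caps",
          "kill_switch", "sign_offs"]

# Once a section is filled rather than open, these keys must be recorded.
REQUIRED = {
    "kill_switch": ("owner", "last_rehearsed", "minutes_to_silence"),
    "cost_caps": ("per_session_tokens", "per_day_tokens"),
}


def lint_authority(rows):
    """Flag every row whose scope is wider than its action."""
    return [f"authority: '{r['action']}' needs {r['needs']} but its key grants {r['scope']}"
            for r in rows if REACH[r["scope"]] > REACH[r["needs"]]]


def lint_fields(posture):
    """Blank fields are findings; fields marked open are next month's backlog."""
    findings, backlog = [], []
    for name in FIELDS:
        value = posture.get(name)
        if value in (None, "", [], {}):
            findings.append(f"field: '{name}' is blank; fill it or write open")
        elif value == "open":
            backlog.append(name)
    return findings, backlog


def lint_required(name, section):
    """A filled section with a key missing is a finding, not a backlog item."""
    return [f"{name}: '{k}' not recorded" for k in REQUIRED[name]
            if section.get(k) in (None, "")]


def lint_sign_offs(signs, last_changed):
    """Both roles sign, and a signature older than the last change has expired."""
    findings = []
    for role in ("product_owner", "on_call_owner"):
        s = signs.get(role) or {}
        if not s.get("name") or not s.get("date"):
            findings.append(f"sign-offs: '{role}' has not signed")
        elif s["date"] < last_changed:
            findings.append(f"sign-offs: '{role}' signed {s['date']} but the "
                            f"feature changed {last_changed}; re-sign")
    return findings


def lint_posture(posture):
    """Return (findings, backlog) for one posture page."""
    findings, backlog = lint_fields(posture)
    live = {n: v for n, v in posture.items() if v and v != "open"}
    if "authority_table" in live:
        findings += lint_authority(live["authority_table"])
    for name in REQUIRED:
        if name in live:
            findings += lint_required(name, live[name])
    if "sign_offs" in live:
        findings += lint_sign_offs(live["sign_offs"], posture["last_changed"])
    return findings, backlog


# Constructed sample: the support assistant from this part, plus one extra row
# and a few field states chosen to show what a first pass usually turns up.
SAMPLE = {
    "job_line": "Answer support questions and issue refunds for signed-in customers.",
    "last_changed": date(2024, 5, 2),  # the day the refund tool was added
    "threat_map": ["injection via ticket text", "refund abuse", "corpus exfiltration"],
    "authority_table": [
        {"action": "answer from the help center", "needs": "read", "scope": "read", "rung": "acts silently"},
        {"action": "look up an order", "needs": "read", "scope": "read", "rung": "acts silently"},
        {"action": "issue a refund", "needs": "write", "scope": "write", "rung": "acts with approval"},
        {"action": "draft a reply", "needs": "read", "scope": "write", "rung": "acts silently"},  # constructed defect
    ],
    "data_flow": [{"copy": "ticket log", "retention_days": 90, "readers": "support team"}],
    "supply_chain": "open",
    "defense_layers": ["tool allowlist", "output filter", "approval gate"],
    "red_team_ledger": [],
    "cost_caps": {"per_session_tokens": 20_000, "per_day_tokens": 2_000_000},
    "kill_switch": {"owner": "on-call engineer", "last_rehearsed": date(2024, 4, 20),
                    "minutes_to_silence": 4},
    "sign_offs": {
        "product_owner": {"name": "A. Owner", "date": date(2024, 5, 3)},
        "on_call_owner": {"name": "B. Oncall", "date": date(2024, 4, 20)},
    },
}

if __name__ == "__main__":
    found, todo = lint_posture(SAMPLE)
    print("\n".join(found) or "no findings")
    print("backlog:", ", ".join(todo) or "none")
```

Run against the sample it reports the over-scoped "draft a reply" row, the blank red-team ledger, and the on-call signature that predates the day the refund tool was added, while the open supply-chain field lands in the backlog rather than the findings; wiring the script into the release pipeline is what makes the re-sign rule hold without anyone remembering it.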
Chapter Summary
- The Security Posture is one page that holds every security decision this part asked you to make, kept where the person on call can find it mid-incident.
- A security posture nobody wrote down is a mood, and a mood cannot be handed to whoever is holding the phone at two in the morning.
- Security agencies from eighteen countries signed joint guidelines that organize AI security across design, development, deployment, and operation, and the posture is that idea at product size.
- The page's fields are this part's artifacts in order: job line, ranked threat map, authority table, data flow with retention, supply-chain register, defense layers, red-team ledger, cost caps, kill switch with the first day, and sign-offs.
- The authority table extends the Agent Charter, and the red-team ledger feeds the quality bar, so the documents stay short by citing each other instead of repeating.
- Write the first day as steps: shut the door, revoke the keys, read the receipts, tell the people, and remember the last step can sit on a 72-hour legal clock.
- A kill switch you never pulled in a rehearsal is a hope, so rehearse it once, time it, and write the number on the page.
- Defended is a page you can sign, not a feeling you have, and the signature expires whenever the product changes underneath it.
- This closes The Practice. The next altitude is The Frontier, fleets of agents and high-stakes rooms, all of it assuming the signed page you are leaving with.
Sources
- UK National Cyber Security Centre and US Cybersecurity and Infrastructure Security Agency, joint Guidelines for Secure AI System Development, co-sealed by security agencies from eighteen countries (November 2023).
- OpenAI, GPT-4 System Card, the published record of tested failure modes and shipped mitigations (March 2023).
- Microsoft, "Learning from Tay's introduction," with BBC News reporting on the bot's removal about sixteen hours after launch (March 2016).
- MIT Technology Review, on Meta withdrawing the public Galactica demo three days after launch (November 2022).
- Anthropic, Responsible Scaling Policy, which assigns implementation to a named Responsible Scaling Officer (September 2023, since updated).
- European Union, General Data Protection Regulation, Article 33, the 72-hour breach notification requirement (in force May 2018).
- Netflix, Chaos Monkey, the resilience tool that terminates production instances at random (open-sourced 2012).