How mature is your AI security posture?

SANS Institute — Self-Assessment Tool

15 questions across three pillars. Takes about 10 minutes. You'll receive a weighted maturity stage with a full scoring breakdown and priority guidance.

AI Security Maturity Model — five stages from Unaware to Optimizing

© 2026 SANS Institute. All rights reserved.  |  sans.org

Pillar 1 of 3  ·  Protect

Securing AI Implementations

How well do you control, verify, and harden the AI systems and agents running in your environment?

Maturity requires evidence: Self-reported capabilities without documented evidence should be capped at Stage 2. If you can describe what you do but cannot point to a document, policy, or metric, score yourself at most 2.
AI Asset Inventory & Ownership
1. Can you produce a current inventory of every AI system, model, and agent used in your environment, with documented owner, data classification, and approved use case?
0–1: No inventory; AI usage discovered incidentally.
2: Inventory exists for sanctioned tools only; known gaps.
3: Comprehensive inventory; classifications, owners, and approved use cases documented.
4: Inventory coverage and drift tracked as metrics; reviewed on cadence.
5: Continuous automated discovery and reconciliation.
AI Supply Chain & Model Provenance
2. For every model, plugin, third-party agent, and AI service you consume, can you verify origin, integrity, and risk before deployment?
0–1: No verification; models pulled freely from public sources.
2: Awareness of risks; ad hoc manual checks.
3: Verification process in place; vendor assessments documented.
4: Automated model scanning integrated into procurement and deployment pipelines.
5: Continuous supply chain validation with real-time integrity attestation.
AI Agent Identity & Authorization
3. Are AI agents granted distinct, scoped credentials with documented human owners and least-privilege access to tools, data, and APIs?
0–1: Agents share or reuse human or service credentials; no scoping.
2: Some agents have distinct credentials; access not consistently scoped.
3: Every agent has a distinct identity, scoped access, and a documented human owner.
4: Formal NHI lifecycle with automated credential rotation and decommissioning.
5: Zero Trust extended to agents with context-aware, just-in-time permissions.
Adversarial Testing & AI Red Teaming
4. How rigorously do you test AI systems against prompt injection, model extraction, instruction manipulation, and other adversarial techniques?
0–1: No AI-specific testing.
2: AI systems in scope for standard pentests, but not deeply tested.
3: Basic adversarial emulation; defenses mapped to MITRE ATLAS techniques.
4: Dedicated AI red team program; automated adversarial testing in CI/CD; full kill-chain ATLAS coverage.
5: Continuous adversarial validation; autonomous detection of novel techniques.
Secure AI Development & MLSecOps
5. Is AI security embedded in the model and agent development lifecycle: threat modeling, secure training pipelines, training data validation, runtime guardrails, and prompt injection detection?
0–1: AI built without security involvement.
2: Security consulted ad hoc on AI projects.
3: Architecture standards exist; security integrated into the AI/ML lifecycle.
4: MLSecOps operational: secure pipelines, model versioning and provenance, real-time prompt injection detection, execution guardrails for agent API calls.
5: Adaptive, self-improving defenses; chaos engineering validates AI resilience continuously.
Pillar 2 of 3  ·  Utilize

Using AI for Security

To what extent is your security team actively deploying AI to detect, investigate, and respond to threats?

AI-Powered Threat Detection
6. To what extent do your detection capabilities use AI/ML, and are those models tuned to your environment rather than running at vendor defaults?
0–1: No AI used in detection.
2: Vendor AI features enabled at defaults; not tuned or validated.
3: AI-powered detection tuned to your environment; UEBA customized for anomaly detection.
4: Custom models developed for organization-specific threats; detection accuracy measured.
5: Predictive defense; cross-organization threat correlation; novel-technique detection.
AI-Assisted Triage, Response & Automation
7. Are AI capabilities used to triage alerts, accelerate investigation, and automate response through SOAR playbooks?
0–1: Manual processes dominate; no AI assistance.
2: Some vendor automation present; not intentionally configured.
3: AI-assisted triage and automated playbooks for common scenarios.
4: SOAR enhanced with AI decision support; autonomous response for validated scenarios.
5: AI agents authorized for Level 1 remediation; self-healing infrastructure operational.
AI-Enhanced Threat Hunting & Intelligence
8. Do you use AI to proactively hunt threats and enrich threat intelligence beyond alert-driven workflows?
0–1: No AI used in hunting or intelligence.
2: Basic vendor enrichment; no proactive use.
3: AI-powered intelligence enrichment in production; hunting hypotheses informed by AI.
4: AI-powered hunting and predictive analytics operational; outcomes measured.
5: Generative AI used for threat simulation and attack prediction.
Security Team AI/ML Capability
9. Does your security team have the skills to evaluate, deploy, tune, and validate AI security capabilities, supported by defined roles?
0–1: Team unaware of available AI capabilities; no AI/ML skills.
2: Team beginning to learn about AI threats; no dedicated expertise.
3: Team competent with AI security tools; AI Security Specialist and AI Governance Lead roles being defined or filled.
4: Specialist roles operational; structured ongoing training.
5: Team includes AI researchers; expertise attracts talent and is an organizational differentiator.
Vendor AI Capability Validation
10. When a vendor markets an AI feature, can you distinguish genuine ML capability from AI-washing and validate fit before procurement?
0–1: Vendor claims accepted at face value.
2: Some skepticism, but no formal evaluation criteria.
3: Model cards, adversarial testing results, and AI assessment criteria required during procurement.
4: Validation outcomes tracked; vendors held to measured performance standards.
5: Organization shapes vendor practices and contributes to industry validation standards.
Pillar 3 of 3  ·  Govern

AI Policy, Risk & Oversight

Do your policies, governance structures, and training programs keep pace with your AI usage?

AI Acceptable Use Policy & BYOAI Coverage
11. Is there a current AI acceptable use policy that addresses both conversational AI and agentic AI, and are employees clear on what is sanctioned?
0–1: No policy; BYOAI proliferates unchecked.
2: Policy is binary; workarounds common.
3: Comprehensive policy addressing use cases and data classification; differentiates conversational from agentic AI; sanctioned tools provided.
4: Policy compliance measured; Shadow AI detection operational; policy refined based on data.
5: Policy adapts proactively to AI evolution and regulatory change.
AI Governance Structure & Accountability
12. Is there a named owner or cross-functional committee with a clear charter, decision authority, and review cadence for AI decisions?
0–1: No accountable owner; AI decisions made ad hoc.
2: Owner exists but lacks formal authority or charter.
3: AI Governance Committee with charter, decision authority, and regular review cadence.
4: Governance integrated with risk management; board-level AI risk reporting established.
5: Governance recognized externally; organization influences industry standards.
AI Risk Management & Quantification
13. Are AI risks tracked formally on a risk register with a defined assessment methodology, and can you quantify exposure?
0–1: No AI risk assessment conducted.
2: AI risks acknowledged informally; no formal register entry.
3: AI risks on the enterprise risk register with defined assessment methodology.
4: Quantitative methodology adopted (e.g. FAIR for AI); risk appetite formally defined.
5: Predictive AI risk analytics; governance anticipates emerging risk.
AI Incident Response & Auditability
14. When an AI system or agent causes harm, can you produce an audit trail proving the chain of authority from human authorization to agent action?
0–1: No AI-specific incident response; ownership unclear.
2: General incident process applied to AI; no AI-specific procedures.
3: AI-specific IR procedures; structured logging with trace IDs across agent steps and tool calls; Security vs. Reliability ownership defined.
4: Reasoning traceability and decision audit artifacts produced; AI incident MTTD/MTTR tracked.
5: Continuous post-incident learning feeds adaptive defenses.
Workforce AI Literacy & Role-Based Training
15. Has the workforce received AI risk training calibrated to their role, and can the general workforce identify common AI failure modes and escalate anomalies?
0–1: No AI training; workforce unaware of risks.
2: Basic awareness training mentions AI risks.
3: Role-based training covering general workforce, technical staff, and AI-specific roles; employees select tools based on data sensitivity.
4: Training completion and effectiveness measured; workforce reliably escalates AI anomalies.
5: AI security expertise attracts external talent; organization mentors others.
Step 4 of 5  ·  Industry Profile

What best describes your organization?

The right maturity target isn't universal — it depends on your AI adoption pattern, industry, regulatory environment, and risk tolerance.

Why this matters: Each industry profile adjusts the relative weight of the three pillars. Protect and Govern are weighted higher than Utilize in most profiles because foundational failures in either create cascading risk that advanced Utilize capabilities cannot offset. Select the profile that best reflects your actual risk landscape.
Your AI Security Maturity Stage

Results are shown per pillar (Protect, Utilize, Govern), with a scoring breakdown listing the industry profile, the weighted raw score, and the raw stage (before caps).

Cap rules

The AI Security Maturity Model uses two cap rules to prevent a strong pillar from masking a critical weakness. An organization with excellent AI-powered threat detection but no governance structure is not genuinely mature — it is structurally exposed. These rules surface those imbalances so they cannot be hidden behind a high overall average.

Without governance as the foundation, advancement is a structural risk. Severe imbalances in any pillar represent vulnerability regardless of strength elsewhere.

Governance Floor Rule

Your overall stage cannot exceed your Govern pillar stage by more than one. If your Govern pillar scores at Stage 2, your overall maturity caps at Stage 3 regardless of how well you score on Protect and Utilize. Governance is the policy, risk, and oversight foundation that enables and constrains both other pillars. Without it, Utilize becomes uncontrolled experimentation and Protect lacks policy authority.

Minimum Pillar Rule

Your overall stage cannot exceed your lowest individual pillar score by more than one. A program that is highly optimized in two pillars but severely underdeveloped in a third has a structural vulnerability. This rule ensures that imbalance is reflected in the final stage rather than averaged away.
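
The two cap rules and the evidence cap, worked through as an added example (not SANS's scoring code). The profile weights, rounding scores down to a whole stage, and the per-answer evidence flag are assumptions, since the page gives no numeric weights or rounding rule; the sample answers are constructed.

```python
from fractions import Fraction
from math import floor

# Assumed profile weights (constructed): the page gives no numbers, only that
# Protect and Govern usually outweigh Utilize.
WEIGHTS = {"protect": Fraction(2, 5), "utilize": Fraction(1, 5), "govern": Fraction(2, 5)}

def pillar_mean(answers):
    """answers: (score 0-5, has_documented_evidence) per question.
    Evidence rule from the page: without evidence a score counts as at most 2."""
    capped = [score if evidence else min(score, 2) for score, evidence in answers]
    return Fraction(sum(capped), len(capped))

def overall_stage(pillars, weights=WEIGHTS):
    means = {name: pillar_mean(a) for name, a in pillars.items()}
    stages = {name: floor(m) for name, m in means.items()}  # assumption: round down
    raw_stage = floor(sum(weights[n] * means[n] for n in means))
    caps = {
        "governance_floor": stages["govern"] + 1,       # Governance Floor Rule
        "minimum_pillar": min(stages.values()) + 1,     # Minimum Pillar Rule
    }
    final = min(raw_stage, *caps.values())
    # A cap is "binding" when it pulls the stage below the weighted result.
    binding = sorted(rule for rule, cap in caps.items() if cap < raw_stage)
    return {"pillar_stages": stages, "raw_stage": raw_stage,
            "final_stage": final, "binding_caps": binding}

def ev(*scores):
    """Helper: mark every score as backed by documented evidence."""
    return [(s, True) for s in scores]

# Constructed sample: strong Protect/Utilize, weak Govern, one unevidenced claim of 4.
WEAK_GOVERN = {
    "protect": ev(4, 4, 5, 4, 4),
    "utilize": ev(5, 5, 4, 5, 5),
    "govern": ev(1, 2, 1, 1) + [(4, False)],
}
# Constructed sample: strong Protect/Govern, neglected Utilize.
WEAK_UTILIZE = {
    "protect": ev(4, 4, 5, 4, 4),
    "utilize": ev(1, 1, 1, 1, 1),
    "govern": ev(4, 4, 4, 4, 4),
}

if __name__ == "__main__":
    for label, sample in (("weak govern", WEAK_GOVERN), ("weak utilize", WEAK_UTILIZE)):
        print(label, overall_stage(sample))
```

Under this reading the Minimum Pillar cap is never looser than the Governance Floor cap, because the lowest pillar stage is at most the Govern stage; the Governance Floor Rule shows up as binding only when Govern is itself the weakest pillar.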

What does this mean for your organization?

Go deeper with the full framework — or talk with a SANS expert about your results.

Free Resource
Download the AI Security Maturity Model eBook
The full framework explains what each stage looks like in practice, what it takes to advance, and how to align your progress with NIST AI RMF, the EU AI Act, and ISO 42001.
Expert Guidance
Talk with a SANS AI Security Specialist
Not sure what your scores mean or where to start? A SANS advisor can walk you through your results, identify your highest-leverage gaps, and map a training path to close them.
