Group Purchasing
Group Purchasing

Why Sounil Yu and I built the AI Defense Matrix

We agreed that the AI era presents defenders with new types of assets that require new controls.

Authored byLenny Zeltser
Lenny Zeltser

The AI Defense Matrix is a free framework that Sounil Yu and I created to help organizations decide how to defend AI systems. Security leaders can use it to find gaps, assign ownership, and select controls for the AI capabilities in their environments.

I saw the need for this framework at RSAC 2026. On the expo floor, vendor after vendor talked about securing AI or using AI for security. After a day of hearing those conversations, I needed a mental model to make sense of the market. I wanted a way to compare the controls an enterprise needs against the AI systems that security leaders are tasked with defending.

Sounil and I talked about his Cyber Defense Matrix, which organizes the broad universe of cybersecurity products. We agreed that the AI era presents defenders with new types of assets that require new controls. While "AI for security" is well represented in his original matrix, we felt the industry would benefit from a dedicated "security for AI" companion. The AI Defense Matrix is that grid.

We debated the columns and rows of the AI Defense Matrix more than anything else. For the columns, we kept the NIST CSF functions, expanding the original matrix's five functions to the six functions in CSF 2.0. Security practitioners already know this framework and use it to describe defensive activities. For the rows, we settled on eight AI-specific asset classes that enterprises need to safeguard with specialized capabilities beyond traditional cybersecurity defenses:

  • AI-Workload Platforms: Inference servers, training platforms, vector database platforms, and the model-loading supply chain.
  • AI Orchestration Tools: Agentic orchestration tools, plus their plugins, skills, hooks, system prompts, scaffolding, harnesses, configuration settings, and MCP clients on user devices.
  • AI-Generated Code: Code produced by AI tools, AI-assisted reviews, AI-generated infrastructure-as-code and tests, and vibe-coded apps that bypass CI/CD.
  • AI Gateways and Routers: MCP proxies and gateways, LLM routers, outbound AI-service traffic, shadow AI egress, and model-registry traffic.
  • AI Models: Model weights, fine-tuning checkpoints, model cards, registries, AIBOMs, and the third-party LLMs your enterprise consumes.
  • Training Data: Datasets used for training, fine-tuning, and continued learning.
  • Runtime AI Data: User prompts, inference inputs, RAG content, vector database content, persistent agent memory, and interaction history.
  • AI Agent Identities: AI agents as non-human principals, plus their credentials, keys, permission scopes, service accounts, and delegation chains across agents and tools.

Practitioners and vendors can use the matrix in different ways:

  • Practitioners: Review each cell and ask whether any processes or technologies in your program exist at that intersection. For example, the Detect cell for AI Orchestration Tools covers prompt-injection testing and agent anomaly detection. Start with Govern to anchor on ownership and policy, then build a gap inventory for your AI defense roadmap.
  • Vendors: Map your capabilities to specific cells rather than claiming broad coverage. Treat thinly covered cells as opportunities to differentiate.

Explore the matrix at aidefensematrix.com, where you can download it in CSV, YAML, and Markdown formats. We also cross-mapped each row to nine other frameworks, including NIST IR 8596, MITRE ATLAS, the OWASP LLM Top 10, and the SANS Critical AI Security Guidelines. The site's change log records each revision and the reasoning behind it.

Use the matrix to anchor your AI defense work as the field evolves. Let the gaps you find shape your priorities.