Observable · Controlled · Contained

A practical operational security framework for production AI systems that reason, act, and remember.

Modern AI systems are no longer passive software components. They retrieve. They reason. They remember. They delegate. They execute. They interact.

This blueprint presents a comprehensive operational security architecture for securing AI systems across 12 control domains, with practical detection code, mandatory calibration protocols, and honest validation status documentation.

This is not a prompt engineering guide. This is control architecture for systems that think, act, and remember.

• Domain 01: Input & Interface Control (Complete)

  • 8 attack vectors documented with functional detection code
  • Context stuffing, function injection, RAG poisoning, tool response injection, and more
  • Deterministic risk evaluation rules (NIST/OWASP aligned)
  • Mandatory calibration protocol (Section 4.7.3)

• 12-Domain Architecture (Planned)

  • 01 Input & Interface Control ✅
  • 02 Context & RAG Control (Planning)
  • 03 Reasoning Control (Planning)
  • ...and 9 more domains

• Operational Validation

  • Tested against 330+ adversarial payloads
  • Production calibration results from live AI systems
  • Real incident examples and remediation
  • Cross-model validation (Mixtral, Mistral, Qwen)

• Governance & Maturity

  • 5-level maturity model
  • Deterministic rules (not probabilistic scoring)
  • OWASP/NIST/MITRE alignment
  • Forensic audit trail (hash chain architecture)

1. "The model suggests. The architecture decides."

   • Security lives at decision time, not in prompts
   • Controls operate across input, context, reasoning, execution layers

2. Honest Validation Status

   • Detection thresholds are calibrated placeholders requiring local adaptation
   • Openly documents what is validated vs. unvalidated
   • Provides mandatory calibration protocol, not universal guarantees

3. Operational Not Theoretical

   • Developed and validated in production AI systems
   • Tested against dark web monitoring feeds, threat intelligence, and OSINT
   • Real-world incident examples included

4. Observable · Controlled · Contained

   • Every decision logged with audit trail
   • Runtime governance with enforcement points
   • Failure containment and recovery procedures

• Read: AI_Security_Assessment_Blueprint_v2.0.md
• Focus sections: 1.0 (Foundation), 4.2 (Reference Architecture), 4.5-4.6 (Risk & Rules)

• Read: Section 2 (Attack Vectors) + Section 3 (Controls)
• Run: quick_start_validation.py against your endpoint
• Implement: Section 4.7.3 (Calibration Protocol)

• Read: Section 4.3 (Test Framework)
• Use: 330+ adversarial payloads from calibration dataset
• Validate: Section 4.7.3 (Adversarial Validation)

• Read: Section 4.1 (Maturity Model) → measure current state
• Read: Section 4.5 (Risk Framework) → map to your threats
• Plan: 6-week calibration protocol (Section 4.7.3)

This framework has been operationally tested in production:

• Time in Production: 30+ days
• Test Payloads: 330+ adversarial variants
• Models Tested: Mixtral 8x22B, Mistral 7B, Qwen 3B, Qwen 1.5B
• Real Threats: Dark web monitoring, OSINT, threat intelligence feeds
• Detection Rates: 87-99.8% by vector (see case study)
• False Positive Rates: 0-2% (calibrated for production)

See: Case Study: Operational Validation

aisecurityblueprint/
├── docs/
│   ├── AI_Security_Assessment_Blueprint_v2.0.md    [Domain 01 Complete]
│   ├── case-study-operational-validation.md
│   ├── references/
│   │   └── [Industry standards, benchmarks, research papers]
│   └── .gitkeep
├── code/
│   ├── domain01/
│   │   ├── quick_start_validation.py
│   │   ├── detectors/
│   │   │   ├── context_stuffing_detector.py
│   │   │   ├── injection_detector.py
│   │   │   └── ...
│   │   └── controls/
│   │       ├── input_validator.py
│   │       └── ...
│   └── tests/
│       ├── adversarial_payloads_330.json
│       └── validation_harness.py
├── README.md                                         [You are here]
├── ROADMAP.md
├── CONTRIBUTING.md
└── LICENSE (CC-BY-SA 4.0)

• Map your AI system components to the 12 control domains
• Identify which domains are relevant to your architecture
• Prioritize by risk (input handling is universal; agent execution is domain-specific)

• Start with Domain 01 (Input & Interface Control) — always applicable
• Follow the implementation checklist in each domain section
• Use the provided Python reference implementations as templates
• Adapt thresholds using the calibration protocol

• Execute the mandatory calibration protocol (6 weeks)
• Test against adversarial payloads relevant to your threat model
• Adjust thresholds using ROC curve analysis
• Document your calibration results for compliance

• Implement forensic logging (hash chain audit trail)
• Set up real-time alerting for violations
• Create incident response runbooks
• Establish HITL escalation procedures

• Run monthly red team exercises
• Monitor for new attack patterns (OSINT + threat intelligence)
• Update thresholds semi-annually
• Share findings with the community

• GitHub Issues: Report bugs, suggest improvements
• Discussions: Share insights and best practices
• Email: feedback@aisecurityblueprint.com
• LinkedIn: https://www.linkedin.com/in/aisecurityblueprint/

This work is licensed under CC-BY-SA 4.0 (Creative Commons Attribution-ShareAlike 4.0).

You are free to use, modify, and distribute this framework with attribution and under the same license.

@misc{desantana2026aisecurityblueprint,
  title   = {AI Security Assessment Blueprint v2.0: A Comprehensive Operational Security Framework for Production AI Systems},
  author  = {De Santana, Luis},
  year    = {2026},
  howpublished = {\url{https://github.com/aisecurityblueprint/aisecurityblueprint}},
  note    = {Community framework, CC-BY-SA 4.0}
}

Observable · Controlled · Contained

Luis De Santana — AI Security Architect | LLM Security & AI Risk

v2.0 | May 2026