Shield

the controls that cut through every layer because some problems don't respect org chart boundaries. security doesn't stop at L5 just because L5 has its own team.

"we secured the model but not the data pipeline. the attacker didn't care about our org chart. they went through the layer that nobody was watching."
"our observability shield covers the application but not the infrastructure. so when the GPU cluster went down, we found out from Twitter."
"the CISO owns security. except at L3 where the data team owns it. except nobody told either of them. that's not a shield, that's a gap with two owners."
Share this one
Canonical Definition

A vertical, cross-cutting control section (S1–S5) that spans all layers. Shields provide governance, security, supply chain, observability, and financial controls that cannot be confined to a single layer. The five shields are: S1 (GRC), S2 (Security), S3 (Supply Chain), S4 (Observability), and S5 (Financial Controls). Where layers provide horizontal separation of concerns, shields provide vertical integration of cross-cutting requirements.

Why It Matters

Some governance concerns refuse to stay in their lane. Security is not an L5 problem or an L3 problem or an L0 problem. It is all of them simultaneously. A supply chain vulnerability in a third-party model (L5) is also a data provenance issue (L3) and a contractual risk (S1). Observability that monitors the application layer but ignores the infrastructure layer creates a monitoring blind spot that adversaries exploit with reliable precision.

The shield architecture exists because the alternative — assigning cross-cutting concerns to individual layers — creates predictable governance failures. When security is “owned” by the engineering team at L5, nobody governs security at L3 (data), L1 (strategy), or L0 (infrastructure). The 2024 OWASP Top 10 for LLM Applications identifies supply chain vulnerabilities (LLM05) and insecure output handling (LLM02) as top risks precisely because organisations confine their security controls to a single layer.

Shields enforce the principle that cross-cutting concerns must be governed at every level, not delegated to whichever layer happens to have budget or headcount. The intersection of a shield and a layer produces specific, testable controls. S2 at L5 produces model security controls. S2 at L3 produces data security controls. S2 at L0 produces infrastructure security controls. Same shield, different layers, different controls.

The Stress Test

A penetration tester finds that your AI system’s model endpoint is secured with authentication, rate limiting, and input validation. Excellent. They then discover that the training data pipeline has no access controls, the model registry allows anonymous writes, and the logging infrastructure sends observability data over unencrypted channels. Your security shield covers L5 (the model) but not L3 (data), L0 (infrastructure), or S4 (observability).

The attacker does not attack your strongest layer. They attack the layer where the shield has gaps. That gap is the finding.

In the Wild

Supply Chain — SolarWinds, 2020
When Security Stops at One Layer

The SolarWinds attack demonstrated what happens when a security shield does not span all layers. SolarWinds’ application layer security was functional. The build pipeline (infrastructure layer) was compromised by Russian intelligence operatives who injected malicious code into the Orion software update process. 18,000 organisations installed the compromised update. The security controls at the application layer could not detect a compromise that occurred at the infrastructure layer because the security shield had a gap between layers.

The application was secure. The build pipeline was not. A shield that does not span all layers is not a shield. It is a curtain.

AI Security — Hugging Face, 2024
Supply Chain Shield Gaps in the Model Ecosystem

Security researchers from JFrog identified over 100 malicious models on Hugging Face, the world’s largest open-source AI model repository. The models contained serialised code that executed on load, enabling remote code execution on any system that downloaded and used them. Organisations with strong security controls at the model training layer (S2 at L5) but no supply chain controls (S3) for third-party model procurement loaded these models directly into production environments.

If your supply chain shield does not cover model procurement, every open-source model is an unscreened dependency running with full system privileges.

Observability — Knight Capital, 2012
$440 Million in 45 Minutes Without Observability

Knight Capital Group deployed new trading software that contained a bug from a previous version. The firm’s deployment process reused a feature flag that had been repurposed. Within 45 minutes, the system executed erroneous trades that cost $440 million. The observability shield (S4) did not span the deployment layer — there was no automated check that the deployed code matched the tested code, no real-time monitoring of trade execution anomalies against expected parameters, and no circuit breaker triggered by loss velocity.

The trading algorithm worked as coded. The code was wrong. Observability that monitors output without monitoring deployment is half a shield.

How to Govern It

A shield must span every layer, or it protects nothing.

Within the AI Enterprise Control Index, shields are governed through vertical integration:

  • S1 — GRC (Governance, Risk, and Compliance) — The control register, risk appetite, regulatory mapping, and evidence collection. S1 operates at every layer to ensure that governance is not confined to the board room.
  • S2 — Security — Authentication, authorisation, encryption, and adversarial testing at every layer from infrastructure (L0) to integration (L7). Security at one layer without security at all layers is a vulnerability disclosure waiting to happen.
  • S3 — Supply Chain — Third-party model provenance, data supplier governance, API dependency management, and vendor risk assessment. Every external component that enters any layer must pass through S3.
  • S4 — Observability — Runtime monitoring, logging, alerting, and performance tracking at every layer. If you cannot observe it, you cannot govern it.
  • S5 — Financial Controls — Cost monitoring, budget allocation, ROI tracking, and compute governance across all layers. AI systems that exceed their financial boundaries are ungoverned by definition.

When It's Relevant

Shields are relevant in every AI deployment. The question is not whether you need shields but whether your shields span all layers. An organisation that secures its models but not its data pipelines has a partial S2 implementation. An organisation that monitors its application but not its infrastructure has a partial S4 implementation. Partial shields create the illusion of governance while leaving predictable attack surfaces.

Shield governance becomes critical when:

  • The organisation uses third-party AI models or data sources
  • Multiple teams contribute to the AI system across different layers
  • The system is subject to security or compliance requirements
  • Production incidents trace back to layers that were not monitored
  • The organisation must demonstrate cross-cutting governance to auditors or regulators

See shields in the framework. The full S1–S5 shield architecture is visualised in the AI Enterprise Control Index v6.0.

Open Framework →

Related Terms

References

  1. [1] OWASP Foundation (2025) OWASP Top 10 for Large Language Model Applications v2025.1. Available at: owasp.org/www-project-top-10-for-large-language-model-applications.
  2. [2] CISA (2021) SolarWinds Supply Chain Attack Advisory. Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security.
  3. [3] JFrog Security Research (2024) ‘Malicious ML Models on Hugging Face’, JFrog Blog. Available at: jfrog.com/blog.
  4. [4] SEC (2013) In the Matter of Knight Capital Americas LLC. Securities and Exchange Commission, Administrative Proceeding File No. 3-15570.
  5. [5] ISO/IEC 42001:2023. Information Technology — Artificial Intelligence — Management System. International Organization for Standardization.
  6. [6] NIST (2024) Artificial Intelligence Risk Management Framework: Generative AI Profile (AI 600-1). National Institute of Standards and Technology.
  7. [7] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union.

AI Enterprise Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0

By Jeroen Janssen, Apparens