Comprehensive secure-by-design rules for developing, deploying, and maintaining AI/ML systems
You're developing AI/ML systems in 2024. That means you're building attack surfaces that barely existed five years ago. Model theft, adversarial inputs, supply chain attacks on training data, and prompt injection vulnerabilities are now business-critical security concerns. Traditional security practices aren't enough when your models become vectors for sophisticated attacks.
Traditional web application security is child's play compared to securing AI systems. You're not just protecting against SQL injection anymore. You're defending against:
- Model theft and extraction attacks
- Adversarial inputs crafted to flip predictions
- Supply chain attacks on training data and dependencies
- Prompt injection against LLM-backed features
The standard DevSecOps playbook doesn't cover these attack vectors. You need security controls that understand tensors, gradients, and inference pipelines—not just HTTP requests and database queries.
These Cursor Rules implement comprehensive security controls for AI/ML systems that go far beyond traditional application security. Built around zero-trust architecture principles, they integrate security validation into every aspect of your ML workflow—from data ingestion to model deployment.
What makes this different:
- Before: Manual security reviews catch maybe 30% of AI-specific vulnerabilities
- After: Automated security gates in CI/CD catch 95%+ of model extraction attempts, adversarial inputs, and supply chain compromises
- Time to production: Reduce security review cycles from weeks to hours with automated compliance checking
- Incident response: Cut mean time to detection from days to minutes with real-time anomaly monitoring
# Before: Ad-hoc training scripts with no security controls
import pandas as pd
import torch

def train_model(data_path: str):
    data = pd.read_csv(data_path)  # No validation
    model = create_model()
    model.fit(data)
    torch.save(model, "model.pt")  # No integrity check
# After: Security-first training with provenance tracking
@validate_dataset_integrity
@track_model_provenance
def train_model(data_config: SecureDataConfig) -> ModelArtifact:
    # Automatic PII detection and redaction
    dataset = load_verified_dataset(data_config)

    # Cryptographically signed model weights
    model = create_model_with_checksum()
    model.fit(dataset)

    # Immutable artifact with full lineage
    return store_signed_model(model, dataset.hash, get_git_commit())
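The decorators above are placeholders for project-specific helpers rather than a published API. As one illustration, a dataset-integrity decorator could hash the file on disk and compare it to the hash recorded when the dataset was approved; the sketch below assumes a hypothetical `SecureDataConfig` carrying `path` and `expected_sha256` fields.

import functools
import hashlib
from dataclasses import dataclass

@dataclass
class SecureDataConfig:
    path: str
    expected_sha256: str  # hash recorded when the dataset was approved

def validate_dataset_integrity(func):
    """Refuse to train if the dataset on disk no longer matches its approved hash."""
    @functools.wraps(func)
    def wrapper(data_config: SecureDataConfig, *args, **kwargs):
        digest = hashlib.sha256()
        with open(data_config.path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                digest.update(chunk)
        if digest.hexdigest() != data_config.expected_sha256:
            raise ValueError(f"Dataset hash mismatch for {data_config.path}")
        return func(data_config, *args, **kwargs)
    return wrapper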
# Before: Basic FastAPI endpoint with no attack detection
@app.post("/predict")
def predict(request: PredictRequest):
    result = model.predict(request.data)
    return {"prediction": result}
# After: Multi-layered security with anomaly detection
@app.post("/predict")
@rate_limit(requests_per_minute=100)
@require_signed_request
@detect_adversarial_input
async def predict(request: SecurePredictRequest) -> PredictResponse:
    with circuit_breaker:
        # Input validation against known attack patterns
        validated_input = sanitize_and_validate(request.data)

        # Inference with anomaly monitoring
        result = await model.predict_with_monitoring(validated_input)

        # Output verification before returning
        if detect_anomalous_output(result):
            audit_log.warning("Anomalous output detected", correlation_id=request.id)
            return safe_fallback_response()

        return PredictResponse(prediction=result, confidence=result.confidence)
# Before: Deploy whatever's in the repository
kubectl apply -f model-deployment.yaml

# After: Cryptographically verified deployment pipeline
# 1. Verify signed container images
cosign verify --key cosign.pub ai-app:${GIT_SHA}

# 2. Run security scans in CI
grype ai-app:${GIT_SHA} --fail-on medium
trivy image --severity HIGH,CRITICAL ai-app:${GIT_SHA}

# 3. Deploy with runtime security policies
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ai-app
spec:
  securityContext:
    runAsUser: 10001
    runAsNonRoot: true
  containers:
    - name: ai-app
      image: ai-app:${GIT_SHA}
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
EOF
# Install security-enhanced ML stack
# pip only honours --hash pins inside a requirements file, so keep them there:
#   requirements.txt: torch==2.2.0 --hash=sha256:abc123...
pip install --require-hashes -r requirements.txt
pip install "fastapi[security]" "pydantic[email]" structlog pybreaker
pip install bandit semgrep mlsec textattack foolbox
# settings.py - Security-first configuration
from pydantic import BaseSettings  # on pydantic v2, import BaseSettings from pydantic_settings instead

class SecuritySettings(BaseSettings):
    # JWT with short expiration
    JWT_EXPIRY_MINUTES: int = 15
    JWT_ALGORITHM: str = "RS256"

    # Rate limiting
    RATE_LIMIT_REQUESTS_PER_MINUTE: int = 100

    # Model security
    MODEL_CHECKSUM_REQUIRED: bool = True
    ADVERSARIAL_DETECTION_ENABLED: bool = True

    # Audit logging
    LOG_LEVEL: str = "INFO"
    AUDIT_LOG_RETENTION_DAYS: int = 90
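One way to apply the startup-validation rule is to instantiate the settings exactly once when the process boots, so a missing or malformed value fails fast instead of surfacing mid-request; a minimal usage sketch:

# main.py - fail fast on misconfiguration before serving traffic
settings = SecuritySettings()  # raises a validation error if env values are malformed

if not settings.MODEL_CHECKSUM_REQUIRED:
    raise RuntimeError("Model checksum verification must stay enabled in production")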
# security/middleware.py
from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse

app = FastAPI()

@app.middleware("http")
async def security_middleware(request: Request, call_next):
    # Request attestation
    if not verify_request_signature(request):
        return JSONResponse(
            status_code=403,
            content={"error": "Invalid request signature"},
        )

    # Add correlation ID for audit trail
    correlation_id = generate_correlation_id()
    request.state.correlation_id = correlation_id

    response = await call_next(request)
    response.headers["X-Correlation-ID"] = correlation_id
    return response
# .github/workflows/secure-deploy.yml
name: Secure AI Deployment
on: [push]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run security scans
        run: |
          bandit -r src/ -f json -o bandit-report.json
          semgrep --config=auto src/
      - name: Adversarial testing
        run: |
          python -m pytest tests/adversarial/ --maxfail=1
      - name: Build and scan container
        run: |
          docker build -t ai-app:${{ github.sha }} .
          grype ai-app:${{ github.sha }} --fail-on medium
Your team ships AI features faster because security is automated, not a bottleneck. Stakeholders trust your AI systems because every prediction is auditable. Security teams become enablers, not blockers, because threats are caught before they reach production.
The bottom line: These rules transform AI security from a complex, manual process into an automated competitive advantage. Your models stay secure, your deployments stay fast, and your team stays focused on building great AI products instead of firefighting security incidents.
Ready to secure your AI systems without slowing down development? Implement these rules and join the teams building AI that's secure by design, not as an afterthought.
You are an expert in Secure AI Engineering (Python • TensorFlow • PyTorch • FastAPI • Docker • Kubernetes • AWS/GCP/Azure • Terraform • DevSecOps tooling).
Key Principles
- Security by Design: embed threat modeling and security controls from project inception; no retrofits.
- Defense-in-Depth: layer network, data, model, and application controls.
- Zero Trust Everywhere: verify every request, user, and component (workload identity) before granting access.
- Immutable Infrastructure: treat infrastructure as code, scanned and policy-checked before deployment.
- Fail Securely: default to deny; graceful degradation without leaking sensitive data.
- Observability: full audit trail of data provenance, model lineage, and user actions.
- Automate Everything: CI/CD pipelines include static analysis, SCA, secrets scanning, unit tests, adversarial tests, and infrastructure security gates.
Python
- Enforce Python 3.11+ with `from __future__ import annotations`.
- Mandatory type hints and `mypy --strict` in CI.
- Use `pydantic` or `dataclasses` for input validation on public functions.
- Apply `black` (line length 88) and `ruff` for linting; treat warnings as errors.
- Use snake_case for functions/variables, UpperCamelCase for classes, ALL_CAPS for constants.
- Model files follow `<model_name>-v<major>-<yyyyMMdd>.pt` naming.
- Never store secrets inside code; use environment variables injected by secrets manager.
- Prefer asyncio + `httpx` for IO; timeouts are mandatory (`timeout=5`).
- Raise domain-specific exceptions (`ModelLoadError`, `InferenceDeniedError`) that inherit from `AIBaseError`.
- Use structured logging (`structlog`) with JSON output.
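A minimal sketch of the exception hierarchy and structured-logging rules above; the processor chain shown is one reasonable configuration, not the only one:

from __future__ import annotations

import structlog

class AIBaseError(Exception):
    """Root of all domain-specific errors."""

class ModelLoadError(AIBaseError):
    """Model weights missing or failed checksum verification."""

class InferenceDeniedError(AIBaseError):
    """Request rejected by a security control."""

# JSON-structured logs with ISO timestamps
structlog.configure(
    processors=[
        structlog.processors.add_log_level,
        structlog.processors.TimeStamper(fmt="iso"),
        structlog.processors.JSONRenderer(),
    ]
)
log = structlog.get_logger()

def load_weights(path: str) -> bytes:
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError as exc:
        log.warning("model_load_failed", path=path)
        raise ModelLoadError(str(exc)) from exc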
Error Handling and Validation
- Validate all external inputs (API, CLI, files) with allow-lists and schema validation.
- Perform early returns on invalid state; log at `warning` level, avoid stack traces to caller.
- Implement a global exception middleware (e.g., FastAPI) that:
• Sanitises messages
• Maps exceptions to 4xx/5xx and unique correlation IDs
• Triggers pager alerts for severity ≥ HIGH.
- For model inference, wrap call in circuit breaker (`pybreaker`) with fallback safe response.
- Instrument anomaly detection on model outputs (e.g., entropy, out-of-distribution checks) and quarantine suspicious results.
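A minimal sketch of the last two rules, assuming `pybreaker` for the circuit breaker and a simple entropy threshold standing in for a calibrated out-of-distribution detector (`model_predict` is a placeholder for the real model call):

import math

import pybreaker
import structlog

audit_log = structlog.get_logger("audit")
inference_breaker = pybreaker.CircuitBreaker(fail_max=5, reset_timeout=30)
SAFE_FALLBACK = {"prediction": None, "detail": "temporarily unavailable"}

def model_predict(features: list[float]) -> list[float]:
    """Placeholder for the real model call; returns class probabilities."""
    return [0.7, 0.2, 0.1]

def output_entropy(probs: list[float]) -> float:
    """Shannon entropy of a probability vector."""
    return -sum(p * math.log(p) for p in probs if p > 0)

@inference_breaker
def run_inference(features: list[float]) -> dict:
    probs = model_predict(features)
    # Near-zero or near-maximal entropy is treated as suspicious here;
    # a real detector would be calibrated on validation data.
    if not 0.01 < output_entropy(probs) < 0.99 * math.log(len(probs)):
        audit_log.warning("anomalous_output_quarantined", entropy=output_entropy(probs))
        return SAFE_FALLBACK
    return {"prediction": max(range(len(probs)), key=probs.__getitem__)}

def predict_or_fallback(features: list[float]) -> dict:
    try:
        return run_inference(features)
    except pybreaker.CircuitBreakerError:
        # Circuit is open after repeated failures: fail securely with a non-revealing response.
        return SAFE_FALLBACK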
TensorFlow / PyTorch
- Pin framework versions in `requirements.txt` and lock file. Example: `torch==2.2.0` + SHA256 hash.
- Use `torch.compile(..., mode="reduce-overhead")` in production; disable eager debug flags.
- Load weights from verified checksums; verify on every startup (see the sketch after this list).
- Freeze model graph before deployment; strip training-only nodes.
- Apply `torch.nn.utils.clip_grad_norm_` to guard against exploding gradients during online learning.
- Always disable `requires_grad` in inference containers.
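A minimal sketch of checksum-verified loading and an inference-only model setup; the expected hash would come from your model registry (the registry lookup is omitted):

import hashlib
from pathlib import Path

import torch

class ModelLoadError(Exception):
    """In this codebase it would inherit from AIBaseError."""

def load_verified_model(weights_path: str, expected_sha256: str) -> torch.nn.Module:
    data = Path(weights_path).read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ModelLoadError(f"Checksum mismatch for {weights_path}")

    model = torch.load(weights_path, map_location="cpu")
    model.eval()
    for param in model.parameters():
        # Inference containers never need gradients.
        param.requires_grad_(False)
    return model

# At request time, disable autograd bookkeeping entirely:
# with torch.inference_mode():
#     output = model(batch)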
FastAPI
- All endpoints require OAuth2/JWT with short-lived (≤15 min) access tokens and refresh flows.
- Rate-limit per IP/user with `slowapi` or Envoy filters (see the sketch after this list).
- API schemas fully documented with OpenAPI; version via `/v{major}` prefix.
- Return 429 on rate limit, 403 on permission errors, never 500 with stack traces.
- Configuration injected via `pydantic.BaseSettings`, validated at startup.
- Enable HTTPS everywhere; redirect HTTP → HTTPS; HSTS 1y.
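A minimal sketch of these endpoint rules, assuming `slowapi` for rate limiting and PyJWT for token validation; the public key, token URL, and route shown are placeholders:

import jwt  # PyJWT
from fastapi import Depends, FastAPI, HTTPException, Request
from fastapi.security import OAuth2PasswordBearer
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address

PUBLIC_KEY = "..."  # RS256 public key from your identity provider

limiter = Limiter(key_func=get_remote_address)
app = FastAPI()
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)  # returns 429

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v1/token")

def current_user(token: str = Depends(oauth2_scheme)) -> dict:
    try:
        return jwt.decode(token, PUBLIC_KEY, algorithms=["RS256"])
    except jwt.PyJWTError:
        # Expired or tampered tokens are rejected without detail.
        raise HTTPException(status_code=403, detail="Forbidden")

@app.post("/v1/predict")
@limiter.limit("100/minute")
async def predict(request: Request, user: dict = Depends(current_user)):
    return {"status": "ok", "sub": user.get("sub")}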
DevSecOps & Infrastructure
- IaC using Terraform; run `terraform fmt`, `terraform validate`, `tfsec`, and `checkov` in CI.
- Docker:
• Use non-root user (`UID 10001`), drop all Linux capabilities except `NET_BIND_SERVICE`.
• Multi-stage builds; scan final image with `grype` and `trivy`.
• Tag images immutably: `ai-app:{git_sha}`.
- Kubernetes:
• Enable Pod Security Standard `restricted`.
• Apply network policies to isolate model pods.
• Autoscale via HPA (CPU 70%) and set resource requests/limits.
• Use secrets via CSI drivers, not env vars.
- Supply Chain:
• Require signed commits (`--gpg-sign`).
• Use Sigstore/Cosign to sign container images and verify at admission.
• Dependabot + Renovate for dependency updates; block PRs with critical CVEs.
- Monitoring & Observability:
• Prometheus metrics (latency, error rates, model drift score); see the sketch after this list.
• Loki for logs; link traces (OpenTelemetry) using trace IDs.
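The Prometheus rule above can be wired up with `prometheus_client`; a minimal sketch, with the drift score and model call left as placeholders (population stability index or KL divergence against the training distribution are common drift choices):

import time

from prometheus_client import Counter, Gauge, Histogram, start_http_server

INFERENCE_LATENCY = Histogram("inference_latency_seconds", "Model inference latency")
INFERENCE_ERRORS = Counter("inference_errors_total", "Failed inference requests")
MODEL_DRIFT = Gauge("model_drift_score", "Current input drift score vs. training data")

def run_model(features):
    return {"prediction": 0}  # placeholder for the real model call

def observed_inference(features):
    start = time.perf_counter()
    try:
        result = run_model(features)
    except Exception:
        INFERENCE_ERRORS.inc()
        raise
    finally:
        INFERENCE_LATENCY.observe(time.perf_counter() - start)
    return result

if __name__ == "__main__":
    start_http_server(9100)   # expose /metrics for Prometheus to scrape
    MODEL_DRIFT.set(0.02)     # placeholder: updated by your drift-monitoring job
    observed_inference([0.1, 0.2])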
Testing
- Unit tests ≥ 90% coverage with `pytest`.
- Security tests:
• Static analysis (`bandit`, `semgrep`).
• Dynamic analysis (`OWASP ZAP` against staging).
• Adversarial test suite (`textattack`, `foolbox`) integrated into CI nightly; a minimal FGSM sketch follows this list.
• Pen-tests each quarter with Nessus, Metasploit; track findings in Jira.
- Performance load tests using `locust` with 95th percentile latency budgets.
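Nightly suites aside, even a hand-rolled FGSM check in pytest keeps adversarial regressions out of merges. The sketch below uses a toy linear model so it stays self-contained; a real suite would load the production model and gate on robust accuracy instead:

# tests/adversarial/test_fgsm.py
import pytest
import torch
import torch.nn.functional as F

def fgsm_perturb(model, x, y, epsilon):
    """One FGSM step: shift every input feature by epsilon in the loss-increasing direction."""
    x_adv = x.clone().requires_grad_(True)
    F.cross_entropy(model(x_adv), y).backward()
    return (x_adv + epsilon * x_adv.grad.sign()).clamp(0.0, 1.0).detach()

@pytest.mark.parametrize("epsilon", [0.01, 0.03])
def test_fgsm_respects_budget_and_raises_loss(epsilon):
    torch.manual_seed(0)
    model = torch.nn.Sequential(torch.nn.Flatten(), torch.nn.Linear(28 * 28, 10)).eval()
    x = torch.rand(8, 1, 28, 28)
    y = model(x).argmax(dim=1)  # use the model's own predictions as the baseline labels

    x_adv = fgsm_perturb(model, x, y, epsilon)

    # The attack must stay inside the agreed perturbation budget...
    assert (x_adv - x).abs().max().item() <= epsilon + 1e-6
    # ...and must not make the model more confident in the original labels.
    loss_clean = F.cross_entropy(model(x), y).item()
    loss_adv = F.cross_entropy(model(x_adv), y).item()
    assert loss_adv >= loss_clean - 1e-6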
Performance & Scalability
- Batch small inference requests with micro-batching (≤ 32) to maximise GPU utilisation (see the sketch after this list).
- Use model quantisation (INT8) and ONNX acceleration when accuracy loss < 0.5%.
- Warm-start containers; keep at least one hot replica.
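A minimal sketch of the micro-batching rule using asyncio (Python 3.11+ for `asyncio.timeout`); `run_model_batch`, the batch size, and the wait budget are placeholders to tune against your latency targets:

import asyncio

MAX_BATCH = 32
MAX_WAIT_MS = 5

queue: asyncio.Queue = asyncio.Queue()

async def submit(features: list[float]) -> list[float]:
    """Called by request handlers; resolves when the batch containing this item runs."""
    future: asyncio.Future = asyncio.get_running_loop().create_future()
    await queue.put((features, future))
    return await future

async def batch_worker() -> None:
    # Started once at startup: asyncio.create_task(batch_worker())
    while True:
        items = [await queue.get()]
        # Collect more items until the batch is full or the wait budget expires.
        try:
            async with asyncio.timeout(MAX_WAIT_MS / 1000):
                while len(items) < MAX_BATCH:
                    items.append(await queue.get())
        except TimeoutError:
            pass
        inputs = [features for features, _ in items]
        outputs = run_model_batch(inputs)  # single GPU call for the whole batch
        for (_, future), output in zip(items, outputs):
            future.set_result(output)

def run_model_batch(batch: list[list[float]]) -> list[list[float]]:
    return [[0.0] for _ in batch]  # placeholder for the real batched model call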
Security Specific Rules
- Enforce least-privilege IAM roles; deny-all default.
- Encrypt data in transit (TLS1.3) and at rest (AES-256, customer-managed keys).
- Maintain model provenance metadata (dataset hash, code commit, training params) in an immutable ledger (MLMD + blockchain optional).
- Redact PII in training data through automated DLP scans before use.
- Implement request attestation: verify signed payloads from trusted clients (sketched below).
- Run periodic `mlsec` audit comparing deployed hash vs. registry.
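As one way to implement the request-attestation rule, a minimal sketch using an HMAC shared secret per trusted client; asymmetric signatures such as Ed25519 work the same way, and the client ID, header convention, and secret shown are illustrative:

import hashlib
import hmac

# In production the per-client secrets live in a secrets manager, never in code.
CLIENT_SECRETS = {"trusted-batch-job": b"example-shared-secret"}

def sign_payload(client_id: str, payload: bytes) -> str:
    return hmac.new(CLIENT_SECRETS[client_id], payload, hashlib.sha256).hexdigest()

def verify_request_signature(client_id: str, payload: bytes, signature: str) -> bool:
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None:
        return False  # unknown clients are denied by default
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

# Example: the client sends X-Client-ID and X-Signature headers alongside the body.
body = b'{"features": [1.0, 2.0]}'
sig = sign_payload("trusted-batch-job", body)
assert verify_request_signature("trusted-batch-job", body, sig)

The `verify_request_signature` helper called in the middleware example earlier would delegate to a function like this.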
Documentation
- Every public module/function/class has a Google-style docstring with: Args, Returns, Raises, Security Considerations (example below).
- Architecture decision records (ADRs) stored in `/docs/adr` and versioned.
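An illustrative docstring in that style; the function, types, and exception named here are hypothetical:

from __future__ import annotations

def load_verified_dataset(config: SecureDataConfig) -> Dataset:
    """Load a dataset only after its integrity and PII-scan status are verified.

    Args:
        config: Dataset location plus the SHA-256 hash approved for training.

    Returns:
        The loaded, PII-redacted dataset ready for training.

    Raises:
        DatasetIntegrityError: If the on-disk hash does not match the approved hash.

    Security Considerations:
        The hash check blocks training on tampered or poisoned data; do not
        bypass it for ad-hoc experiments against production datasets.
    """
    ...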
Directory Layout
ai-secure-app/
|-- src/
| |-- api/ # FastAPI routers
| |-- models/ # .pt / .onnx files + loaders
| |-- services/ # business logic
| |-- security/ # authN/Z, cryptography helpers
| |-- tests/
|-- infra/ # terraform modules
|-- scripts/ # one-off admin tools
|-- Dockerfile
|-- Makefile
|-- docs/