Blog

min read

Introducing the SAIL Framework: A Practical Guide to Secure AI Systems

By

Dor Sarig

and

Ziv Karliner

July 2, 2025

min read

AI is transforming how software is built. It introduces a new abstraction layer, shifting the human role from writing deterministic code to guiding intelligent systems that can generate content, make autonomous decisions, and evolve after deployment.

Security teams are now grappling with novel threats like data poisoning, prompt injection, and insecure AI agent behaviors, often with tools not designed for this new reality.

Addressing these challenges requires moving beyond patching existing tools and applying first-principles thinking. For AI, this means dissecting the new development lifecycle to understand its core phases, components, workflows, and - most critically - the unique risks associated with each stage.

Co-developed With Practitioners, For Practitioners

To address these challenges, we collaborated with AI and cybersecurity leaders - from innovative startups to Fortune 500 enterprises - to create the Secure AI Lifecycle (SAIL) Framework. Born from their real-world challenges and battle-tested approaches, SAIL was designed to translate high-level security principles into practical, actionable guidance across the entire AI lifecycle.

The SAIL Framework addresses this need by embracing a process-oriented approach that both harmonizes with and enhances the valuable contributions of existing standards. Its unique strength lies in embedding security actions into each phase of the AI development lifecycle. This methodology complements the strategic risk management governance of the NIST AI RMF, the formal management system structures of ISO 42001, the critical vulnerability identification of the OWASP Top 10 for LLMs, and the essential component-level technical risk identification provided by frameworks like the DASF.

By synthesizing these diverse perspectives through a lifecycle lens, SAIL provides an operational guide that empowers organizations to transform security knowledge into actionable practices.

Ultimately, SAIL serves as the overarching methodology that bridges communication gaps between AI development, MLOps, LLMops, security, and governance teams. This collaborative, process-driven approach ensures security becomes an integral part of the AI journey - from policy creation through runtime monitoring - rather than an afterthought.

It provides a shared roadmap to:

  • Address the threat landscape using a detailed library of over 70 mapped AI-specific risks organized across 7 interconnected phases.
  • Define the key capabilities and controls needed to build a robust AI security program.
  • Accelerate secure AI adoption while protecting reputation and ensuring compliance

How the SAIL Framework Secures the AI Lifecycle

At its core, SAIL is structured around seven lifecycle phases, addressing more than 70 mapped risks across the AI development and deployment pipeline.

The SAIL Framework mirrors the AI development lifecycle itself, integrating protection strategies into the planning, building, testing, deployment, and operation of AI. By aligning with real-world workflows, it helps organizations move from fragmented defenses to coordinated, lifecycle-wide protection. 

In the sections below, we’ll explore each of the seven SAIL phases and demonstrate how they address the most pressing AI security risks.

Plan: AI Policy & Safe Experimentation

Before a single line of code is written, organizations must align AI initiatives with business goals, regulatory requirements, and ethical standards. This phase also introduces structured threat modeling to identify novel risks early and guide system design decisions.

For example, a team preparing to test a generative model with customer data may overlook internal privacy requirements. Without secure experimentation guidelines, such initiatives can unintentionally expose the organization to regulatory and reputational risk.

This phase also defines how data, models, and third-party components are safely introduced into development workflows. By establishing clear vetting processes and governance structures, organizations ensure that innovation proceeds securely and consistently.

SAIL supports this phase through policy mapping, threat modeling, governance alignment, and secure experimentation environments.  These practices ensure AI policies evolve in tandem with organizational needs and regulatory demands. 

Code/No Code: AI Asset Discovery

As AI capabilities spread across teams, asset sprawl is a growing concern. This phase is about discovering and documenting every model, dataset, prompt, AI asset, MCP server, and tool, no matter who built it or where it resides.

A complete inventory is the first line of defense. Without visibility, organizations are left with blind spots for attackers or compliance violations.

Take shadow AI, for example. A marketing analyst might use a no-code tool to build a model that processes sensitive customer data without consulting IT or passing any governance checks.

SAIL advocates mitigating this risk by deploying automated discovery tools, promoting policy awareness, and instituting centralized AI governance. These controls ensure that all AI assets, regardless of origin, are secured and accountable.

Build: AI Security Posture Management 

Once assets are identified, organizations need to understand how they interact and where the risks lie. This phase focuses on modeling system-wide security posture and prioritizing protections based on risk.

Effective posture management prevents reactive security. By identifying chokepoints, overexposed connections, and weak configurations early, teams can focus efforts where they matter most.

One high-impact risk is mislabeled or undocumented data. A training set might contain personal identifiers, but if it wasn’t flagged during intake, those details can slip into production without safeguards.

SAIL mitigation guidance includes promoting strict classification protocols, continuous documentation audits, and thorough validation. These steps build a solid security foundation before systems go live.

Test: AI Red Teaming

Here, AI systems are pushed to the edge with adversarial testing and simulated attacks. The goal is to challenge assumptions, validate defenses, and identify vulnerabilities before real threats exploit them.

Unlike traditional testing, red teaming emulates the creativity and persistence of attackers, making it a powerful tool for exposing overlooked weaknesses.

One common issue is inconsistency. If different teams use varying test methods or severity ratings, critical risks may go undetected or under-prioritized.

To mitigate these issues, SAIL encourages a unified approach to red teaming with standardized taxonomies, trained offensive security staff, and risk-aligned testing scenarios. This consistency ensures every identified weakness receives the attention it deserves.

Deploy: Runtime Guardrails 

Security should continue to evolve even after a model is released. This phase introduces safeguards that operate in real time like filtering inputs, sanitizing outputs, and enforcing runtime policies.

Because AI behavior can shift during deployment, live monitoring and enforcement are essential for detecting anomalies, malicious inputs, or emerging risks.

For example, to prevent prompt injection attacks, models should be wrapped with hardened instructions and protective layers that limit unexpected behavior.

To reduce this risk, SAIL advocates prompt hardening, rigorous input validation, and adversarial testing. These defenses help ensure AI systems stay secure in real-world environments.

Operate: Safe Execution Environments 

Once operational, AI systems must be monitored to prevent harm from unexpected behavior or malicious activity. This phase focuses on creating sandboxed environments for high-risk actions.

Operating AI in isolation limits blast radius if something goes wrong, especially for autonomous systems capable of executing their own code or interacting with sensitive infrastructure.

Imagine an AI agent that writes Python code to automate a task. Without sandboxing or human oversight, that code could open a reverse shell, bypassing all pre-execution checks.

SAIL counters this risk by suggesting mitigations that include runtime restrictions, mandatory code reviews, and strict audit trails for autonomous actions. These safeguards keep high-risk behavior in check.

Monitor: AI Activity Tracing

The final phase emphasizes transparency and accountability. By continuously monitoring AI behavior and performance, teams can identify drift, respond to incidents, and ensure regulatory compliance.

Without this observability, models can degrade silently, outputs may become unpredictable, and malicious behavior can go undetected for weeks or months.

Drift is a prime example. A model trained on customer reviews may slowly lose accuracy as language trends change, but without alerts or validation, this loss of accuracy often goes unnoticed until trust is compromised.

SAIL mitigations include ongoing performance checks, drift detection triggers, and telemetry pipelines that support fast investigation and reliable model updates. With complete visibility, AI systems remain safe, effective, and trustworthy over time.

A Collective Effort in Securing AI

The risks surrounding AI are complex and fast-moving. While existing standards provide a valuable foundation, security teams need a practical framework to connect the dots across the entire lifecycle. SAIL provides that unifying layer. It offers a common structure and shared vocabulary to move from awareness to execution, empowering you to build an AI security roadmap that is tailored to your architecture and risk profile.

We welcome your feedback, suggestions, and insights to ensure that the SAIL Framework remains a valuable, up-to-date, and practical resource for the entire AI and cybersecurity community. Send feedback & get involved: sail@pillar.security

Get Started With SAIL

 

Acknowledgements 

We would like to extend our gratitude to the following reviewers and contributors. Their constructive input and insightful feedback were invaluable throughout the development of this framework. We deeply appreciate their willingness to share their expertise and their commitment to advancing AI security practices within the community:

  • Allie Howe, vCISO, Growth Cyber
  • Assaf Namer, Head of AI Security, Google Cloud
  • Ben Hacmon, CISO, Perion Network
  • Bill Stout,  Technical Director, AI Product Security, Servicenow
  • Brandon Dixon, Former Partner AI Strategist, Microsoft
  • Casey Mott, Associate Director, Data & AI Security, Oscar Health
  • Chris Hughes, Founder, Resilient Cyber
  • Cole Murray, AI Consultant
  • Colton Ericksen, CISO, Starburst
  • Dušan Vuksanovic, CEO of Swisscom Outpost in Silicon Valley
  • Erika Anderson, Senior Security and Compliance - SAP Sovereign Cloud
  • Fabian Libeau, Cyber Security GTM Lead
  • James Berthoty, Founder & CEO, Latio Tech
  • José J. Hernández, CISO, Corning Inc.
  • Kai Wittenburg, CEO, Neam GmbH
  • Manuel García-Cervigón, Security & Compliance Strategic Product Portfolio Architect, Nestlé
  • Matthew Steele, CPO, Generate Security
  • Mor Levi, VP Detection and Response, Salesforce
  • Moran Shalom, CISO, Honeybook
  • Nir Yizhak, CISO & VP, Firebolt Analytics
  • Raz Karmi, CISO, Eleos Health
  • Robert Oh, Chief Digital & Information Officer (CDIO), International
  • Sean Wright, CISO, AvidXchange
  • Steve Paek, Expert- Cybersecurity (AI Security), AT&T
  • Steve Mancini, CISO, Guardant Health
  • Steven Vandenburg, Security Architect - AI, Cotiviti
  • Tomer Maman, CISO, Similarweb
  • Vladimir Lazic, Deputy Global CISO, Philip Morris International

Subscribe and get the latest security updates

Back to blog

MAYBE YOU WILL FIND THIS INTERSTING AS WELL