Build your AI Security roadmap with the SAIL 2.0 framework

The SAIL Framework provides a practical, lifecycle-oriented strategy to manage AI-specific risks and build trustworthy AI systems.

Understanding SAIL

What is the SAIL Framework?

In essence, SAIL provides a holistic security methodology covering the complete AI journey, from development to continuous runtime operation. Built on the understanding that AI introduces a fundamentally different lifecycle than traditional software, SAIL bridges both worlds while addressing AI's unique security demands.


SAIL's goal is to unite developers, MLOps, security, and governance teams with a common language and actionable strategies to master AI-specific risks and ensure trustworthy AI. It serves as the overarching framework that integrates with your existing standards and practices.

PUT THE FRAMEWORK TO WORK

What can you use SAIL for

01

Build your roadmap

Assess your current program and get a prioritized plan.

Skill

/sail

assess my current AI security program and build a prioritized roadmap based on the SAIL framework

Reviewing your program against SAIL phases...
02

Write an RFP

Turn SAIL risks into vendor evaluation questions.

Skill

/sail

turn the SAIL risk catalog into a vendor RFP questionnaire for evaluating an AI application security tool

Generating questions from the SAIL risk catalog…
03

Run a risk assessment

Map your AI system against the SAIL risk catalog.

Skill

/sail

access my AI agent against the SAIL risk catalog and flag the gaps I'm not covering yet

Mapping your agent to 90+ SAIL risks…
04

Map to compliance

Turn SAIL controls into a checklist and compare it to your task list.

Skill

/sail

turn the SAIL controls into a compliance checklist and compare it against my current task list

Building your checklist and matching it to open tasks…
05

Threat-model an agent

Walk an agentic workflow through every SAIL phase.

Skill

/sail

walk my agentic workflow through the SAIL phases and surface the threats at each step

Tracing threats across the agent loop…
Skill
use the sail skill
Available as a skill & plugin — works in
use the sail skill
Available as a skill & plugin — works in
Framework phases

SAIL

Your AI Security North Star

The SAIL Framework is a process-oriented methodology that systematically adds security to each phase of the AI journey. It provides a practical approach to unite development, MLOps, security, and governance teams around a common language to manage specific risks.

Last updated: 08.07.2026

1

AI Policy

1. AI Policy (Plan)

This foundational phase establishes the AI and agentic security policy framework, aligned with business objectives, regulatory requirements, and overall AI governance. It covers identifying agent use cases, assessing compliance needs (EU AI Act, NIST AI RMF, ISO 42001), defining risk-based protection levels, and setting up secure experimentation environments. The phase incorporates dedicated threat modeling for agent-specific risks — reasoning manipulation, tool misuse, privilege escalation through delegation chains, and cascading failures across multi-agent workflows — and formalizes how new models, tools, MCP servers, and data sources get vetted before they enter the environment.

(Plan)

2

AI Discovery

2. AI Discovery (Code/No Code)

The Discovery phase focuses on identifying, cataloging, and vetting every agent and AI asset in the environment, whether built in-house, embedded in SaaS platforms, or spun up by developers and business users without security involvement. The inventory covers models, datasets, agent configurations, tool connections, MCP servers, and no-code agent builders. Shadow agents make this phase especially critical: you cannot secure what you cannot see, and the gap between known agents and actual agents is where risk concentrates.

(Code/No Code)

3

Agentic
Posture

3. Agentic Posture (Build)

The Build phase is dedicated to performing a deep posture analysis of the agents and AI assets identified in Discovery. It involves understanding, mapping, and graphing the agent landscape - identity, tool and connector scopes, memory and RAG dependencies, A2A and MCP edges, and the platforms underneath - to establish a clear picture of the system's security posture and the attack paths that span it. Using the protection requirements from the Plan phase, organizations prioritize security controls per asset based on risk and document residual exposure.

(Build)

4

Agentic Red Teaming

4. Agentic Red Teaming (Test)

In the Test phase, agents undergo rigorous security assessments that simulate adversarial behaviors to uncover vulnerabilities, weaknesses, and risks. Unlike traditional AI testing focused on functionality and performance, agentic red teaming goes beyond standard validation to include goal hijacking, prompt injection across tool chains, privilege escalation through delegation, memory poisoning, inter-agent instruction smuggling, and cascading failure propagation. The depth and intensity of testing align with the protection requirements of the supported business processes and cover all three zones from Chapter 1: code and pipeline, SaaS and cloud, and endpoints.

(Test)

5

Runtime
Controls

5. Runtime Controls (Deploy)

The Deploy phase ensures that agents are released into production with runtime controls and active enforcement in place. These controls validate every action against policy, enforce least-privilege tool access per invocation, and provide the ability to pause, redirect, or terminate an agent mid-execution. Static allow/deny lists are a starting point, not the finish line: action-level authorization, input/output filtering, and behavioral baselines must be active before an agent goes live.

(Deploy)

6

Sandbox

6. Sandbox (Operate)

During the Operate phase, agents run within isolated execution environments that limit blast radius. Sandboxing and zero-trust strategies separate agents from critical infrastructure and sensitive data while keeping them productive. For coding agents, MCP servers, and other endpoint-based agents, the sandbox defines what file systems, networks, APIs, and credentials the agent can reach. Isolation applies to agent-to-agent communication as well: a compromised agent should not be able to pivot into another's scope.

(Operate)

7

Govern

7. Govern (Monitor & Retire)

This phase continuously monitors agent activity in production and governs the end-of-life of every agent. On the monitor side, it collects telemetry, maintains audit trails, and tracks reasoning chains, tool invocations, data access patterns, and inter-agent communication for anomalies that signal drift, misuse, or compromise — validating behavior against the AI policy and feeding signals back into the rest of the lifecycle. On the retire side, it owns decommissioning: revoking the non-human identity, rotating credentials, wiping or archiving memory and cache per data-retention policy, removing scheduled triggers, and capturing an end-of-life audit record.

(Monitor & Retire)

We would like to extend our gratitude to the following for providing valuable feedback throughout the development of this framework:

Acknowledgements

John Paramadilok

Executive Director

Raz Karmi

CISO

Robert Oh

Digital & Information Officer (CDIO)

Phillip Morris International logo featuring a crowned shield with stylized horse and lion figures.

Vladimir Lazic

Deputy Global CISO

Kai Wittenburg

CEO

Red FIREBOLT text with horizontal glitch distortion on a white background.

Nir Yizhak

CISO & VP

Ben Hacmon

CISO

James Berthoty

Founder & CEO

Matan Ofir

VP Information Security

Oren Talmor

CISO

Feras Batainah

UK CISO & Principal Advisory Consultant

Fabian Wipf

CISO

Patricia Titus

CISO

Nate Lee

Co-founder & CISO/CEO

Rajat Sharma

CEO

Individual contributors

Ian Schneller

CISO

Assaf Namer

Head of AI Security

Brandon Dixon

Former Partner AI Strategist

Erika Anderson

Senior Security and Compliance

Sean Wright

CISO

Tomer Maman

CISO

Bill Stout

Technical Director, AI Product Security

Manuel García-Cervigón

Security & Compliance Strategic Product Portfolio Architect

Allie Howe

vCISO

Steven Vandenburg

Security Architect

Mor Levi

VP Detection, Analysis & Response (DAR)

Steve Mancini

CISO

Chris Hughes

Founder

Francis Odum

Software Analyst Cybersecurity Research

Colton Ericksen

CISO

Individual contributors

Fabian Libeau

GTM Lead

Individual contributors

Matthew Steele

CPO

José J. Hernández

VP & Chief Information Security Officer

Individual contributors

Cole Murray

AI Consultant

Steve Paek

Director, AI Security

Moran Shalom

CISO

Casey Mott

Associate Director, Data & AI Security

Dušan Vuksanovic

CEO

Ready to
Get Your SAIL Analysis?

See how your AI security measures up against the SAIL framework and get a personalized roadmap for improvement.

Step 1 of 2
Please enter valid work email
Next
Please enter your first name
Please enter your last name
Submit

See how your AI security measures up against the SAIL framework and get a personalized roadmap for improvement.

Diagram showing AI risk categories and specific issues: AI Policy & Safe experimentation, Code/No Code AI Asset Discovery, Build AI Security Posture Management, and Test AI Recruitment and Teaming with associated risks like unrestricted data access, shadow AI deployment, data poisoning, and insecure ML pipeline jobs.
Thank you

We've received your message, and we'll follow up via email shortly