Build your AI Security roadmap with the SAIL 2.0 framework
The SAIL Framework provides a practical, lifecycle-oriented strategy to manage AI-specific risks and build trustworthy AI systems.

What is the SAIL Framework?

In essence, SAIL provides a holistic security methodology covering the complete AI journey, from development to continuous runtime operation. Built on the understanding that AI introduces a fundamentally different lifecycle than traditional software, SAIL bridges both worlds while addressing AI's unique security demands.
SAIL's goal is to unite developers, MLOps, security, and governance teams with a common language and actionable strategies to master AI-specific risks and ensure trustworthy AI. It serves as the overarching framework that integrates with your existing standards and practices.
What can you use SAIL for
Build your roadmap
Assess your current program and get a prioritized plan.
/sail
assess my current AI security program and build a prioritized roadmap based on the SAIL framework
Write an RFP
Turn SAIL risks into vendor evaluation questions.
/sail
turn the SAIL risk catalog into a vendor RFP questionnaire for evaluating an AI application security tool
Run a risk assessment
Map your AI system against the SAIL risk catalog.
/sail
access my AI agent against the SAIL risk catalog and flag the gaps I'm not covering yet
Map to compliance
Turn SAIL controls into a checklist and compare it to your task list.
/sail
turn the SAIL controls into a compliance checklist and compare it against my current task list
Threat-model an agent
Walk an agentic workflow through every SAIL phase.
/sail
walk my agentic workflow through the SAIL phases and surface the threats at each step
/sail
assess my current AI security program and build a prioritized roadmap based on the SAIL framework
/sail
turn the SAIL risk catalog into a vendor RFP questionnaire for evaluating an AI application security tool
/sail
access my AI agent against the SAIL risk catalog and flag the gaps I'm not covering yet
/sail
turn the SAIL controls into a compliance checklist and compare it against my current task list
/sail
walk my agentic workflow through the SAIL phases and surface the threats at each step
SAIL
Your AI Security North Star
The SAIL Framework is a process-oriented methodology that systematically adds security to each phase of the AI journey. It provides a practical approach to unite development, MLOps, security, and governance teams around a common language to manage specific risks.
Last updated: 08.07.2026
AI Policy
1. AI Policy (Plan)
This foundational phase establishes the AI and agentic security policy framework, aligned with business objectives, regulatory requirements, and overall AI governance. It covers identifying agent use cases, assessing compliance needs (EU AI Act, NIST AI RMF, ISO 42001), defining risk-based protection levels, and setting up secure experimentation environments. The phase incorporates dedicated threat modeling for agent-specific risks — reasoning manipulation, tool misuse, privilege escalation through delegation chains, and cascading failures across multi-agent workflows — and formalizes how new models, tools, MCP servers, and data sources get vetted before they enter the environment.
(Plan)
AI Discovery
2. AI Discovery (Code/No Code)
The Discovery phase focuses on identifying, cataloging, and vetting every agent and AI asset in the environment, whether built in-house, embedded in SaaS platforms, or spun up by developers and business users without security involvement. The inventory covers models, datasets, agent configurations, tool connections, MCP servers, and no-code agent builders. Shadow agents make this phase especially critical: you cannot secure what you cannot see, and the gap between known agents and actual agents is where risk concentrates.
(Code/No Code)
Agentic
Posture
3. Agentic Posture (Build)
The Build phase is dedicated to performing a deep posture analysis of the agents and AI assets identified in Discovery. It involves understanding, mapping, and graphing the agent landscape - identity, tool and connector scopes, memory and RAG dependencies, A2A and MCP edges, and the platforms underneath - to establish a clear picture of the system's security posture and the attack paths that span it. Using the protection requirements from the Plan phase, organizations prioritize security controls per asset based on risk and document residual exposure.
(Build)
Agentic Red Teaming
4. Agentic Red Teaming (Test)
In the Test phase, agents undergo rigorous security assessments that simulate adversarial behaviors to uncover vulnerabilities, weaknesses, and risks. Unlike traditional AI testing focused on functionality and performance, agentic red teaming goes beyond standard validation to include goal hijacking, prompt injection across tool chains, privilege escalation through delegation, memory poisoning, inter-agent instruction smuggling, and cascading failure propagation. The depth and intensity of testing align with the protection requirements of the supported business processes and cover all three zones from Chapter 1: code and pipeline, SaaS and cloud, and endpoints.
(Test)
Runtime
Controls
5. Runtime Controls (Deploy)
The Deploy phase ensures that agents are released into production with runtime controls and active enforcement in place. These controls validate every action against policy, enforce least-privilege tool access per invocation, and provide the ability to pause, redirect, or terminate an agent mid-execution. Static allow/deny lists are a starting point, not the finish line: action-level authorization, input/output filtering, and behavioral baselines must be active before an agent goes live.
(Deploy)
Sandbox
6. Sandbox (Operate)
During the Operate phase, agents run within isolated execution environments that limit blast radius. Sandboxing and zero-trust strategies separate agents from critical infrastructure and sensitive data while keeping them productive. For coding agents, MCP servers, and other endpoint-based agents, the sandbox defines what file systems, networks, APIs, and credentials the agent can reach. Isolation applies to agent-to-agent communication as well: a compromised agent should not be able to pivot into another's scope.
(Operate)
Govern
7. Govern (Monitor & Retire)
This phase continuously monitors agent activity in production and governs the end-of-life of every agent. On the monitor side, it collects telemetry, maintains audit trails, and tracks reasoning chains, tool invocations, data access patterns, and inter-agent communication for anomalies that signal drift, misuse, or compromise — validating behavior against the AI policy and feeding signals back into the rest of the lifecycle. On the retire side, it owns decommissioning: revoking the non-human identity, rotating credentials, wiping or archiving memory and cache per data-retention policy, removing scheduled triggers, and capturing an end-of-life audit record.
(Monitor & Retire)
We welcome your feedback, suggestions, and insights to ensure that the SAIL Framework remains a valuable, up-to-date, and practical resource for the entire AI and cybersecurity community
Send feedback & get involved
Copied to clipboard
sail@pillar.security
We would like to extend our gratitude to the following for providing valuable feedback throughout the development of this framework:
John Paramadilok
Executive Director
Raz Karmi
CISO
Robert Oh
Digital & Information Officer (CDIO)

Vladimir Lazic
Deputy Global CISO
Kai Wittenburg
CEO

Nir Yizhak
CISO & VP
Ben Hacmon
CISO
James Berthoty
Founder & CEO
Matan Ofir
VP Information Security
Oren Talmor
CISO
Feras Batainah
UK CISO & Principal Advisory Consultant
Fabian Wipf
CISO
Patricia Titus
CISO
Nate Lee
Co-founder & CISO/CEO
Rajat Sharma
CEO
Ian Schneller
CISO
Assaf Namer
Head of AI Security
Brandon Dixon
Former Partner AI Strategist
Erika Anderson
Senior Security and Compliance
Sean Wright
CISO
Tomer Maman
CISO
Bill Stout
Technical Director, AI Product Security
Manuel García-Cervigón
Security & Compliance Strategic Product Portfolio Architect
Allie Howe
vCISO
Steven Vandenburg
Security Architect
Mor Levi
VP Detection, Analysis & Response (DAR)
Steve Mancini
CISO
Chris Hughes
Founder
Francis Odum
Software Analyst Cybersecurity Research
Colton Ericksen
CISO
Fabian Libeau
GTM Lead
Matthew Steele
CPO
José J. Hernández
VP & Chief Information Security Officer
Cole Murray
AI Consultant
Steve Paek
Director, AI Security
Moran Shalom
CISO
Casey Mott
Associate Director, Data & AI Security
Dušan Vuksanovic
CEO
Ready to
Get Your SAIL Analysis?
See how your AI security measures up against the SAIL framework and get a personalized roadmap for improvement.
We value your privacy. See our Privacy Policy for details.
See how your AI security measures up against the SAIL framework and get a personalized roadmap for improvement.

We've received your message, and we'll follow up via email shortly
