Every hype cycle brings fresh security concerns, and AI is no exception. AI governance might sound like uncharted territory, but it’s really just another evolution of the same security principles AppSec teams have been applying for years. The fundamentals—secure coding, risk management, compliance, and policy enforcement—haven’t changed.

If your organization already follows secure coding practices, access control policies, and compliance frameworks, you’re well-equipped to handle AI. Governance around new AI models and components, including inference providers, datasets, RAG, and agents, for example, fits neatly into existing security and compliance workflows. Governing AI applications is not far off from governing any other non-AI applications. We already apply security controls to automation and machine learning models in fraud detection, bot mitigation, and anomaly detection.

The key isn’t to reinvent governance—it’s to refine and adapt existing best practices. Secure development lifecycles (SDLC), risk assessments, and policy enforcement mechanisms don’t need a dramatic overhaul. They just need to account for AI as another factor in software security.

That being said…

While AI governance is largely an extension of existing security governance practices, there are a few concerns that are slightly different from what we’ve encountered before, such as:

• Unpredictable Model Behavior: Traditional software operates in deterministic ways, but AI models can behave unpredictably, producing different outputs for the same input or even “hallucinating” responses that don’t align with reality.
• Data Leakage Risks: AI-powered applications can unintentionally expose proprietary information if trained on sensitive data or configured without proper safeguards.
• Adversarial Manipulation: Attackers can exploit AI’s vulnerabilities, such as poisoning training data or crafting inputs that bypass security measures in ways traditional rule-based systems wouldn’t allow.
• Regulatory Uncertainty: While compliance frameworks like SOC 2 and ISO 27001 provide strong governance foundations, AI-specific regulations are still evolving, requiring organizations to stay agile.
• AI Licenses Are Built Different: Many AI models and weights are open… sort of. But they’re not the same as traditional open source licenses.

These challenges are not insurmountable, and most can be addressed with the same security-first, shift-left mindset AppSec pros already use. AI may be a new(ish) tool, but securing it is just another iteration of the same governance playbook.

If it all feels overwhelming, there’s just one place to start: finding the shadow AI in your codebase and beyond. You cannot protect or govern the things you’re not aware of. 

From there, address these top-level concerns by fitting them into existing AppSec practices:

Data governance and privacy controls

• Ensure AI models don’t train on sensitive or proprietary data that could lead to unintentional data leakage.
• Implement role-based access controls (RBAC) for AI tools handling security-sensitive tasks.
• Regularly audit input and output logs to detect potential data exposure.

AI model security and monitoring

• Protect against adversarial attacks by validating AI inputs and outputs against known attack patterns.
• Regularly test AI models to prevent model drift and security regressions.
• Use explainable AI (XAI) techniques to make AI decisions more transparent and auditable.

Regulatory compliance and policy enforcement

• Align AI security policies with existing compliance frameworks like SOC 2, ISO 27001, and GDPR.
• Maintain clear documentation of AI decision-making processes to support compliance audits.
• Monitor emerging AI-specific regulations and adjust governance policies accordingly.

AI supply chain security

• Vet third-party AI models for security risks before integration into production environments.
• Use hashing and digital signatures to verify the integrity of AI models and prevent tampering.
• Enforce provenance tracking for artifacts to ensure traceability.

AI risk assessment and incident response

• Incorporate AI-specific risks into existing threat models and security assessments.
• Develop AI-specific incident response playbooks to handle misconfigurations or unexpected model behavior.
• Conduct red teaming exercises to simulate attacks against AI-powered systems.

Ethical AI and bias mitigation

• Regularly test AI models for bias and fairness issues, particularly in security decision-making.
• Establish AI ethics committees to review high-risk AI applications.
• Provide users with visibility and control over AI-driven security decisions where applicable.

All of these governance measures build upon existing AppSec best practices and reinforce the idea that AI security is an evolution—not a reinvention—of the governance frameworks we already use.

*** This is a Security Bloggers Network syndicated blog from Mend authored by Lisa Haas. Read the original post at: https://www.mend.io/blog/ai-governance-in-appsec-the-more-things-change-the-more-they-stay-the-same/