Security controls for the development stage

The development stage requires foundational security controls that establish essential protections without impeding the rapid iteration and experimentation that characterizes the PoC objectives. At this stage, security focuses on building secure practices into the development workflow while maintaining the agility needed for innovation.

During system design, threat modelling provides the foundation for all subsequent security decisions. Conducting threat modelling early identifies security requirements before they become costly to implement. This helps teams understand the unique attack surface of generative AI applications across input processing, reasoning, and output generation. This analysis directly informs the implementation of basic guardrails. Adopting solutions such as Amazon Bedrock Guardrails with prompt injection filters can help provide immediate protection against common attack vectors while remaining lightweight enough for experimental environments.

Fundamental access controls can protect development environments, training data, and model artifacts through appropriate authentication mechanisms. They also help you securely store sensitive data and credentials. Development environments should implement role-based access controls that limit access to training datasets, model configurations, and experimental outputs based on team member responsibilities. Secure credential management and encrypted storage of sensitive artifacts can prevent unauthorized access while maintaining the collaborative nature essential for effective development work. Finally, development environments should be integrated with a AWS Security Hub CSPM to support organizational security observability needs.

Supply chain security assessment and basic data validation for training complete the development stage security posture. These controls address the integrity of third-party models, libraries, and data sources. They also implement validation processes to detect potential data poisoning or bias. The lightweight nature of these controls helps teams to establish security foundations early. This can help you avoid costly retrofitting while preparing for the more rigorous requirements of subsequent stages.

For more information, see the following resources:

• AWS Well-Architected Framework best practices:

  • Enforce encryption at rest

  • Identify threats and prioritize mitigations using a threat model

  • Grant least privilege access

  • Implement secure key management

  • Understand your data classification scheme

  • Use strong sign-in mechanisms

• Threat modeling your generative AI workload to evaluate security risk (AWS blog post)