
Microsoft Defender for Cloud Blog

Demystifying AI Security Posture Management

chrisjeffreyuk
Dec 09, 2025

Awareness Equates to the Inception of Knowledge

Introduction

In the ever-evolving paradigm shift that is Generative AI, adoption is accelerating at an unprecedented rate. Organizations find it increasingly challenging to keep up with the many branches of security defence and attack that accompany this adoption.

With agentic and autonomous agents being the new security frontier we will be concentrating on for the next 10 years, the need to understand, secure and govern what Generative AI applications are running within an organisation becomes critical.  

Organizations that have a strong “security first” principle have been able to integrate AI by following appropriate methodologies such as Microsoft’s Prepare, Discover, Protect and Govern approach, and are now accelerating the adoption with strong posture management. 

 

Link: Build a strong security posture for AI | Microsoft Learn

 

However, due to the nature of this rapid adoption, many organizations have found themselves in a “chicken and egg” situation whereby they are racing to allow employees and developers to adopt and embrace both Low Code and Pro Code solutions such as Microsoft Copilot Studio and Microsoft Foundry, but due to governance and control policies not being implemented in time, now find themselves in a Shadow AI situation, and require the ability to retroactively assess already deployed solutions. 

Why AI Security Posture Management?

Generative AI Workloads, like any other, can only be secured and governed if the organization is aware of their existence and usage. With the advent of Generative AI we now not only have Shadow IT but also Shadow AI, so the need to be able to discover, assess, understand, and govern the Generative AI tooling that is being used in an organisation is now more important than ever. 

Consider the risks mentioned in the recent Microsoft Digital Defence Report and how they align to AI Usage, AI Applications and AI Platform Security. As Generative AI becomes more ingrained in the day-to-day operations of organizations, so does the potential for increased attack vectors, misuse and the need for appropriate security oversight and mitigation. 

 

Link: Microsoft Digital Defense Report 2025 – Safeguarding Trust in the AI Era

 

A recent study by KPMG discussing Shadow AI listed the following statistics:

  • 44% of employees have used AI in ways that contravene policies and guidelines, indicating a significant prevalence of shadow AI in organizations.
  • 57% of employees have made mistakes due to AI, and 58% have relied on AI output without evaluating its accuracy.
  • 41% of employees report that their organization has a policy guiding the use of GenAI, highlighting a huge gap in guardrails.

A very informed comment by Swami Chandrasekaran, Principal, US and Global AI and Data Labs leader at KPMG, states:

 “Shadow AI isn’t a fringe issue—it’s a signal that employees are moving faster than the systems designed to support them. Without trusted oversight and a coordinated architectural strategy, even a single shortcut can expose the organization to serious risk. But with the right guardrails in place, shadow AI can become a powerful force for innovation, agility, and long-term competitive advantage. The time to act is now—with clarity, trust, and bold forward-looking leadership.” 

Link: Shadow AI is already here: Take control, reduce risk, and unleash innovation

 

It’s abundantly clear that organizations require integrated solutions to deal with the escalating risks and potential flashpoints. The “Best of Breed” approach is no longer sustainable, considering the integration challenges that can arise in both cross-platform support and data ingestion charges. This is where the requirements for a modern CNAPP start to come to the forefront.

The Next Era of Cloud Security report created by the IDC highlights Cloud Native Application Protection Platforms (CNAPPs) as a key investment area for organizations: 

“The IDC CNAPP Survey affirmed that 71% of respondents believe that over the next two years, it would be beneficial for their organization to invest in an integrated SecOps platform that includes technologies such as XDR/EDR, SIEM, CNAPP/cloud security, GenAI, and threat intelligence.” 

Link: The Next Era of Cloud Security: Cloud-Native Application Protection Platform and Beyond

AI Security Posture Management vs Data Security Posture Management

Data Security Posture Management (DSPM) is often discussed, having evolved prior to the conceptualization of Generative AI. However, DSPM is its own solution that is covered in the Blog Post Data Security Posture Management for AI.

AI Security Posture Management (AI-SPM) focuses solely on the ability to monitor, assess and improve the security of AI systems, models, data and infrastructure in the environment.

Microsoft’s Approach – Defender for Cloud

Defender for Cloud is Microsoft’s modern Cloud Native Application Protection Platform (CNAPP), encompassing multiple cloud security solution services across both Proactive Security and Runtime Protection.

 

 

 

However, for the purposes of this article, we will just be delving into AI Security Posture Management (AI-SPM), which is a sub-feature of Cloud Security Posture Management (CSPM). Both sit under Proactive Security solutions.

 

 

Link: Microsoft Defender for Cloud Overview - Microsoft Defender for Cloud | Microsoft Learn

Understanding AI Security Posture Management

The following sections “cut to the chase” on each of the four areas, covering an overview of the solution and its requirements. For detailed information on feature enablement and usage, each section includes a link to the full documentation on Microsoft Learn for further reading.

AI Security Posture Management

AI Security Posture Management is a key component of the all-up Cloud Security Posture Management (CSPM) solution, and focuses on 4 key areas:

  • Generative AI Workload Discovery
  • Vulnerability Assessment
  • Attack Path Analysis
  • Security Recommendations

Generative AI Workload Discovery

Overview

Arguably, the principal role of AI Security Posture Management is to discover and identify Generative AI Workloads in the organization. Understanding what AI resources exist in the environment is the key to understanding their defence.

Microsoft refers to this as the AI Bill-Of-Materials or AI-BOM. Bill-Of-Materials is a manufacturing term used to describe the components that go together to create a product (think door, handle, latch, hinges and screws). In the AI World this becomes application components such as data and artifacts. 

AI-SPM can discover Generative AI Applications across multiple supported services including: 

  • Azure OpenAI Service
  • Microsoft Foundry
  • Azure Machine Learning
  • Amazon Bedrock
  • Google Vertex AI (Preview)

 

 

Why no Microsoft Copilot Studio Integration?

Microsoft Copilot Studio is not an external or custom AI agent service and is deeply integrated into Microsoft 365. Security posture for Microsoft Copilot Studio is handed over to Microsoft Defender for Cloud Apps and Microsoft Purview, with applications being marked as Sanctioned or Unsanctioned via the Defender for Cloud portal. 

For more information on Microsoft Defender for Cloud Apps see the link below.

Link: App governance in Microsoft Defender for Cloud Apps and Microsoft Defender XDR - Microsoft Defender for Cloud Apps | Microsoft Learn

 

Requirements

  • An active Azure Subscription with Microsoft Defender for Cloud.
  • Cloud Security Posture Management (CSPM) Enabled
  • Have at least one environment with an AI supported workload.

Link: Discover generative AI workloads - Microsoft Defender for Cloud | Microsoft Learn

Vulnerability Assessment

Once you have a clear overview of which AI resources exist in your environment, Vulnerability Assessment in AI-SPM allows you to cover two main areas of consideration.  

  • The first allows the organization to discover containers that are running generative AI images with known vulnerabilities.
  • The second allows vulnerability discovery within Generative AI library dependencies such as TensorFlow, PyTorch, and LangChain.

 

 

Both options will align any vulnerabilities detected to known Common Vulnerabilities and Exposures (CVE) IDs via Microsoft Threat Detection.  

 

Requirements

  • An active Azure Subscription with Microsoft Defender for Cloud.
  • Cloud Security Posture Management (CSPM) Enabled
  • Have at least one Azure OpenAI resource, with at least one model deployment connected to it via Azure AI Foundry portal.

 

Link: Explore risks to pre-deployment generative AI artifacts - Microsoft Defender for Cloud | Microsoft Learn

Attack Path Analysis

AI-SPM hunts for potential attack paths in a multi-cloud environment, by concentrating on real, externally driven and exploitable threats rather than generic scenarios. Using a proprietary algorithm, the attack path is mapped from outside the organization, through to critical assets. 

The attack path analysis is used to highlight immediately exploitable threats to the business, which attackers would be able to use to breach the environment. Recommendations are given to resolve the detected security issues.

Discovered Attack Paths are organized by risk levels, which are determined using a context-aware risk-prioritization engine that considers the risk factors of each resource.  
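A simplified illustration of the attack path idea described above, added here as an example and not Defender for Cloud's proprietary algorithm or Microsoft code: it searches a constructed resource graph for paths from the internet to critical AI assets and orders them by summed risk factors. The resource names, risk factors, weights and level thresholds are all assumptions.

```python
from collections import deque

# Constructed environment (not real resources). Edge A -> B: control of A gives access to B.
EDGES = {
    "internet": ["vm-web", "storage-public"],
    "vm-web": ["identity-web"],
    "identity-web": ["openai-prod"],
    "storage-public": ["ml-workspace-dev"],
    "vm-batch": ["openai-prod"],  # internal only: no path from the internet
}
# Hypothetical risk factors per resource, and an assumed weight for each factor.
FACTORS = {
    "vm-web": {"internet_exposed", "high_severity_vuln"},
    "identity-web": {"over_privileged"},
    "openai-prod": {"sensitive_data"},
    "storage-public": {"internet_exposed"},
}
WEIGHTS = {"internet_exposed": 3, "high_severity_vuln": 3, "over_privileged": 2, "sensitive_data": 4}
CRITICAL = {"openai-prod", "ml-workspace-dev"}  # assets an attack path must not reach

def find_attack_paths(edges, entry, critical):
    """Breadth-first search for every loop-free path from entry to a critical asset."""
    paths, queue = [], deque([[entry]])
    while queue:
        path = queue.popleft()
        for nxt in edges.get(path[-1], []):
            if nxt in path:  # already on this path: skip the cycle
                continue
            if nxt in critical:
                paths.append(path + [nxt])
            queue.append(path + [nxt])
    return paths

def score(path):
    """Sum the weights of all risk factors on the resources along the path."""
    return sum(WEIGHTS[f] for node in path for f in FACTORS.get(node, ()))

def rank_paths(edges=EDGES, entry="internet", critical=CRITICAL):
    """Return (level, score, path) tuples, highest risk first."""
    ranked = []
    for path in find_attack_paths(edges, entry, critical):
        s = score(path)
        level = "Critical" if s >= 10 else "High" if s >= 6 else "Medium" if s >= 3 else "Low"
        ranked.append((level, s, path))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for level, s, path in rank_paths():
        print(f"{level:8} {s:2}  {' -> '.join(path)}")
```

The internal-only `vm-batch` never appears in the output even though it carries a high-severity vulnerability and touches `openai-prod`, which is the point of starting the search from outside the organization.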

 

 

Requirements

  • An active Azure Subscription with Microsoft Defender for Cloud.
  • Cloud Security Posture Management (CSPM) with Agentless Scanning Enabled.
  • Required roles and permissions: Security Reader, Security Admin, Reader, Contributor, or Owner.

To view attack paths that are related to containers:

  • You must enable agentless container posture extension in Defender CSPM or
  • You can enable Defender for Containers, and install the relevant agents in order to view attack paths that are related to containers. This also gives you the ability to query containers data plane workloads in security explorer.
  • Required roles and permissions: Security Reader, Security Admin, Reader, Contributor, or Owner.

 

Link: Identify and remediate attack paths - Microsoft Defender for Cloud | Microsoft Learn

Security Recommendations

Microsoft Defender for Cloud evaluates all resources discovered, including AI resources, and all workloads based on both built-in and custom security standards, which are implemented across Azure subscriptions, Amazon Web Services (AWS) accounts, and Google Cloud Platform (GCP) projects. Following these assessments, security recommendations offer actionable guidance to address issues and enhance the overall security posture. 

Defender for Cloud utilizes an advanced dynamic engine to systematically assess risks within your environment by considering exploitation potential and possible business impacts. This engine prioritizes security recommendations according to the risk factors associated with each resource, determined by the context of the environment, including resource configuration, network connections, and existing security measures. 

 

 

Requirements

There are no specific requirements for Security Recommendations if you have Defender for Cloud enabled in the tenant, as the feature is included by default. However, you will not be able to see Risk Prioritization unless you have the Defender for CSPM plan enabled.

 

Link: Review Security Recommendations - Microsoft Defender for Cloud | Microsoft Learn

CSPM Pricing 

CSPM has two billing models:

  • Foundational CSPM (Free)
  • Defender CSPM, which has its own additional billing model. AI-SPM is only included as part of the Defender CSPM plan.

 

| | Foundational CSPM | Defender CSPM | Cloud Availability |
|---|---|---|---|
| AI Security Posture Management | - | Included | Azure, AWS, GCP (Preview) |
| Price | Free | $5.11/Billable resource/month | |

 

 

Information regarding licensing in this article is provided for guidance purposes only and doesn’t provide any contractual commitment. This list and license requirements are subject to change without any prior notice.  

Full details can be found in the official Microsoft documentation here:

Link: Pricing - Microsoft Defender for Cloud | Microsoft Azure

 

Final Thoughts

AI Security Posture Management can no longer be considered an optional component of security, but rather a cornerstone of any organization’s operations. The integration of Microsoft Defender for Cloud across all areas of an organization shows the true potential of a modern CNAPP, where AI is no longer a business objective, but rather a functional business component.

Updated Dec 09, 2025
Version 1.0