# Security Governance
Govern identity, secrets, provider policy, data handling, WAF, BotID, and approvals.
## Key takeaways
- Security governance defines what AI systems may access, which providers they may use, and which actions need human or policy approval.
- Core controls include OIDC identity over long-lived credentials, secret management, centralized gateway policy, WAF and BotID, approval gates, and audit logs.
- Approval gates prevent uncontrolled side effects, while audit logs record user, model, tool, and workflow actions for evidence.
- The risk review asks which data classes the flow can reach, which tools mutate state, which provider and region policies apply, and who owns incidents.
Security governance defines what AI systems may access, which providers they may use, and which actions require human or policy approval.
## Governance Controls
| Control | Purpose |
|---|---|
| OIDC and identity | Avoid long-lived deploy credentials |
| Secret management | Keep provider keys out of source and prompts |
| Gateway policy | Centralize provider and model access |
| WAF and BotID | Protect public AI endpoints |
| Approval gates | Prevent uncontrolled side effects |
| Audit logs | Record user, model, tool, and workflow actions |
## Risk Review
- Which data classes can the AI flow access?
- Which tools can mutate state?
- Which provider and region policies apply?
- Who owns incidents and escalations?
- What evidence proves the control worked?
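The following is an added example, not code from this page or from any product it names. It shows how the controls in the table above and the questions in the risk review fit together in one enforcement point: a default-deny tool gateway that checks provider policy, compares the caller's data-class clearance against what a tool can reach, requires a single-use approval before any state-mutating tool runs, and writes an audit record (user, model, provider, workflow, tool, verdict) for every decision. All type and function names (`ToolGateway`, `ToolPolicy`, `CallContext`, `runScenario`), the data classes, and the provider and tool names are assumptions constructed for illustration.

```typescript
// Added example (not from the page): a default-deny tool gateway for an AI
// workflow. All names and sample values below are constructed for illustration.

type DataClass = "public" | "internal" | "confidential";
type Verdict = "allowed" | "denied" | "approval_required";

interface ToolPolicy {
  name: string;
  mutatesState: boolean;        // true if the tool causes side effects
  dataClass: DataClass;         // highest data class the tool can reach
  allowedProviders: string[];   // model providers permitted to call it
}

interface CallContext {
  user: string;
  model: string;
  provider: string;
  workflow: string;
  clearance: DataClass;         // highest data class the caller may access
  approvalId?: string;          // present once a human or policy approval exists
}

interface AuditEvent {
  ts: string;
  user: string;
  model: string;
  provider: string;
  workflow: string;
  tool: string;
  verdict: Verdict;
  reason: string;
  approvalId: string | undefined;
}

interface Decision { verdict: Verdict; reason: string }

// Ordering used to compare a caller's clearance against a tool's data class.
const RANK: Record<DataClass, number> = { public: 0, internal: 1, confidential: 2 };

class ToolGateway {
  private policies = new Map<string, ToolPolicy>();
  private approvals = new Set<string>();     // single-use approval ids
  readonly audit: AuditEvent[] = [];

  register(policy: ToolPolicy): void { this.policies.set(policy.name, policy); }
  grantApproval(id: string): void { this.approvals.add(id); }

  // Pure policy check with no side effects, so it can be tested on its own.
  evaluate(tool: string, ctx: CallContext): Decision {
    const policy = this.policies.get(tool);
    if (!policy) return { verdict: "denied", reason: "unregistered tool (default deny)" };
    if (!policy.allowedProviders.includes(ctx.provider))
      return { verdict: "denied", reason: `provider ${ctx.provider} not permitted` };
    if (RANK[ctx.clearance] < RANK[policy.dataClass])
      return { verdict: "denied", reason: `clearance ${ctx.clearance} below ${policy.dataClass}` };
    if (policy.mutatesState) {
      if (!ctx.approvalId) return { verdict: "approval_required", reason: "mutating tool needs approval" };
      if (!this.approvals.has(ctx.approvalId))
        return { verdict: "denied", reason: "approval id unknown or already used" };
    }
    return { verdict: "allowed", reason: "policy satisfied" };
  }

  // Gate the actual call: record the decision first, then run only on "allowed".
  invoke<T>(tool: string, ctx: CallContext, run: () => T): Decision & { result?: T } {
    const decision = this.evaluate(tool, ctx);
    this.audit.push({
      ts: new Date().toISOString(), user: ctx.user, model: ctx.model, provider: ctx.provider,
      workflow: ctx.workflow, tool, verdict: decision.verdict, reason: decision.reason,
      approvalId: ctx.approvalId,
    });
    if (decision.verdict !== "allowed") return decision;
    if (ctx.approvalId) this.approvals.delete(ctx.approvalId); // consume it so it cannot be replayed
    return { ...decision, result: run() };
  }
}

// Constructed scenario: one read-only tool and one state-mutating tool.
function runScenario(): Verdict[] {
  const gw = new ToolGateway();
  gw.register({ name: "search_docs", mutatesState: false, dataClass: "internal", allowedProviders: ["provider-a", "provider-b"] });
  gw.register({ name: "refund_order", mutatesState: true, dataClass: "confidential", allowedProviders: ["provider-a"] });

  const analyst: CallContext = { user: "alice", model: "model-x", provider: "provider-a", workflow: "support-bot", clearance: "confidential" };
  let refunds = 0;

  gw.invoke("search_docs", analyst, () => ["doc-1"]);                                 // allowed
  gw.invoke("refund_order", analyst, () => ++refunds);                                // approval_required
  gw.grantApproval("apr-42");
  gw.invoke("refund_order", { ...analyst, approvalId: "apr-42" }, () => ++refunds);   // allowed, approval consumed
  gw.invoke("refund_order", { ...analyst, approvalId: "apr-42" }, () => ++refunds);   // denied (replayed approval)
  gw.invoke("search_docs", { ...analyst, provider: "provider-c" }, () => []);         // denied (provider policy)
  gw.invoke("delete_everything", analyst, () => true);                                // denied (unregistered)

  if (refunds !== 1) throw new Error("refund executed outside the approval gate");
  return gw.audit.map((e) => e.verdict);
}
```

Two design choices matter here. `evaluate` is pure, so the policy can be unit-tested without touching real tools, and the audit record is written before the tool runs, so a tool that crashes still leaves evidence of who asked for what (the last risk-review question). Approval ids are consumed on first use; a second call carrying the same id is denied, which is what keeps an approval from being replayed by a later model turn.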