60 minutes · The connective discipline that ties C1, C2B, and C3 into a single security lifecycle
MLSecOps is not new content. It names the discipline and maps the existing content into it. You have already learned every stage. What you have not done is see them as one lifecycle, with a toolchain and an operating cadence that runs from data, through training, through deployment, through inference, through incident response.
Pillar 4 — Frameworks & Governance
C1: harness engineering. C2B: AI security attacks and defenses. C3: fine-tuning. Each module is complete. Each is a piece.
The lifecycle view: the naming, the ordering, the gates between stages, the toolchain, and the operating cadence. The connective tissue that turns pieces into a discipline.
| Stage | Security concern | Maps to |
|---|---|---|
| 1. Data security | Provenance, chain-of-custody, dataset signing, poisoning detection | C3 Pillar 1 + C2B B3 (Memory Poisoning) |
| 2. Model supply chain | Model SBOM, ModelScan, registry verification, hash match | C2B B4 / SDD-B07 + B13 representation attacks |
| 3. Training security | Run integrity, adversarial training, red-team eval, FT hardening | C3 Pillars 2–5 |
| 4. Deployment security | Five-layer harness, C2B defenses, deployment-as-a-gate | C2B B7 + C1 Module 5 |
| 5. Inference monitoring | Observability, drift detection, injection detection, output scoring | C2B B8 + C1 Module 10 |
| 6. Incident response | Runbooks, containment, rollback, root-cause mapping, feedback | C2B Capstone 2 |
Failure: poisoning (clean-label attack), tampered corpus, untrusted third-party dataset. Control: provenance, chain-of-custody, dataset signing, poisoning detection (statistical anomaly on the training distribution).
Failure: trojaned base model, typosquat, evil-twin with valid signature, representation-level backdoor. Control: model SBOM, ModelScan, registry verification, hash matching. The model is a dependency — treat it like one.
Two concerns: (1) training-run integrity (no unauthorized modification of the run); (2) adversarial robustness (the model resists the threats it will face). Controls: access-controlled infra, hashed data, version-controlled hyperparams, adversarial training, red-team eval before deployment.
Failure: the un-harnessed model (served without input validation, tool contracts, sandbox, output handling). Control: the C1 five-layer harness + the C2B defenses. Deployment is a gate, not an event.
Concern: no model is safe at rest; safety is a property of the running system. Threats: deployed attacks (injection, hijack), drift, slow-compromise, silent hallucination. Controls: observability substrate, anomaly detection, injection detection, drift detection.
Failure: undetected, slow-contained, repeated, or un-attributed incidents. Controls: runbooks per incident class, the Capstone 2 engagement as rehearsal, root-cause mapping to a lifecycle stage, and the feedback loop that feeds lessons back into earlier stages.
SBOM (software → model), CI/CD gates, signed artifacts (.safetensors), secrets management, least privilege. The substrate.
Five concerns with no software analogue: (1) model scanning (weight analysis, not binary scanning), (2) adversarial robustness (continuous surface, no clean boundary), (3) drift detection (runtime, not static), (4) prompt-injection monitoring (LLM-specific), (5) representation-layer analysis (the model's internal geometry).
| Check | What must pass | Evidence |
|---|---|---|
| 1. Data security | Corpus hash matches signed manifest; poisoning detection below threshold | Data-provenance report |
| 2. Model supply chain | ModelScan passed; base model SBOM verified; publisher signature valid | Model-scan report + lineage |
| 3. Training security | Red-team eval above threshold; no critical adversarial perturbations | Eval scores + robustness report |
| 4. Deployment security | Five-layer harness checklist complete; C2B defenses configured | Harness-checklist report |
| Tool | Stages covered | Threat addressed |
|---|---|---|
| ModelScan (ProtectAI) | Stage 2 (model supply chain) | Trojaned models, malicious weights, pickle deserialization, anomalous tensors. The canonical file-scanning gate. |
| ProtectAI suite | Stages 3, 4, 5 | Adversarial inputs, prompt injection, production drift, robustness gaps. Most complete single-vendor stack; gaps at data + incident. |
| HiddenLayer | Stages 3 (poisoning) + 5 (runtime) | Adversarial inputs, model extraction, training poisoning, runtime drift. Strongest for high-throughput adversarial serving. |
| Robust Intelligence (Cisco) | Stages 3, 4, 5 (continuous) | Robustness regression post-deployment, poisoning, behavior drift. Continuous validation on a cadence, not just at deployment. |
.safetensors file for known backdoor patterns — the canonical deployment gate..safetensors — extract tensor metadata, run three checks (tensor-name patterns, weight-distribution anomalies, provenance verification), produce a deployment-gate report (PASS/FAIL with reasons). The model is a dependency; dependencies get scanned; the scan is the gate.
MLSecOps is not new content — it is the connective discipline that ties C1, C2B, and C3 into one lifecycle.