MLSecOps — The ML Security Lifecycle
The term appears in over thirty files across the course corpus, always as a forward reference, never as a taught subject. This module teaches it. Six stages — data, supply chain, training, deployment, inference, incident response — each mapping to content you have already learned. MLSecOps extends DevSecOps: five primitives transfer (SBOM, CI/CD gates, signed artifacts, secrets management, least privilege), five are genuinely new (model scanning, adversarial robustness, drift detection, prompt-injection monitoring, representation-layer analysis). The deployment gate is the single most important practice. The value is the lifecycle, not the content.
MLSecOps is not new content — it is the connective discipline. Every stage maps to content already taught: data security to C3 Pillar 1 + C2B B3; model supply chain to C2B B4/SDD-B07 + B13; training security to C3 Pillars 2–5; deployment security to C2B B7 + C1 Module 5; inference monitoring to C2B B8 + C1 Module 10; incident response to C2B Capstone 2. What MLSecOps adds is the naming, the ordering, the gates between stages, the toolchain, and the operating cadence — the connective tissue that turns pieces into a discipline. A team that learned the pieces in isolation knows the controls; a team that learned MLSecOps knows when to apply each control, what gate it belongs in, and what tool implements it.
MLSecOps extends DevSecOps: five primitives transfer, five are genuinely new. The transferring primitives (SBOM → model SBOM, CI/CD gates → model gates, signed artifacts → signed model/dataset, secrets management, least privilege) apply because the underlying problem is the same — an artifact is produced, transported, verified, deployed, operated. The new primitives (model scanning, adversarial robustness, drift detection, prompt-injection monitoring, representation-layer analysis) have no DevSecOps analogue because they arise from properties of ML that software does not have. The anti-pattern 'we have a CI/CD pipeline, so we are doing MLSecOps' is the team that does the transferring primitives and misses the five new ones. The cure is to extend, not abandon, the DevSecOps substrate.
The deployment gate is the single most important MLSecOps practice. A model does not reach production until four composed checks pass, with evidence recorded in the model SBOM: data security (corpus hash matches manifest, poisoning detection below threshold), model supply chain (ModelScan passed, base SBOM verified, publisher signature valid), training security (red-team eval above threshold, no critical adversarial perturbations), deployment security (harness checklist complete and passing). Production is a privilege earned by evidence, not a default. The gate is the MLSecOps analogue of a DevSecOps deployment gate.
No single tool covers the lifecycle — integrate by stage, via shared evidence. ModelScan covers model-supply-chain scanning; ProtectAI's broader suite covers training, deployment, and monitoring; HiddenLayer is strongest at inference monitoring and training-poisoning detection; Robust Intelligence distinguishes itself with continuous validation. Each produces evidence (scan results, eval scores, monitoring alerts) that the model SBOM carries forward to the next stage's gate. The SBOM is the integration point, not any single vendor's stack.