AWS re:Invent 2025 - Advanced AI Security: Architecting Defense-in-Depth for AI Workloads (SEC410)

Securing AI Workloads: Architecting Defense-in-Depth

Introduction

  • This was an advanced session on securing AI workloads using AWS services and open-source frameworks.
  • The presenters, Rick Goodman and Jason Garmin, are Principal Security Solutions Architects at AWS focused on AI security.
  • The session was structured in phases to cover different aspects of securing AI applications, from the foundational layer to advanced agent-based architectures.

Phase 1: Securing the Foundational Layer

  • Large Language Models (LLMs) are the core of many AI applications, but they are complex "black boxes" that pose unique security challenges.
  • LLMs are not deterministic: their outputs vary with sampling hyperparameters such as temperature, so the same prompt is not guaranteed to produce the same response twice.
  • LLMs have no built-in data authorization or identity management: anything placed in the prompt is processed without regard to who is allowed to see it.
  • AWS provides Amazon Bedrock, a managed service for deploying LLMs, which includes Bedrock Guardrails to filter out harmful or sensitive content. However, these are non-deterministic controls.
  • The key is to "implement security outside the model" rather than trying to secure the LLM itself.

Data Sources and Retrieval Augmented Generation (RAG)

  • AI applications assemble the prompt sent to the LLM from several sources (the practice the presenters call context engineering), including vector databases (RAG) and conversation memory.
  • RAG allows unstructured data to be indexed into a vector database, which can then be queried to find relevant chunks to include in the prompt.
  • Permissions management is critical when using RAG, as the application needs to ensure the user only has access to the appropriate data chunks.
  • Techniques like per-user/group vector databases and pre-retrieval metadata filtering can be used to enforce permissions.
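The following is an added example, not code from the session or from AWS: a toy in-memory vector index that contrasts pre-retrieval metadata filtering (the pattern recommended above) with the weaker post-retrieval filtering. Chunk identifiers, group names and the three-dimensional "embeddings" are all constructed for the illustration; a real deployment would use the metadata filter of its vector store and embeddings from a model.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    embedding: list          # constructed toy vector, not real model output
    allowed_groups: frozenset  # groups permitted to read this chunk


# Constructed sample index. In production this metadata comes from the
# source system's ACLs and is written alongside each chunk at ingest time.
INDEX = [
    Chunk("hr-001", "Salary bands for 2025", [0.9, 0.1, 0.0], frozenset({"hr"})),
    Chunk("hr-002", "Performance review template", [0.8, 0.2, 0.1], frozenset({"hr", "managers"})),
    Chunk("eng-001", "On-call runbook", [0.1, 0.9, 0.0], frozenset({"engineering"})),
    Chunk("pub-001", "Holiday calendar", [0.5, 0.5, 0.2], frozenset({"everyone"})),
]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def retrieve_prefiltered(query, user_groups, k=2):
    """Pre-retrieval filtering: only chunks the caller is allowed to read
    enter similarity ranking, so unauthorized data never reaches the prompt
    and the caller still gets up to k relevant results."""
    candidates = [c for c in INDEX if c.allowed_groups & user_groups]
    ranked = sorted(candidates, key=lambda c: cosine(query, c.embedding), reverse=True)
    return [c.doc_id for c in ranked[:k]]


def retrieve_postfiltered(query, user_groups, k=2):
    """Weaker pattern for comparison: rank everything, then drop chunks the
    caller may not read. Unauthorized chunks still flow through the pipeline,
    and the caller may get fewer than k (even zero) results."""
    ranked = sorted(INDEX, key=lambda c: cosine(query, c.embedding), reverse=True)[:k]
    return [c.doc_id for c in ranked if c.allowed_groups & user_groups]


def build_context(query, user_groups, k=2):
    """Assemble prompt context strictly from the pre-filtered result set."""
    ids = retrieve_prefiltered(query, user_groups, k)
    by_id = {c.doc_id: c for c in INDEX}
    return "\n".join(f"[{i}] {by_id[i].text}" for i in ids)


if __name__ == "__main__":
    # A query that resembles the HR chunks, issued by an engineer.
    q = [0.9, 0.1, 0.0]
    groups = frozenset({"engineering", "everyone"})
    print("pre-filtered :", retrieve_prefiltered(q, groups))   # ['pub-001', 'eng-001']
    print("post-filtered:", retrieve_postfiltered(q, groups))  # []
    print(build_context(q, groups))
```

For the engineer's query the post-filtered variant returns nothing, because the two HR chunks occupy the top-k slots before the permission check runs; the pre-filtered variant returns the two chunks the engineer is actually allowed to read. The same idea generalizes to per-user or per-tenant indexes, which simply make the filter a property of which index is opened.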

Tool-Based Architectures

  • Tools allow AI applications to take actions beyond just generating text, such as controlling a web browser or calling APIs.
  • Tool definitions specify the inputs, outputs, and purpose of a tool, which the LLM can then reason about and decide which tools to call.
  • The security implication is that tool calls must be authorized outside the model: the application uses identity-based access controls to ensure the LLM can only invoke permitted tools, and only with validated parameters.
  • The Model Context Protocol (MCP) provides a standard way to define and interact with tools, including support for OAuth-based authorization.

Agent-Based Architectures

  • Agents are autonomous, goal-oriented AI systems that can plan, reason, and take actions to achieve their objectives.
  • Agents use an "agentic loop" to continuously interact with the LLM, tools, and data sources to accomplish their goals.
  • This increases the complexity and risk profile, as the agent has more decision-making power delegated to the LLM.
  • Techniques like human-in-the-loop approval hooks and deterministic workflow design can help maintain control and security.
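The following added example (not code from the session, and not any AWS or MCP library) ties together the tool-authorization point from the previous section and the human-in-the-loop and deterministic-workflow techniques above. A minimal agentic loop runs tool calls proposed by a scripted stand-in for the LLM through a deterministic gate: the tool must exist in the registry, the calling principal must be permitted to use it, the arguments must match the tool's declared schema, high-impact tools require an approver's consent, and a fixed step budget bounds the loop. The tool names, principal and planner output are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ToolSpec:
    name: str
    params: Dict[str, type]          # declared parameter name -> required type
    requires_approval: bool = False  # human-in-the-loop gate for high-impact actions


@dataclass(frozen=True)
class Principal:
    user_id: str
    allowed_tools: frozenset        # identity-based allow-list of tool names


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: Dict[str, Any]


# Constructed registry of hypothetical tools; names are not real APIs.
TOOLS = {
    "search_tickets": ToolSpec("search_tickets", {"query": str}),
    "refund_order": ToolSpec("refund_order", {"order_id": str, "amount": float}, requires_approval=True),
    "delete_account": ToolSpec("delete_account", {"account_id": str}, requires_approval=True),
}

# Stand-in executors so the loop has something to run once a call is allowed.
EXECUTORS = {
    "search_tickets": lambda a: f"2 tickets matching {a['query']!r}",
    "refund_order": lambda a: f"refunded {a['amount']} on {a['order_id']}",
    "delete_account": lambda a: f"deleted {a['account_id']}",
}


def validate_args(spec: ToolSpec, args: Dict[str, Any]) -> Optional[str]:
    """Schema check on model-produced arguments: reject extra, missing and mistyped parameters."""
    unexpected = set(args) - set(spec.params)
    if unexpected:
        return f"unexpected parameters {sorted(unexpected)}"
    missing = set(spec.params) - set(args)
    if missing:
        return f"missing parameters {sorted(missing)}"
    for name, typ in spec.params.items():
        if not isinstance(args[name], typ):
            return f"parameter {name!r} must be {typ.__name__}"
    return None


def authorize(principal: Principal, call: ToolCall,
              approver: Callable[[Principal, ToolCall], bool]) -> Tuple[bool, str]:
    """Deterministic decision made outside the model, in the order a reviewer
    would expect: existence, identity permission, schema, then human approval."""
    spec = TOOLS.get(call.tool)
    if spec is None:
        return False, "unknown tool"
    if call.tool not in principal.allowed_tools:
        return False, "tool not permitted for principal"
    err = validate_args(spec, call.args)
    if err:
        return False, err
    if spec.requires_approval and not approver(principal, call):
        return False, "approval denied"
    return True, "allowed"


def run_agent(principal: Principal, planner: Callable[[], List[ToolCall]],
              approver: Callable[[Principal, ToolCall], bool],
              max_steps: int = 5) -> List[Tuple[str, bool, str]]:
    """Agentic loop with a hard step budget. Returns an audit trail of
    (tool, allowed, reason) for every proposed call, executing only allowed ones."""
    audit: List[Tuple[str, bool, str]] = []
    for step, call in enumerate(planner()):
        if step >= max_steps:
            audit.append((call.tool, False, "step budget exhausted"))
            break
        allowed, reason = authorize(principal, call, approver)
        if allowed:
            reason = EXECUTORS[call.tool](call.args)
        audit.append((call.tool, allowed, reason))
    return audit


# Constructed sample: a support agent and the calls a planner LLM might propose.
SUPPORT_AGENT = Principal("alice", frozenset({"search_tickets", "refund_order"}))


def sample_plan() -> List[ToolCall]:
    return [
        ToolCall("search_tickets", {"query": "late delivery"}),
        ToolCall("refund_order", {"order_id": "A-1", "amount": 25.0}),
        ToolCall("refund_order", {"order_id": "A-2", "amount": 500.0}),
        ToolCall("delete_account", {"account_id": "u-9"}),
        ToolCall("refund_order", {"order_id": "A-3", "amount": "10"}),
        ToolCall("search_tickets", {"query": "x", "limit": 10}),
    ]


def approve_small_refunds(principal: Principal, call: ToolCall) -> bool:
    """Stand-in for a human approver: auto-approve refunds up to 50, decline the rest."""
    return call.args.get("amount", 0) <= 50


if __name__ == "__main__":
    for entry in run_agent(SUPPORT_AGENT, sample_plan, approve_small_refunds):
        print(entry)
```

Each stage of the gate is exercised by one proposed call: the first search and the small refund go through, the large refund is stopped by the approver, the account deletion is outside the principal's allow-list, the refund with a string amount fails schema validation, and the sixth call is never evaluated because the step budget is spent. All of these decisions are made by ordinary code, independent of the model's reasoning, which is the point of implementing security outside the LLM.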

Key Takeaways

  • Security for AI workloads must be implemented outside the LLM, as the models themselves are not designed for security.
  • Careful management of data sources, permissions, and tool/agent access is critical to prevent unauthorized access or data leakage.
  • A defense-in-depth approach using a combination of deterministic controls and non-deterministic AI-based security is necessary.
  • Identity and authorization are foundational to securing all aspects of the AI application architecture.

Resources

  • The presenters provided several QR codes linking to blog posts, reference architectures, and over 100 AWS re:Invent sessions on AI security.
