NSS Labs outlines a runtime and governance framework for enterprise AI security
Two NSS Labs papers argue that enterprise AI security evaluations should extend beyond model protection to runtime guardrails, governance, and auditable controls around data, tools, and permissions, with buyer questions and warning signs.
Research Overview
In March, NSS Labs published a two-part enterprise AI security white paper series focused on how organizations should evaluate protections for production deployments.
The first paper frames enterprise risk as arising from the system surrounding AI models, while the second presents an evaluation approach with questions, warning signs, and comparison criteria for buyers.
Key Findings
NSS Labs says securing only the model does not cover the main risks seen in real deployments, where exposure can come from inputs, tool access, delegated permissions, and governing policies.
The series emphasizes runtime guardrails as the controls that enforce policy, constrain access, mediate tool use, reduce data leakage, and create evidence for security and governance teams.
Technical Breakdown
The first paper analyzes enterprise AI security through categories that include input integrity, output risk, resilience, policy governance, agentic behavior, observability, and GRC.
These areas cover how systems manage what the AI can access and do, along with what monitoring and reporting are available when behavior deviates from policy.
Operational Impact
Across the series, NSS Labs links AI security with governance requirements such as the ability to explain controls, test them, monitor and tune them, and support audit processes.
The papers describe an operational expectation to track decisions, identify which policy triggered them, record accessed data and invoked tools, and verify that authority remains constrained.
Leadership Perspective
NSS Labs presents the buyer evaluation framework as a way to distinguish disciplined controls from demonstrations that address narrow success cases.
The organization also states that AI security evaluation standards have not kept pace with product movement, and it characterizes its ongoing work as defining how controls should be evaluated and tested independently.
Overall, the series directs enterprise buyers toward runtime guardrails and governance-oriented evidence when assessing AI security controls for production environments, and this “Blog Signals brief” is a fact-based summary of the vendor blog.