Runtime.

Why this dimension matters

Runtime is operational AI security. Rate limiting, monitoring, isolation, incident response, and audit logging. The Posture Check measures these five controls because they collectively determine whether your AI deployments can be operated safely at production scale, observed when things go wrong, and recovered from incidents. This dimension maps to OWASP LLM06 (Excessive Agency), LLM10 (Unbounded Consumption), and the Manage function of NIST AI RMF. Runtime is the dimension where SOC and SecOps teams have the most direct contribution: AI-specific detection content, AI-aware IR playbooks, and AI usage telemetry feeding the SIEM. Weak runtime scores often correlate with strong governance scores: the policy is right but the operational reality has not caught up.

Posture Check questions for runtime

1. Do you have rate limiting on AI API calls to prevent abuse?
   • 0 No rate limiting
   • 1 Identified the gap
   • 2 Partial rate limiting
   • 3 Comprehensive rate limiting with abuse detection
2. Do you have monitoring and alerting for unusual AI usage patterns (volume spikes, jailbreak attempts, sensitive data leakage)?
   • 0 No monitoring
   • 1 Identified the need
   • 2 Partial monitoring
   • 3 Comprehensive monitoring with documented response
3. Are AI deployments isolated such that compromise of one does not affect others?
   • 0 No isolation
   • 1 Identified the need
   • 2 Partial isolation
   • 3 Strong isolation with tested boundary controls
4. Do you have an incident response plan specifically for AI-related security incidents?
   • 0 No specific plan
   • 1 Generic IR plan covers it
   • 2 AI-specific plan in development
   • 3 AI-specific IR plan tested in tabletop
5. Do you have audit logging on AI usage for compliance and forensics?
   • 0 No logging
   • 1 Identified the need
   • 2 Partial logging
   • 3 Comprehensive logging with retention aligned to compliance