AI Runtime Security
Create Model Groups for Customized Protections
Table of Contents
Create Model Groups for Customized Protections
Create
Model Groups
to group the AI models to apply specific App protection,
AI model protection, and AI data protection.This page helps you to create
Model Groups
to group the AI models to apply
specific application protection, AI model protection, and AI data protection. You can
add a model group to an existing AI security profile or a new AI security profile.
Where Can I Use This? | What Do I Need? |
|---|---|
|
- Log in to Strata Cloud Manager (SCM).
- SelectManage→ Configuration→ NGFW and Prisma Access→ Security Services→ AI Security→ Add Profile.
- SelectAdd Model Group.The security profile has a default model group defining the behavior of models not assigned to any specific group. If a supported AI model isn't part of a designated group, the default model group’s protection settings will apply.
![]()
- Enter aName.
- Choose the AI models supported by the cloud provider in theTarget Modelssection. SeeAI Models on Public Clouds Support Tablelist for reference.
- Set theAccess ControlasAlloworBlockfor the model group.When you select theAllowaccess control, you can configure the protection settings for request and response traffic.When you block the access control for a model group, the protection settings are also disabled. This means any traffic to this model will be blocked for this profile.
- Configure the followingProtection Settingsfor theRequestandResponsetraffic:RequestResponseAI Model Protection-Enable Prompt injection detectionand set it to Alert or BlockN/AAI Application Protection- Set the defaultURL securitybehavior to Allow, Alert, or BlockAI Application Protection- Set the defaultURL securitybehavior to Allow, Alert, or BlockAI Data Protection- Select the predefined or customDLP rules.AI Data Protection- Select the predefined or customDLP rules.The URL filtering monitors the AI traffic passing to AI data by monitoring the model request, and response payloads.You can also copy and import request and response configurations for the common protection settings including AI application protection and AI data protection.
- SelectAddto create the model group and add this security profile toSecurity Profile Groups.
- SelectManage > Operations > Push Configand push the security configurations for the security rule from SCM toAI Runtime Securityinstance.As the user interacts with the app, and the app makes requests to an AI model, the AI security logs are generated for each one of these policy rules. Check the specific logs in the AI Security Report under AI Security Log Viewer.
Edit Model Groups
- In AI Security profile, select aModel group.
- Update theTarget Modelsin a model group.Each model can only be associated with a unique model group. Select the AI models from the AWS, Azure, and GCP cloud providers. Refer to AI Models on Public Clouds Support Table for a complete list of supported public cloud provider pre-trained models.Select theModel Namefrom the available models.
- Updateto save the model group changes.You can then add this security profile with customized model group protections to a security profile group.What’s Next: Configure theSecurity Profile Groupsand add the AI Security profile to the profile group. You can then attach this profile group to a security policy rule.