Identity
Non-human identity management matters as much as human identity. Every agent, integration, MCP server has an identity. Centralize management. Rotate secrets. Revoke when retired.
Data Access
Least privilege everywhere. Agents access only what they need. Audit quarterly. Field-level security tightening. Data classification driving access policy.
Audit
Every AI interaction logs. Centralized SIEM aggregation. Retention per compliance. Anomaly detection. The audit posture is often the difference between caught-in-hours and caught-in-weeks.
Incident Response
Playbooks specifically for AI incidents. Kill-switch for agents. Data exfiltration response procedures. Communication plans. Tabletop exercises. Don’t wing it.