ai · security · skills

For the AI Security Engineer

Who contains a rogue agent when the board asks?

The pipeline engineer ships the model. You secure what it can do once it runs.

Prompt injection, agent tool-scope, poisoned training data, a silent model swap — none of that is a lint rule.

When the board asks who contains a rogue agent, this is the role that answers.

26 controls

across 5 skill groups — secure the model, attack it before they do, contain the agent, guard the runtime, defend the training data — are the ones this role owns on the CSA spine.

the Track 2 reskilling master list — authored persona attribution over AICM v1.1.0

You are not replacing the SOC or the AppSec pipeline. You are the net-new discipline those roles cannot fold into.

The path is a mastery climb on the controls you own: direction, not a complete how-to, proved on a live app when the guard is fitted.

What do I reskill into — and how do I prove it before production trusts me?

Own the model-security controls. Attack them first. Contain the agent. Prove the fitted guard.

Three beats: the skill groups you own, the fence with DevSecAIOps, and the prove.

Your curriculum

Five skill groups on the controls you own.

Secure the model, attack it before they do, contain the agent, guard the runtime, defend the training data — each group rolls up the AICM controls attributed to this role.

13 of those controls also gate the org’s autonomy climb (Model Security). Closing them is how you keep adoption from outrunning governance.

The application / DevSec track those controls land on →

The fence

Pipeline is theirs. Model and agent are yours.

DevSecAIOps owns the gates that catch AI failure modes in CI. You own adversarial ML, prompt differentiation, agent boundaries, model integrity, and training-data defense.

Compliance maps the regimes; you do not absorb their register work. Practitioner hunts and responds; you harden what they hunt against.

See the pipeline gates (the other side of the fence) →

The prove

Fit a guard. Measure it. Then trust it.

A shipped children’s-app guard caught just over half of its own attack classes; fitted to them, all of them — held-out included. That is the prove beat for this discipline.

Modeled on a fixed corpus, every number labeled — direction you can reproduce, not a black-box cert.

The StoryBond prove — fitted, modeled, held-out →

Your reskilling list

26 controls have your name on them.

The groups from the story above, now control by control, with the gate marked.

1 to build · 8 to coordinate with a provider · 17 to verify, not build. Nobody reskills for what the provider already owns.

Secure the model

8 controls · 8 gate the climb

Attack it before they do

5 controls · 3 gate the climb

Contain the agent

5 controls

Guard the runtime

4 controls · 2 gate the climb

Defend the training data

4 controls

This is the same spine the assessment reads. Run the function diagnostic and every gap in its answers lands here: the named skill, the group it belongs to, and who learns it.

Run the diagnostic. Your gaps land on this list →

53% → 100% catch on a fitted guard.

26 controls on your primary list; prove on StoryBond before the pipeline trusts the gate.

See the skills this role ownsRead the StoryBond prove
Every number above has a method page behind it: each piece opened up as inputs → mechanism → outputs, with provenance — and the deeper tables named, content owner-gated.The method, piece by piece →

Not your role?

Each role has its own way in. Here is where the others start.