Reskill · DAT
Data Security
Someone pasted a customer record into a prompt, and your DLP never saw it leave.
What an AI reads and writes is a data flow your controls do not watch yet.
Start with these skills
- Encrypt AI data in transit and at rest
- Choose and defend the encryption algorithms in use
- Manage encryption changes without breaking service
- Weigh encryption changes by risk and cost
- Assess encryption risk where AI concentrates data
The rung you have to reach
Data Security
Managing the security, privacy and ownership of data across the AI service supply chain and deployment types (self-hosted, PaaS, API/SaaS). Includes provenance, lineage, input/output sanitization, privacy, and security controls. Focuses on training data, RAG, vector data stores, inference output and other data repositories and workflows used in AI models and applications.
L1 · Initial
AI data repositories (training data, vector stores, RAG sources) rely on general-purpose data security controls. No differentiation between AI and other data assets. Data provenance for training and fine-tuning for self-trained models not tracked. Vector databases deployed with default access controls. No validation of data sources used for grounding or retrieval.
L2 · Repeatable
AI-specific data risks identified (poisoning, RAG leakage). Training and fine-tuning data sources documented for critical models. Basic access controls on vector databases. Basic validation (source approval, format checks) for external sources used in RAG. Sensitive data handling requirements documented for AI contexts but inconsistently applied.
L3 · Defined
AI data security requirements documented by data type (training, fine-tuning, RAG, embeddings). Data ingestion restricted to approved, documented sources with format validation before use. Vector databases use tenant or application isolation to prevent cross-context access. Sensitive data filtering applied to training and grounding sources (e.g. PII scanning). Initial data versioning for critical AI systems.
L4 · Capable
Data sources and transformations documented and auditable for production AI systems. Automated data validation integrated into AI pipelines where applicable. Permission-aware retrieval implemented for RAG tool calls (query results filtered based on user access to source data). Comprehensive data versioning with ability to trace data changes over time.
L5 · Efficient
Data lineage integrated with model inventory for end-to-end traceability (for training). Permission-aware retrieval standard across RAG deployments. Scanning for detection of potential data poisoning or adversarial patterns in training/RAG. AI data security controls updated proactively as new attack vectors emerge.
our model · calibrated to SAE J3016
Your syllabus
The plays that climb the rung.
Policy / DPIA drafting & mapping
Draft privacy and AI-impact assessments and policies; map them to the obligations they serve.
Moves: Drafting time per assessment ↓
Show the exact control IDs (for your security & GRC team)
L2 DSP-09, DSP-01, DSP-17 · L3 GRC-15, DSP-08, LOG-16 · L4 LOG-12, IAM-18
Autonomy must not outrun maturity. The gate holds each rung until its controls are evidenced. The gate framework: eight gates, three lanes →