Start here
Using AI safely at work
The short version, in plain English. A starting point, not your company’s policy.
- Keep private things private. Don’t paste customer data, personal details, passwords, or anything you wouldn’t email outside the company into an AI tool that isn’t approved for it.
- Treat answers as a draft, not a fact. AI can sound confident and still be wrong. Check before you act on it or send it on.
- Watch what you paste in. Text from an email, web page, or document can carry hidden instructions the AI will follow. Don’t feed it untrusted content without a reason.
- If the AI can do things, slow down. When a tool can send, post, buy, or change records on its own, confirm before it acts.
Not sure if something’s allowed? Ask it in plain English →·When in doubt, check with your security team.
Heads up: from 2026, EU rules expect anyone who uses AI at work to have had basic AI training. If you have not, ask for it.
The reference tags on the cards below (like “OWASP LLM01”) are for your security team. You can ignore them.
AI tricked into ignoring its rules
Prompt injection
What could go wrong
An attacker hides instructions inside the input — directly or via a document the AI reads — and gets the AI to act against its own policy.
Your part
Be careful pasting text from untrusted emails, web pages, or documents into an AI tool. It can carry hidden instructions the AI will follow.
Owner
Shared — both sides hold a piece
Fitted control
Input + output guardrails: a classifier on the way in, a policy filter on the way out, and an attack-class corpus the guard is fitted to.
OWASP LLM01MITRE ATLAS AML.T0051
Autonomy note · AI-CMM tie
Risk widens as the AI gains tool scopes — a hijacked prompt at L4 (Autonomous) can act on real systems.
AI coaxed into revealing its secret instructions
System-prompt leakage
What could go wrong
The hidden instructions that shape the AI’s behaviour — and any keys, policies, or scopes embedded with them — get exposed to the user.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Shared — both sides hold a piece
Fitted control
Extraction detection on outputs + the working assumption that the system prompt will eventually leak (no secrets in it).
OWASP LLM07MITRE ATLAS AML.T0054
AI talked past its safety limits
Jailbreak
What could go wrong
Role-play, scenario-build, or character framing convinces the AI to produce content its own safety rules would refuse.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Shared — both sides hold a piece
Fitted control
Same guardrail stack as prompt injection — fitted against a corpus of jailbreak attack classes, with regression on a held-out set.
OWASP LLM01
What could go wrong
Customer data, code, secrets, or personal information passed into a prompt or surfaced via retrieval ends up in another user’s output.
Your part
Don’t put customer data, secrets, or personal information into an AI tool that isn’t approved for it.
Owner
Shared — both sides hold a piece
Fitted control
Data-loss prevention on inputs + output filtering for PII/secrets + tenant-scope checks on retrieval.
Status
Control defined · skill in progress
OWASP LLM02EU AI Act Art. 10
Training data tampered to corrupt behaviour
Data and model poisoning
What could go wrong
An attacker plants malicious or biased data in the training set — or in the RAG corpus — so the deployed model behaves the way they want.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Shared — both sides hold a piece
Fitted control
Data-governance + provenance gate: every dataset has a documented source, integrity check, and acceptance review before it touches a model.
Status
Control defined · skill in progress
OWASP LLM04MITRE ATLAS AML.T0010NIST MAP-2
What could go wrong
A model, library, or dataset pulled from a public registry ships with a vulnerability or hidden backdoor that lands in your app at build time.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Deployer — yours to own end-to-end
Fitted control
Software-composition analysis on every dependency + an AI-BOM extending SBOM to models, datasets, prompts, and tools.
OWASP LLM03
What could go wrong
An AI coding assistant emits an `import` of a package that doesn’t exist — an attacker registers that exact name and ships a malicious payload.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Deployer — yours to own end-to-end
Fitted control
Hallucinated-dependency gate in CI: every new package is verified to exist with adequate age, downloads, and reputation before it’s allowed into the lockfile.
OWASP LLM03
Autonomy note · AI-CMM tie
Risk scales with AI authoring volume — an L3 copilot writes hundreds of imports per week.
What could go wrong
The training or RAG data is wrong, stale, or unrepresentative — the model speaks fluently and is just confidently wrong.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Deployer — yours to own end-to-end
Fitted control
Data-quality controls: source-of-truth definition, freshness SLA, representativeness audit, and a feedback loop from production back to the corpus.
Status
Control defined · skill in progress
NIST MAP-2NIST MEASURE-2.11
An AI agent does more than it should
Excessive agency
What could go wrong
An AI agent given a tool, an API key, or a deployment scope takes actions outside its intent — sends emails, modifies data, calls paid APIs at scale.
Your part
If a tool can act on its own (send, post, buy, or change records), confirm before you let it.
Owner
Deployer — yours to own end-to-end
Fitted control
Least-privilege tool scopes + approval gates on irreversible actions + a kill switch the SOC can flip without a redeploy.
OWASP LLM06NIST MANAGE-2.4
Autonomy note · AI-CMM tie
This IS the autonomy frontier. Each AI-CMM rung up means a narrower scope per action and a louder attestation trail.
Runaway cost, denial of wallet
Unbounded consumption
What could go wrong
A loop, a prompt-injection-driven cascade, or a malicious user runs the inference bill into the ground before anyone notices.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Deployer — yours to own end-to-end
Fitted control
Rate + cost guardrails on every model endpoint, alerting on cost-anomaly, and a hard ceiling per tenant per window.
Status
Control defined · skill in progress
OWASP LLM10
What could go wrong
Operators trust the AI’s output reflexively — a wrong recommendation, an unsafe action, or a fabricated fact ships because the human in the loop has stopped being one.
Your part
Keep checking the AI’s work. Treat answers as a draft, and don’t let it make important calls unchecked.
Owner
Deployer — yours to own end-to-end
Fitted control
Human-oversight design: review thresholds tiered by risk, mandatory rationale on approvals, anti-rubber-stamp UI patterns.
Status
Control defined · skill in progress
EU AI Act Art. 14NIST MANAGE-2.3
What could go wrong
Attacker-controlled content reaches the agent’s planning loop, not just a single response, so the agent re-plans toward the attacker’s objective across several tool calls before anyone notices.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Shared — both sides hold a piece
Fitted control
Input validation + prompt differentiation on every planning step, not only the first turn, so a manipulated instruction can’t ride along inside a later observation.
OWASP LLM01CSA AICM AIS-09CSA AICM AIS-15
Autonomy note · AI-CMM tie
The gate exists for exactly this: as autonomy climbs past L2 (Assisted), a manipulated goal has more steps to compound before a human sees it.
What could go wrong
An attacker plants false or malicious content in the store an agent treats as ground truth, so future decisions build on a poisoned foundation instead of a single bad output.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Shared — both sides hold a piece
Fitted control
Poisoning detection + integrity checks on the memory/RAG store, with behavioral baselining to catch the drift once poisoned content starts steering actions.
CSA AICM DSP-21CSA AICM DSP-23
Autonomy note · AI-CMM tie
A persistent memory store is itself a feature of higher autonomy; the gate ties memory-write access to the same tier review as a tool scope.
What could go wrong
An agent holding a broad tool scope deletes, overwrites, or transfers something outside its intended task, and no approval gate catches it before the action lands.
Your part
If an AI agent asks to act on your behalf (send, post, buy, delete), confirm before it does. Don’t approve a blanket “always allow.”
Owner
Deployer — yours to own end-to-end
Fitted control
Least-privilege scopes + a policy-enforcement point on every tool call + human approval on anything irreversible, re-checked continuously rather than granted once.
OWASP LLM06CSA AICM AIS-11CSA AICM IAM-05
Autonomy note · AI-CMM tie
This IS the gate: autonomy tier and tool scope must move together, or a wider scope silently ships with the next capability upgrade.
What could go wrong
An agent — or an attacker steering it — alters, deletes, or omits the log entries that would reveal an unauthorized action, or routes around a control it knows is being watched.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Shared — both sides hold a piece
Fitted control
Tamper-evident logging with alerting on gaps or edits + mutual authentication between agents so a spoofed peer can’t feed a false audit trail.
CSA AICM LOG-03CSA AICM LOG-05
Autonomy note · AI-CMM tie
Detection depends on trusting the log; the gate requires the logging layer to sit outside the agent’s own write scope.
What could go wrong
A looping agent, a runaway sub-agent spawn, or an attacker-triggered cascade consumes compute, API budget, or rate limit until the system degrades for everyone else.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Deployer — yours to own end-to-end
Fitted control
Capacity and resource planning with hard per-agent ceilings + behavioral baselining that quarantines an agent the moment its consumption pattern breaks from normal.
OWASP LLM10CSA AICM I&S-02
Autonomy note · AI-CMM tie
Cost and capacity ceilings should tighten, not loosen, with autonomy tier until the gate confirms the agent’s consumption pattern is understood.
AI treats groups unfairly
Bias and discrimination
What could go wrong
The model performs differently for different groups defined by protected attributes — denying access, mispricing risk, or scoring outcomes unevenly.
Your part
Don’t rely on AI alone for decisions about people, like hiring, credit, or access. A human should review.
Owner
Deployer — yours to own end-to-end
Fitted control
Fairness metric selection + disparate-impact tests + training-data representation audit; intersectional checks, not just single-axis.
NIST MEASURE-2.11EU AI Act Art. 10
What could go wrong
A model affects a person and neither the operator nor the affected person can say why — a regulator, a court, or the press asks and there is no answer.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Deployer — yours to own end-to-end
Fitted control
Explainability instrumentation (SHAP / LIME for the model type) + a versioned model card + a user-facing explanation path.
EU AI Act Art. 13NIST MEASURE-2.8
What could go wrong
The model invents a citation, a name, a number, or a fact — and presents it with the same tone as something it actually retrieved.
Your part
AI can state false things confidently. Verify facts before you act on them or pass them on.
Owner
Shared — both sides hold a piece
Fitted control
Retrieval grounding on high-impact paths + a faithfulness check that scores each claim against the cited source.
OWASP LLM09NIST MEASURE-2.7
What could go wrong
A persuasive AI persona steers a vulnerable user toward a financial, emotional, or political decision they would not have made on their own.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Deployer — yours to own end-to-end
Fitted control
Human-oversight design for vulnerable-user contexts + a contestation and appeal mechanism that actually reverses decisions when warranted.
Status
Control defined · skill in progress
EU AI Act Art. 5NIST AI 100-1 (Harm to People)
Personal data mishandled by AI
Privacy / PII exposure
What could go wrong
Personal data is collected, used for training, retained, or revealed in a way that breaks the lawful basis or the data-minimisation expectation.
Your part
Don’t put people’s personal data into AI tools that aren’t approved to handle it.
Owner
Deployer — yours to own end-to-end
Fitted control
DPIA scoped to the ML pipeline + data-minimisation at every stage + a retention regime that survives the model lifecycle.
GDPR Art. 35DPDP Act 2023EU AI Act Art. 26
What could go wrong
An embedded AI feature inside a SaaS tool — or a model API from a third party — handles your data, your decisions, or your customers, and the regulator still asks you, not them.
Your part
Owned by your security team, not a day-to-day habit for you.
Owner
Deployer — yours to own end-to-end
Fitted control
Vendor due diligence (Art. 28 DPA + AI-CAIQ) + cert acceptance with explicit gap notes + an inventory + toggle of every embedded AI feature.
EU AI Act Art. 25CSA AICM (SSRM)
What could go wrong
The law moves under you — EU AI Act, ISO 42001, sector rules — and last quarter’s posture no longer satisfies this quarter’s audit.
Your part
When you’re unsure whether an AI use is allowed, ask before you do it.
Owner
Deployer — yours to own end-to-end
Fitted control
Framework crosswalk maintained as living documentation + an assurance cadence that produces evidence on demand, not in a pre-audit scramble.
EU AI ActISO/IEC 42001
What could go wrong
Employees adopt consumer AI tools at speed; sensitive content flows into them daily; the org has no inventory, no policy, and no training plan.
Your part
Use the AI tools your company has approved, and ask before bringing in a new one.
Owner
Deployer — yours to own end-to-end
Fitted control
Discovery of embedded + adopted AI features + a literacy programme (EU AI Act Art. 4 obligation) + an IDE / DLP control on the assistant traffic itself.
EU AI Act Art. 4