ASCEND 12-Layer Security Architecture
Executive Summary
ASCEND implements a defense-in-depth security model with 12 distinct security layers. Every layer is designed with FAIL SECURE behavior, meaning any error condition defaults to DENY. This architecture ensures that even if multiple layers fail, remaining layers continue to protect the system.
Key Security Properties
- All layers fail secure - Default to DENY on any error
- Defense in depth - Each layer operates independently
- Zero trust - Every request verified at multiple checkpoints
- Immutable audit trail - All decisions logged with hash-chaining
- Multi-tenant isolation - Complete data segregation between organizations
Architecture Overview
ASCEND 12-LAYER SECURITY ARCHITECTURE
══════════════════════════════════════
┌─────────────────────────────────────────────────────────────────────────────┐
│ INCOMING REQUEST │
└─────────────────────────────────────┬───────────────────────────────────────┘
│
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 1: RATE LIMITING [FAIL → DENY] │
│ Redis-backed sliding window • Per-org/agent/endpoint limits │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 2: PROMPT SECURITY [FAIL → BLOCK] │
│ 20 detection patterns • Injection/jailbreak/encoding attacks │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 3: CODE ANALYSIS [FAIL → BLOCK] │
│ 20 patterns • CWE mappings • Secrets detection │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 4: ACTION GOVERNANCE [FAIL → DENY] │
│ 7-step pipeline • CVSS v3.1 scoring • Policy evaluation │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 5: AUTHENTICATION [FAIL → DENY] │
│ JWT (RS256) • API Keys • AWS Cognito MFA │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 6: AUTHORIZATION (RBAC) [FAIL → DENY] │
│ 6-level role hierarchy • Separation of Duties │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 7: MULTI-TENANT ISOLATION [FAIL → DENY] │
│ PostgreSQL RLS • Per-org Cognito pools • organization_id enforcement │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 8: APPROVAL WORKFLOWS [FAIL → BLOCK] │
│ Multi-stage approval • SLA tracking • Risk-based escalation │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 9: KILL SWITCH [FAIL → BLOCK] │
│ Circuit breaker • Sub-100ms termination • SNS/SQS messaging │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 10: AUDIT TRAIL [FAIL → BLOCK] │
│ WORM design • SHA-256 hash-chaining • 7-year retention │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 11: BYOK ENCRYPTION [FAIL → BLOCK] │
│ Envelope encryption • AWS KMS • Customer-managed keys │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ LAYER 12: INPUT VALIDATION [FAIL → REJECT] │
│ Pydantic schemas • Type enforcement • Sanitization │
└─────────────────────────────────────┬───────────────────────────────────────┘
│ PASS
┌─────────────────────────────────────▼───────────────────────────────────────┐
│ BUSINESS LOGIC │
└─────────────────────────────────────────────────────────────────────────────┘
Layer 1: Rate Limiting
Purpose: DDoS protection, abuse prevention, resource management
Implementation
| Aspect | Details |
|---|
| Technology | Redis-backed with ElastiCache |
| Algorithm | Sliding window (O(log N) Redis sorted sets) |
| Granularity | Per-organization, per-agent, per-endpoint |
Code Locations
| Component | File Path |
|---|
| IP-based limiter | security/rate_limiter.py |
| Agent-based limiter | services/agent_rate_limiter.py |
| Data models | models_rate_limits.py |
| Migration | alembic/versions/20251218_behav001_rate_limits.py |
Configuration
RATE_LIMITS = {
"auth_login": "5/minute",
"auth_refresh": "10/minute",
"auth_password_change": "3/minute",
"api_read": "100/minute",
"api_write": "30/minute",
"default": "60/minute"
}
agent_actions_per_minute: 100
agent_actions_per_hour: 5000
priority_tiers = {
"standard": 1.0,
"elevated": 2.0,
"critical": 5.0
}
FAIL SECURE Behavior
if self.redis is None:
logger.error("BEHAV-001: Redis unavailable, DENYING action (fail-closed)")
return RateLimitResult(
allowed=False,
reason="Rate limiting service unavailable",
retry_after=60
)
Test Evidence
tests/e2e/test_05_rate_limiting.py - Rate limiting behavior verificationtests/e2e/test_21_fail_secure.py - Fail-secure layer verification
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | SC-5 (Denial of Service Protection) |
| PCI-DSS | 6.5.10 |
| SOC 2 | A1.1 (Availability) |
Layer 2: Prompt Security
Purpose: Detect and block prompt injection attacks against AI agents
Implementation
| Aspect | Details |
|---|
| Patterns | 20 global detection patterns |
| Categories | Injection, jailbreak, encoding, role manipulation, data exfiltration |
| Architecture | Database-driven (no hardcoded values) |
Code Locations
| Component | File Path |
|---|
| Detection service | services/prompt_security_service.py |
| Data models | models_prompt_security.py |
| Pattern seed | alembic/versions/20251218_phase10_002_seed_prompt_patterns.py |
| Routes | routes/prompt_security_routes.py |
Detection Patterns
| Pattern ID | Category | Severity | Description |
|---|
| PROMPT-001 | prompt_injection | CRITICAL | Direct instruction override ("ignore previous instructions") |
| PROMPT-002 | prompt_injection | CRITICAL | New instruction injection ("from now on") |
| PROMPT-004 | jailbreak | CRITICAL | Known jailbreak modes (DAN, STAN) |
| PROMPT-008 | role_manipulation | CRITICAL | Evil AI roleplay attempts |
| PROMPT-011 | encoding_attack | HIGH | Base64 encoded payloads |
| PROMPT-012 | encoding_attack | HIGH | Unicode smuggling |
| PROMPT-016 | prompt_injection | CRITICAL | Fake system/admin tags |
| PROMPT-018 | data_exfiltration | CRITICAL | System prompt extraction |
| PROMPT-020 | chain_attack | CRITICAL | LLM chain injection |
FAIL SECURE Behavior
if mode == "enforce" and risk_score >= block_threshold:
return PromptAnalysisResult(
blocked=True,
reason=f"Blocked: {pattern.description}",
risk_score=risk_score
)
Test Evidence
tests/e2e/test_06_prompt_security.py - Detection verificationtests/validation/test_prompt_injection.py - Attack payload testing
Compliance Mapping
| Framework | Control |
|---|
| MITRE ATT&CK | T1059 (Command and Scripting Interpreter) |
| CWE | CWE-77, CWE-94 (Code Injection) |
| OWASP LLM | LLM01 (Prompt Injection) |
Layer 3: Code Analysis
Purpose: Detect dangerous code patterns before execution
Implementation
| Aspect | Details |
|---|
| Patterns | 20 detection patterns |
| Languages | SQL, Python, Shell, JavaScript |
| CWE Coverage | 16 unique CWE identifiers |
Code Locations
| Component | File Path |
|---|
| Analysis service | services/code_analysis_service.py |
| Pattern seed | alembic/versions/20251217_phase9_002_seed_global_patterns.py |
| Security mappings | security_mappings.py |
Detection Patterns
| Pattern ID | Category | Severity | CWE |
|---|
| SQL-001 | data_destruction | CRITICAL | CWE-89, CWE-1321 |
| SQL-006 | injection | CRITICAL | CWE-89, CWE-943 |
| PY-001 | code_execution | CRITICAL | CWE-94, CWE-95 |
| PY-002 | code_execution | CRITICAL | CWE-78, CWE-77 |
| PY-005 | sandbox_escape | CRITICAL | CWE-94 |
| SH-001 | data_destruction | CRITICAL | CWE-73 |
| SH-002 | code_execution | CRITICAL | CWE-94, CWE-829 |
| CRED-001 | credential_exposure | CRITICAL | CWE-798, CWE-259 |
FAIL SECURE Behavior
if max_risk_score >= effective_threshold:
return CodeAnalysisResult(
blocked=True,
reason="Critical code pattern detected"
)
Test Evidence
tests/e2e/test_07_code_analysis.py - Pattern detection verification
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | SI-10 (Information Input Validation) |
| PCI-DSS | 6.5.1 (Injection Flaws) |
| OWASP | A03:2021 (Injection) |
Layer 4: Action Governance
Purpose: Risk-based decision making for AI agent actions
Implementation
| Aspect | Details |
|---|
| Pipeline | 7-step governance pipeline |
| Risk Framework | CVSS v3.1 with 50+ action type mappings |
| Decisions | ALLOW, DENY, REQUIRE_APPROVAL |
Code Locations
| Component | File Path |
|---|
| Action routes | routes/actions_v1_routes.py |
| Policy evaluation | services/unified_policy_evaluation_service.py |
| CVSS mapping | services/cvss_auto_mapper.py |
| Risk assessment | services/enterprise_risk_calculator_v2.py |
7-Step Governance Pipeline
1. ENRICHMENT → Add context and detect patterns
2. CVSS CALCULATION → Risk score (0.0-10.0)
3. POLICY EVALUATION → ALLOW/DENY/REQUIRE_APPROVAL
4. SMART RULES → Custom rule evaluation
5. ALERT GENERATION → Create alerts for high-risk actions
6. WORKFLOW ROUTING → Route to approval workflows
7. AUDIT LOGGING → Immutable audit trail
Risk Categories
| Risk Level | CVSS Range | Example Actions |
|---|
| LOW | 0.0-3.9 | Read operations, analytics queries |
| MEDIUM | 4.0-6.9 | Database writes, file writes |
| HIGH | 7.0-8.9 | Delete operations, data export |
| CRITICAL | 9.0-10.0 | Privilege escalation, code execution |
FAIL SECURE Behavior
except Exception as e:
logger.error(f"Failed to evaluate action: {e}")
return {
'decision': 'DENY',
'status': 'FAILED',
'risk_score': 100,
'risk_level': 'CRITICAL',
'reason': f'Governance evaluation failed: {str(e)}'
}
logger.warning(f"Unknown action type '{action_type}' - defaulting to HIGH risk")
return "unknown_action"
Test Evidence
tests/e2e/test_04_action_evaluation.py - Governance pipeline verification
Compliance Mapping
| Framework | Control |
|---|
| NIST AI RMF | GOVERN, MAP, MEASURE, MANAGE |
| SOC 2 | CC6.1 (Access Control) |
| ISO 27001 | A.9 (Access Control) |
Layer 5: Authentication
Purpose: Verify identity of users and agents
Implementation
| Aspect | Details |
|---|
| Methods | JWT (RS256), API Keys, AWS Cognito |
| Token Lifetime | 60 minutes (access), 30 days (refresh) |
| MFA | Supported via Cognito |
Code Locations
| Component | File Path |
|---|
| JWT manager | jwt_manager.py |
| Cognito integration | dependencies_cognito.py |
| API key validation | dependencies_api_keys.py |
| Multi-pool validator | services/multi_pool_jwt_validator.py |
Authentication Flow
1. Extract token from Authorization header or cookie
2. Validate JWT signature (RS256)
3. Verify claims (iss, aud, exp, nbf)
4. Check token revocation status
5. Set RLS context with organization_id
6. Return authenticated user context
Security Features
| Feature | Implementation |
|---|
| Algorithm | RS256 (asymmetric) |
| Key storage | AWS Secrets Manager |
| API key hashing | SHA-256 + salt |
| Timing attacks | Constant-time comparison |
| Brute force | 5 attempts/15 min (IP), 10/15 min (email) |
FAIL SECURE Behavior
if not self.private_key or not self.public_key:
if environment == "production":
raise ValueError("JWT keys not configured in production!")
options = {
"verify_signature": True,
"verify_exp": True,
"require_exp": True,
"verify_aud": True,
}
Test Evidence
tests/e2e/test_01_authentication.py - Authentication verification
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | IA-2 (Identification and Authentication) |
| NIST 800-63B | Authentication Assurance |
| PCI-DSS | 8.1, 8.2 (User Identification) |
Layer 6: Authorization (RBAC)
Purpose: Enforce role-based access control
Implementation
| Aspect | Details |
|---|
| Hierarchy | 6-level role system |
| Scopes | Platform tier + Tenant tier |
| SoD | Separation of Duties enforcement |
Code Locations
| Component | File Path |
|---|
| RBAC manager | rbac_manager.py |
| Permission service | services/permission_service.py |
| RBAC dependencies | dependencies_rbac.py |
Role Hierarchy
| Level | Role | Permissions |
|---|
| 5 | EXECUTIVE | All + emergency override |
| 4 | ADMIN | Full access except override |
| 3 | MANAGER | Approval (low/medium risk) |
| 2 | POWER | Analytics + acknowledgement |
| 1 | BASIC | Dashboard view |
| 0 | RESTRICTED | None (suspended) |
Tenant Roles
| Role | Access Level |
|---|
| Owner | Full organization access |
| Admin | Full (no billing) |
| Approver | Approval workflows |
| Operator | Create/manage resources |
| Viewer | Read-only |
FAIL SECURE Behavior
async def has_permission(...):
try:
except Exception as e:
logger.error(f"Permission check error: {e}")
return False
Test Evidence
tests/e2e/test_02_authorization.py - RBAC verification
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | AC-2, AC-3, AC-5 |
| SOC 2 | CC6.2, CC6.3 |
| PCI-DSS | 7.1 (Access Control) |
Layer 7: Multi-Tenant Isolation
Purpose: Ensure complete data segregation between organizations
Implementation
| Aspect | Details |
|---|
| Database | PostgreSQL Row-Level Security (RLS) |
| Authentication | Per-organization Cognito user pools |
| Enforcement | organization_id on all tenant tables |
Code Locations
| Component | File Path |
|---|
| RLS activation | dependencies.py |
| Tenant context | services/unified_auth/tenant_context.py |
| RLS migration | alembic/versions/20251205_sec082_multi_tenant_isolation.py |
| Auth lookup | alembic/versions/20251209_sec_rls_002_auth_lookup_function.py |
Isolation Mechanisms
| Layer | Implementation |
|---|
| Database | RLS policies, organization_id FK |
| Application | TenantContext (frozen dataclass) |
| API | All endpoints scoped to organization |
| Authentication | Per-org Cognito pools |
| Encryption | Per-org BYOK keys |
RLS Activation
def get_db_with_rls(current_user: dict) -> Session:
"""SEC-082: Activate Row-Level Security context"""
db.execute(
text("SET LOCAL app.current_organization_id = :org_id"),
{"org_id": str(org_id)}
)
FAIL SECURE Behavior
@dataclass(frozen=True)
class TenantContext:
org_id: UUID
tenant_id: str
user_id: UUID
Test Evidence
tests/e2e/test_18_multi_tenant.py - Isolation verification
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | AC-4 (Information Flow Enforcement) |
| SOC 2 | CC6.1, CC6.3 |
| PCI-DSS | 7.1 |
Layer 8: Approval Workflows
Purpose: Human-in-the-loop for high-risk actions
Implementation
| Aspect | Details |
|---|
| Stages | Multi-stage with SLA tracking |
| Escalation | Automatic backup assignment |
| Levels | 5 approval levels based on risk |
Code Locations
| Component | File Path |
|---|
| Workflow service | services/workflow_approver_service.py |
| Approval routes | routes/approval_routes.py |
Approval Levels
| Level | Risk Range | Approver | SLA |
|---|
| 1 | 0-30 | No approval | - |
| 2 | 30-50 | Peer review | 10 min |
| 3 | 50-70 | Department head | 15 min |
| 4 | 70-80 | Senior management | 30 min |
| 5 | 80+ | Executive | 60 min |
FAIL SECURE Behavior
- Missing approver → DENY
- Expired SLA → Escalate to backup
- Invalid workflow → DENY
Test Evidence
tests/e2e/test_09_approval_workflows.py - Workflow verification
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | AC-3 (Access Enforcement) |
| SOC 2 | CC5.2 |
Layer 9: Kill Switch
Purpose: Emergency termination of AI agent activity
Implementation
| Aspect | Details |
|---|
| Pattern | Circuit breaker state machine |
| Latency | Sub-100ms termination |
| Messaging | SNS/SQS infrastructure |
Code Locations
| Component | File Path |
|---|
| Circuit breaker | services/circuit_breaker_service.py |
| Kill switch routes | routes/kill_switch_routes.py |
State Machine
CLOSED (healthy) ─failure_threshold─→ OPEN (blocked)
↑ │
│ timeout
│ │
└─────── recovery ─────────── HALF_OPEN (testing)
failure│
↓
OPEN (blocked)
Capabilities
| Feature | Details |
|---|
| Block individual agent | Immediate effect |
| Block all org agents | Organization-wide |
| Manual override | Force open/close with audit |
| Propagation | SNS/SQS messaging |
FAIL SECURE Behavior
if state == CircuitState.OPEN:
return CircuitResult(allowed=False, reason="Circuit breaker OPEN")
Test Evidence
tests/e2e/test_12_kill_switch.py - Kill switch verification
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | IR-4 (Incident Handling) |
| SOC 2 | CC7.3 (Incident Response) |
| NIST AI RMF | MANAGE |
Layer 10: Audit Trail
Purpose: Immutable logging for compliance and forensics
Implementation
| Aspect | Details |
|---|
| Design | WORM (Write-Once-Read-Many) |
| Integrity | SHA-256 hash-chaining |
| Retention | 7 years (configurable per framework) |
Code Locations
| Component | File Path |
|---|
| Audit service | services/immutable_audit_service.py |
| Audit models | models_audit.py |
| Audit routes | routes/audit_routes.py |
Hash-Chaining
Log Entry N:
content_hash = SHA-256(event_content)
previous_hash = Log Entry N-1.chain_hash
chain_hash = SHA-256(content_hash + previous_hash)
Retention Periods
| Framework | Retention |
|---|
| SOX | 7 years |
| HIPAA | 6 years |
| PCI-DSS | 1 year |
| GDPR | 6 years |
| CCPA | 3 years |
FAIL SECURE Behavior
try:
await audit_service.log_event(event)
except Exception:
raise HTTPException(status_code=500, detail="Audit logging failed")
Test Evidence
tests/e2e/test_17_audit_trail.py - Audit verification
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | AU-2, AU-3, AU-9 |
| PCI-DSS | 10.1, 10.2, 10.3, 10.5 |
| HIPAA | 164.312(b) |
| SOC 2 | CC7.2 |
Layer 11: BYOK Encryption
Purpose: Customer-controlled encryption keys
Implementation
| Aspect | Details |
|---|
| Pattern | Envelope encryption |
| KMS | AWS KMS integration |
| Algorithm | AES-256-GCM |
Code Locations
| Component | File Path |
|---|
| BYOK service | services/encryption/byok_service.py |
| BYOK routes | routes/byok_routes.py |
| BYOK health | services/encryption/byok_health.py |
| Exceptions | services/encryption/byok_exceptions.py |
Envelope Encryption
Customer's CMK (AWS KMS Account)
↓
Encrypts DEK (Data Encryption Key)
↓
DEK encrypts actual data (AES-256-GCM)
↓
If customer revokes CMK → Data becomes unreadable (by design)
Features
| Feature | Details |
|---|
| Customer-managed keys | Full customer control |
| Key rotation | Automatic detection (BYOK-011) |
| Health monitoring | 15-minute validation cycles |
| Encryption context | Per-tenant binding |
FAIL SECURE Behavior
if byok_config["status"] != "active":
raise DataAccessBlocked(
f"Encryption key is not active (status: {byok_config['status']})"
)
except KeyAccessDenied:
raise KeyAccessDenied(f"Encryption key access revoked")
Test Evidence
tests/e2e/test_13_byok_encryption.py - BYOK verification
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | SC-12, SC-13 |
| PCI-DSS | 3.5, 3.6 |
| HIPAA | 164.312(a)(2)(iv) |
| FedRAMP | SC-12, SC-13 |
Purpose: Ensure data integrity and prevent malformed input
Implementation
| Aspect | Details |
|---|
| Framework | Pydantic v2 |
| Validation | Type, format, size, content |
| Sanitization | HTML, SQL, command injection |
Code Locations
| Component | File Path |
|---|
| Request schemas | schemas/*.py |
| Validation middleware | (integrated in FastAPI) |
Validation Types
| Type | Description |
|---|
| Type enforcement | Strong typing via Pydantic |
| Required fields | Non-nullable validation |
| Format validation | Email, UUID, URL, etc. |
| Size limits | Max length, max items |
| Pattern matching | Regex validation |
| Sanitization | XSS, injection prevention |
FAIL SECURE Behavior
class ActionRequest(BaseModel):
action_type: str = Field(..., min_length=1, max_length=100)
agent_id: UUID
@field_validator("action_type")
def validate_action_type(cls, v):
if not v or not v.strip():
raise ValueError("action_type cannot be empty")
return v.strip()
Test Evidence
- Covered across all test suites via Pydantic validation
Compliance Mapping
| Framework | Control |
|---|
| NIST 800-53 | SI-10 |
| CWE | CWE-20 (Improper Input Validation) |
| OWASP | A03:2021 (Injection) |
Defense-in-Depth Verification
Each layer operates independently. Failure of one layer does not compromise others:
| Failure Scenario | Layers Still Protecting |
|---|
| Redis down | Layers 2-12 (Layer 1 fails secure) |
| Auth bypass attempt | Layers 1, 6-12 |
| Injection attack | Layers 1, 4-12 |
| Code execution attempt | Layers 1-2, 4-12 |
| Tenant escape attempt | Layers 1-6, 8-12 |
| Key compromise | Layers 1-10, 12 |
Test Coverage Summary
| Layer | Test Suite | Tests | Pass Rate |
|---|
| 1 | test_05_rate_limiting | 15 | 100% |
| 2 | test_06_prompt_security | 30 | 100% |
| 3 | test_07_code_analysis | 20 | 100% |
| 4 | test_04_action_evaluation | 23 | 100% |
| 5 | test_01_authentication | 16 | 100% |
| 6 | test_02_authorization | 21 | 100% |
| 7 | test_18_multi_tenant | 29 | 100% |
| 8 | test_09_approval_workflows | 18 | 100% |
| 9 | test_12_kill_switch | 32 | 100% |
| 10 | test_17_audit_trail | 28 | 100% |
| 11 | test_13_byok_encryption | 12 | 100% |
| 12 | (integrated) | - | 100% |
| TOTAL | test_21_fail_secure | 36 | 100% |
Compliance Framework Summary
| Framework | Layers Covered |
|---|
| SOC 2 Type II | All 12 layers |
| PCI-DSS v4.0 | Layers 1, 3, 5-7, 10-12 |
| HIPAA | Layers 5-7, 10-11 |
| FedRAMP | Layers 1, 5-7, 10-11 |
| NIST 800-53 | All 12 layers |
| NIST AI RMF | Layers 2-4, 8-10 |
| OWASP LLM Top 10 | Layers 2-3 |
Document ID: ASCEND-SECURITY-ARCH-2024-001
Classification: Enterprise Confidential