A bank's risk team walks into a quarterly review with a clean Wiz dashboard. Zero critical posture findings across the AWS estate. No public S3 buckets. No unencrypted volumes. No overprivileged IAM roles. The CISO signs off. Two weeks later, an internal audit on the AI platform team finds that the production loan-decisioning workflow has been silently calling a different Claude model version than the one that passed the eval regression suite, the Bedrock guardrail with the PII-redaction policy was disabled three sprints ago to fix a latency complaint, and an agent in the same account is invoking the Bedrock Converse API against a foundation model the procurement-approved list does not include.
None of those findings showed up in Wiz. They were not supposed to. Cloud Security Posture Management was built to catch infrastructure misconfiguration, not AI workload misconfiguration. The controls that matter on a generative AI workload are a different control surface — one the leading CSPM vendors are extending into, slowly and unevenly, while the workloads themselves are now the largest line item on many cloud bills.
This is the gap. Naming it matters because the gap is what determines whether your AI posture is real or theatre. The category emerging to close it has a working name — AI-SPM, or AI Workload Posture Management — and the leading CNAPP vendors have announced their first iterations. Wiz now markets AI-SPM as a control plane across Bedrock, Azure OpenAI, and Vertex AI. Prisma Cloud's AI-SPM is generally available. Microsoft Defender for Cloud ships AI security posture management in preview, with discovery, threat protection, and an AI Bill of Materials. The category is moving. But the eight controls below are the ones that matter on a production AI workload, and most are not yet covered end-to-end by any single vendor. Enterprise teams that wait for the suites to converge will run that gap for the next eighteen to twenty-four months.
Key takeaways
- CSPM was built for IAM, network, encryption and storage primitives — not for the controls that decide whether a generative AI workload behaves the way it was approved to behave. A clean Wiz dashboard tells you nothing about model-version pinning, prompt-cache integrity, or eval-gate enforcement.
- Eight controls define a credible AI Workload Posture Management practice: model-version pinning, prompt-cache integrity, eval-gate enforcement, foundation-model egress posture, agent-action policy, training-data lineage, guardrail-configuration drift, and audit-trail completeness.
- Eval-gate enforcement is the single most consequential AI posture control today and the one CSPM vendors have least visibility into — the eval registry is application-layer state, where CSPM has historically not gone.
- The AIWPM architecture mirrors CSPM: four registries (model, prompt, eval, agent) as source of truth, a posture rule engine running rules-as-code, continuous dev-versus-prod drift detection, and audit-trail integration into the same SIEM pipeline as CSPM findings.
- AIWPM extends CSPM rather than replacing it. Posture tooling has always lagged new workload categories by 18-36 months — containers, Kubernetes, serverless all arrived ahead of their posture tooling. The teams that ran those workloads responsibly built their own controls in the interim, and AIWPM is the same play.
What CSPM does well, and where it stops
The traditional CSPM thesis is sound. The cloud control plane is a sprawling API. Human operators misconfigure it. Misconfiguration is the dominant root cause of cloud breaches. A tool that continuously reads the control plane, compares it to a known-good baseline, and flags drift is genuinely useful.
The thesis was infrastructure-first. The control surface was IAM, network, encryption, identity, and the storage and compute primitives. The vendors got very good at it. They added agentless workload scanning. They added attack-path analysis. They added IaC scanning to push posture left into Terraform and CloudFormation. The category matured into CNAPP, the cloud-native application protection platform.
Then generative AI workloads arrived. Inference traffic against foundation models became the largest single category of cloud API calls on many accounts. The control surface shifted underneath the CSPM thesis. The new control surface is model-level — model version, prompt configuration, guardrail policy, eval-gate state, agent-action policy, training-data lineage. CSPM rules read IAM and network. They do not, by default, read the AI-specific controls that determine whether the workload behaves the way it was approved to behave.
The eight controls CSPM does not yet read
These are the controls a credible AI Workload Posture Management practice needs to enforce continuously. None of them are theoretical. Each maps to a production incident I have seen or that has been publicly disclosed.
1. Model-version pinning
The model version that passed your eval suite is not necessarily the model version running in production tomorrow. Foundation-model providers ship silent rolling updates to aliased model IDs. A workload that calls anthropic.claude-3-5-sonnet without a date suffix gets whatever Anthropic ships under that alias. The behaviour changes. The eval regression that passed last week is now testing a different model.
The posture rule is straightforward: every production AI workload must call a pinned, date-suffixed model ID, and the pinned version must match the version that passed the eval gate. CSPM does not read this. The IAM role looks fine. The network looks fine. The model ID lives inside the application code or the inference configuration, not in the IaC the CSPM scans.
2. Prompt-cache integrity
Prompt caching cuts inference cost meaningfully — sometimes ninety percent off the input-token bill — and most production AI workloads now use it. Caches expire. Caches also drift. A cached system prompt that was approved by red-team review two months ago may have been edited to add a new tool, change a refusal policy, or insert a hardcoded user identifier. If the cache key did not rotate, the production workload is now serving a system prompt that no one signed off on.
The posture rule: the system-prompt hash in the production cache must equal the system-prompt hash in the approved prompt registry. Drift triggers a posture finding. CSPM reads neither registry.
3. Eval-gate enforcement
The eval regression suite is the AI equivalent of a unit-test gate. A new model version, a new system prompt, or a new tool definition must pass the suite before it deploys. The control rule is: production deploys without a green eval pipeline are posture violations. Most AI platforms run the eval suite but do not gate the deploy on it. The team running the launch sees a yellow signal and ships. The CSPM has no idea the deploy happened — it sees the same Lambda or container image hash deploying with the same IAM role.
This is the single most consequential AI posture control today. It is also the one the existing CSPM vendors have the least visibility into. The eval registry is application-layer state. The CSPM lives below it.
4. Foundation-model egress posture
Bedrock calls leave the VPC. Azure OpenAI calls leave the VNet. The endpoint is typically a private endpoint or a VPC endpoint, but the egress posture is what determines whether prompts containing PII leave through an interface the data-protection officer has approved. CSPM does read VPC endpoint configuration, but not at the granularity that matters here: which foundation models the workload is allowed to call, whether the call traverses a private link, and whether the call lands on a region the data-residency posture permits.
The posture rule: every Bedrock invocation in a regulated account must traverse a VPC endpoint, must target a model on the approved list, and must land in a permitted region. The data plane events live in CloudTrail, but only if data-plane logging is explicitly enabled — and it is not on by default.
5. Agent-action policy
Agentic AI workloads execute tools. Tools call APIs. APIs touch data. The agent inherits its execution role's permissions, which means an under-scoped IAM policy and a sufficiently clever prompt produce data exfiltration, unauthorised writes, or privilege escalation. The posture rule: the agent's effective action surface must equal the action surface its principal was authorised for, and no broader.
As of mid-2026, no vendor reads agent-action policy with the precision the control demands.
6. Training-data lineage
A fine-tuned model is only as trustworthy as the data it was trained on. The posture rule is provenance: every fine-tuned model in production must trace back to a documented dataset, a documented preprocessing pipeline, and a documented approval. The EU AI Act Article 53 obligation on GPAI providers is the regulatory expression of this control. For downstream deployers, the practical control is the same: the model in production must trace back to data the organisation can defend.
CSPM does not read fine-tuned-model lineage. It does not need to. The control sits in the model registry, the dataset registry, and the training pipeline metadata — three systems CSPM was not designed to know about.
7. Guardrail-configuration drift
Amazon Bedrock Guardrails, Azure AI Content Safety, and Vertex AI Safety filters are configuration objects. They can be edited. CloudTrail records CreateGuardrail, UpdateGuardrail, DeleteGuardrail, AttachGuardrail, and DetachGuardrail events on Bedrock. GuardDuty has added detections for the specific case of a user removing Bedrock Guardrails. The instrumentation exists. The posture rule is to use it: the guardrail attached to a production workload must equal the guardrail approved by the AI risk committee, and any drift — disabled PII filter, modified denied-topics list, lowered confidence threshold — triggers a finding.
8. Audit-trail completeness
Model invocations must land in an audit trail. CloudTrail data-plane logging for Bedrock InvokeModel and Converse is opt-in. If it is not enabled, the workload has no record of who called which model with which prompt. Article 12 of the EU AI Act requires high-risk AI systems to be designed with automatic event logging, with a six-month minimum retention. A workload that calls a foundation model without data-plane logging enabled is non-compliant with the spirit of Article 12 and indefensible in any post-incident investigation.
The posture rule: every account hosting an AI workload has Bedrock data-plane logging enabled, with logs landing in a tamper-evident store the workload's IAM principal cannot delete.
The AIWPM architecture pattern
The eight controls above need a system to enforce them. The architecture pattern is the same shape as CSPM — inventory, rules, drift detection, audit-trail integration — applied to the AI-specific control surface.
Inventory layer. Four registries: model registry (which foundation models, which fine-tunes, which versions), prompt registry (which system prompts, which hash, which version), eval registry (which suites, which thresholds, which last-passed version), agent registry (which agents, which tools, which scopes). The registries are the source of truth the posture engine compares against.
Posture rule engine. Rules expressed as code. "No production deploy without an eval-suite-green signal in the last twenty-four hours." "Every Bedrock invocation in a regulated account targets a model on the approved list." "Every guardrail attached to a production workload matches the approved baseline." "Every fine-tuned model has provenance metadata pointing to an approved dataset." The rules run on a schedule against the registries and the cloud control plane. They produce findings in the same shape as CSPM findings — severity, resource, control, recommended remediation.
Drift detection. Continuous comparison of dev versus prod. The system prompt in dev should equal the system prompt in prod modulo a documented promotion. The model version in dev should equal the model version in prod. The guardrail attached in dev should equal the guardrail attached in prod. Drift is the leading indicator of every posture failure I have seen on a production AI workload.
Audit-trail integration. The AI-specific event streams — CloudTrail Bedrock data-plane events, Azure AI inference logs, Vertex AI prediction logs — merge into the same audit pipeline as the CSPM logs. The SIEM does not care whether the event is a posture finding from CSPM or AIWPM.
How this relates to existing posture practice
AIWPM extends CSPM. It does not replace it. The CSPM controls — IAM, network, encryption, public exposure — still matter. They matter more on an AI workload, not less, because the blast radius of a compromised foundation-model invocation is larger than a compromised microservice. AIWPM adds the controls CSPM does not yet read.
The vendor roadmaps converge here over the next eighteen to twenty-four months. The first iterations cover inventory and some misconfiguration detection. The harder controls — eval-gate enforcement, prompt-cache integrity, training-data lineage — sit at the application layer and the registry layer, where CSPM has historically not gone. The vendors will get there. The question is whether your AI workload runs ungoverned until they do.
The regulatory framing
The AI Act Article 53 obligation on general-purpose AI model providers and the Article 12 obligation on high-risk AI systems both push toward the controls above. Article 53 requires technical documentation of training data, computational resources, capabilities and limitations. Article 12 requires automatic event logging with six-month minimum retention. The NIS2 incident-reporting obligation kicks in when an AI workload misconfiguration causes a security event with significant impact on essential or important entities. The Nigerian regulatory picture is less explicit on AI, but the NDPA principles on data minimisation, purpose limitation, and accountability map directly onto the AIWPM controls.
For organisations subject to either regime, the AIWPM control set is not an optional security uplift. It is the operating posture that makes the regulatory documentation defensible.
What this teaches us about enterprise scaling
The pattern under this gap is older than AI. Every new workload category arrives ahead of its posture tooling. Containers arrived ahead of container posture. Kubernetes arrived ahead of Kubernetes posture. Serverless arrived ahead of serverless posture. The vendors caught up in each case, but the teams that ran the workload responsibly built their own controls in the interim.
The enterprise scaling lesson is the same as it always was: the posture tooling lags the workload by eighteen to thirty-six months. The control surface you need to read is determined by the workload, not by the vendor's product backlog. Build the registry, write the rules, integrate the audit stream, and treat AIWPM as an extension of the existing CSPM practice rather than a future product category. By the time the vendors converge on the full eight-control surface, your practice is the spec they are catching up to.
FAQs
Why isn't a clean CSPM dashboard enough for AI workloads?
Because the control surface shifted. CSPM reads IAM, network, encryption, and storage primitives — the things that matter on a generic cloud workload. AI workloads are governed by model-level controls: model version, prompt configuration, guardrail policy, eval-gate state, agent-action policy, training-data lineage. The CSPM rules don't read these by default. A workload can pass the CSPM dashboard while calling an unapproved model version against a disabled guardrail with no eval gate.
Which of the eight controls matters most?
Eval-gate enforcement. New model versions, new system prompts, and new tool definitions need to pass the eval regression suite before they deploy, and production deploys without a green eval pipeline are posture violations. Most AI platforms run the suite but do not gate the deploy on it. The team sees a yellow signal and ships. The CSPM has no idea — it sees the same Lambda or container image hash deploying with the same IAM role.
Should we wait for Wiz, Prisma Cloud, and Defender to catch up?
Eighteen to twenty-four months of uncovered posture is the cost of waiting. The first vendor iterations cover inventory and some misconfiguration detection. The harder controls — eval-gate enforcement, prompt-cache integrity, training-data lineage — sit at the application and registry layers, where CSPM has historically not gone. The pattern that scales is to build the registry, write the rules, integrate the audit stream, and treat AIWPM as an extension of existing CSPM practice. By the time vendors converge, your practice is the spec they are catching up to.
What goes in the inventory layer?
Four registries that are the source of truth the posture engine compares against. Model registry: which foundation models, which fine-tunes, which versions. Prompt registry: which system prompts, which hash, which version. Eval registry: which suites, which thresholds, which last-passed version. Agent registry: which agents, which tools, which scopes. Drift between dev and prod across these registries is the leading indicator of every posture failure we have seen on a production AI workload.
How does this map to the EU AI Act?
Article 53's obligation on general-purpose AI model providers to document training data, computational resources, capabilities and limitations maps to the training-data lineage control. Article 12's obligation on high-risk AI systems to enable automatic event logging with six-month minimum retention maps to audit-trail completeness — a workload calling a foundation model without Bedrock data-plane logging enabled is non-compliant with the spirit of Article 12 and indefensible in any post-incident investigation. For organisations under either regime, the AIWPM control set is the operating posture that makes regulatory documentation defensible.
Companion content
- Agent Code Execution: MicroVM vs Container
- Air-Gapped LLM Deployments on AWS Bedrock
- Security, Guardrails, and Observability on Bedrock
- AWS Security Posture for AI Workloads
- Mitigating Non-Deterministic AI Failures: The Day-Two Problem
- Why Enterprise AI Pilots Fail at Deployment
How to engage
If you are running a generative AI workload in production and your posture review still reads from a CSPM-only baseline, you have a gap. Talk to us at creativeminds.dev/contact.