AWS Certified AI Practitioner · AIF-C01

Security, Compliance & Governance for AI

Domain 5 — Comprehensive Study Guide
Task Statements 5.1 · 5.2

14% of Exam Score

Domain 5 Overview · What You Need to Know

Task 5.1 — Securing AI Systems
  • AWS security services: IAM, encryption, Macie, PrivateLink
  • Shared Responsibility Model applied to AI
  • Bedrock AgentCore Identity & Policy
  • Data lineage, cataloging, Model Cards
  • Secure data engineering best practices
  • AI-specific threats: prompt injection, data leakage, toxicity
  • Hallucination detection and grounding (RAG)
Task 5.2 — Governance & Compliance
  • AWS governance services: Config, Inspector, Audit Manager, Artifact, CloudTrail, Trusted Advisor
  • Data governance strategies
  • Governance protocols and frameworks
  • GenAI Security Scoping Matrix
  • Transparency standards & team training
📋 Exam Weight

Domain 5 is 14% of scored content — approximately 9 questions. Questions focus on matching AWS security/governance services to AI-specific problems, and understanding shared responsibility in AI contexts.

5.1 · Securing AI Systems

AWS Security Services · Shared Responsibility · Data Lineage · Threats · Grounding

Task 5.1 — Security Services · AWS Services to Secure AI Systems

🔑 Identity & Access · IAM Roles, Policies, Permissions
  • Least-privilege access to SageMaker, Bedrock, S3
  • Service roles for training jobs and endpoints
  • Resource-based policies for cross-account access
🔐 Encryption · AWS KMS, S3 SSE, TLS
  • Encrypt training data and model artifacts at rest (KMS-managed keys)
  • TLS in transit for all API calls
  • Customer-managed keys (CMK) for regulated workloads
🌐 Network Isolation · AWS PrivateLink, VPC Endpoints
  • Route Bedrock and SageMaker traffic over the private AWS network; it never traverses the public internet
  • Critical for sensitive data and compliance requirements
🔍 Data Discovery · Amazon Macie
  • Automatically discovers and classifies sensitive data (PII, credentials) in S3 buckets used for AI training data
  • Alerts on unexpected exposure or access patterns
🤖 Agent Security · Bedrock AgentCore Identity & Policy
  • Manages authentication and fine-grained authorisation for agentic AI applications
  • Controls which tools, APIs, and data sources an agent can access
🛡️ Output Safety · Bedrock Guardrails
  • Filters harmful content, redacts PII in outputs, detects grounding failures
  • Enforces topic deny-lists at inference time across all Bedrock-hosted models
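An added example (not from this guide) of checking the least-privilege rules above in code: a small linter that flags wildcard actions, `Resource: "*"`, and Bedrock/SageMaker statements that are not pinned to a VPC endpoint with the `aws:SourceVpce` condition key. The two policies, the model ID, bucket name and VPC endpoint ID are constructed placeholders.

```python
# Constructed sample (not from the guide): a role policy that is far too broad for one workload.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
    ],
}
# Constructed sample: the same role pinned to one model, one bucket prefix and one VPC endpoint
# (EXAMPLE-MODEL-ID, example-training-bucket and vpce-EXAMPLE are placeholders).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "bedrock:InvokeModel",
            "Resource": "arn:aws:bedrock:us-east-1::foundation-model/EXAMPLE-MODEL-ID",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-training-bucket/datasets/*",
        },
    ],
}
AI_SERVICES = {"bedrock", "sagemaker"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement_index, finding) pairs for each least-privilege violation found."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource '*' grants access to every resource"))
        # Bedrock/SageMaker calls should be pinned to a VPC endpoint (PrivateLink) via aws:SourceVpce;
        # IAM condition keys are case-insensitive, so compare lower-cased.
        keys = {k.lower() for cond in stmt.get("Condition", {}).values() for k in cond}
        if any(a.split(":")[0] in AI_SERVICES for a in actions) and "aws:sourcevpce" not in keys:
            findings.append((i, "no aws:SourceVpce condition; call may leave the private network"))
    return findings
```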

Task 5.1 — Shared Responsibility · AWS Shared Responsibility Model for AI

🏗️ AWS Responsibility — Security OF the Cloud
  • Physical data centre security
  • Hypervisor, compute, storage, network infrastructure
  • Managed service software (SageMaker platform, Bedrock API layer)
  • Pre-trained FM safety testing and responsible deployment
  • Global infrastructure availability and fault tolerance
  • Encryption key management infrastructure (HSMs)
🔧 Customer Responsibility — Security IN the Cloud
  • IAM roles, policies, and least-privilege access
  • Encrypting your training data and model artifacts
  • Securing your training datasets and prompts
  • Configuring VPC, PrivateLink, and network controls
  • Guardrails configuration for your FM applications
  • Monitoring model outputs and drift in production
  • Data governance, lineage, and retention policies
  • Auditing AI interactions via CloudTrail logging
⚡ Exam Note

AWS secures the infrastructure; you secure your data, access controls, model configurations, and outputs. For Bedrock: AWS maintains the FM; you configure Guardrails, IAM, VPC, and manage prompt safety.

Task 5.1 — Data Lineage · Source Citation, Data Lineage & Cataloging

Data Lineage
  • Tracks the full journey of data: origin → transformations → model
  • Enables root-cause analysis when model quality degrades
  • Required for regulatory audits (GDPR, HIPAA, financial)
  • SageMaker ML Lineage Tracking records experiment artifacts
Data Cataloging
  • Central inventory of datasets with metadata
  • AWS Glue Data Catalog — schema, location, access controls
  • Enables discoverability and governance across teams
  • Tags datasets with classification (PII, confidential, public)
SageMaker Model Cards
  • Documents: training data sources, intended use, evaluation results
  • Records known limitations and risk assessments
  • Supports source citation — which data trained this model?
  • Audit trail artifact for compliance and transparency
Why Source Citation Matters for AI
  • GenAI models may reproduce training data verbatim — attribution required
  • RAG systems must cite retrieved sources to enable verification
  • Provenance documentation defends against IP infringement claims
  • Regulators increasingly require explainable data provenance
Data Quality Assessment
  • Validate completeness, accuracy, consistency before training
  • Profile data distributions to detect skew and drift
  • SageMaker Data Wrangler and Clarify for pre-training analysis
  • Poor data quality = compounded model failures downstream

Task 5.1 — Data Engineering · Secure Data Engineering Best Practices

Data Access & Privacy

Data Access Control
  • S3 bucket policies + IAM roles — least privilege per workload
  • Lake Formation row/column-level security for fine-grained access
  • Separate dev, staging, and production data environments
  • Resource tags to enforce policy boundaries
Privacy-Enhancing Technologies
  • Differential Privacy — add noise to protect individual records
  • Federated Learning — train on distributed data without centralising it
  • Data Anonymisation — remove or mask PII before training
  • Tokenisation — replace sensitive fields with non-sensitive tokens

Integrity & Protection

Data Integrity
  • Checksums/hashing to detect tampering of training datasets
  • Versioning (S3 versioning, DVC) to track dataset changes
  • Immutable audit logs of all data access and modifications
  • Validation pipelines before data enters training
Data Leakage Prevention
  • Prevent PII from appearing in model outputs via Guardrails
  • Amazon Macie scans S3 for inadvertent sensitive data exposure
  • Output filtering and validation before response delivery
  • VPC endpoints prevent data exfiltration over public network

Task 5.1 — Threats · AI-Specific Security Threats & Mitigations

🎯 Prompt Injection
  • Threat: malicious input overrides system instructions
  • Mitigation: input validation, Guardrails, sandboxed execution, avoid including untrusted text in privileged prompt positions
☠️ Data Poisoning
  • Threat: adversarial examples injected into training data corrupt model behaviour
  • Mitigation: data provenance tracking, curated sources, anomaly detection in training pipelines
🔓 Model Inversion
  • Threat: attacker queries model to reconstruct training data
  • Mitigation: differential privacy, output rate limiting, access controls on model endpoints
📤 Data Leakage
  • Threat: sensitive info from prompts or training data appears in outputs
  • Mitigation: Guardrails PII redaction, output filtering, Macie on data stores
☣️ Toxicity / Harmful Output
  • Threat: model generates harmful, offensive, or dangerous content
  • Mitigation: Bedrock Guardrails content filters, human review (A2I), regular output audits
🛡️ Infrastructure Attacks
  • Threat: vulnerabilities in ML infrastructure (notebooks, endpoints)
  • Mitigation: VPC isolation, Inspector scanning, patch management, least-privilege IAM
📋 Audit Trail Gaps
  • Threat: no record of AI interactions for compliance
  • Mitigation: CloudTrail for API calls, application logging of prompts/responses, S3 access logs
⚡ Exam Note

Prompt injection and data leakage are the most-tested AI-specific threats. Know that Guardrails addresses output-layer threats; IAM + VPC address infrastructure threats; Macie addresses data-at-rest exposure.
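An added example (not from this guide) of closing the "audit trail gap" and the "data exfiltration over the public network" points above with detection logic: it walks CloudTrail-style records, reports Bedrock/SageMaker calls that did not arrive through an approved VPC endpoint (`vpcEndpointId` missing or unknown) or that ended in `AccessDenied`, and counts calls per principal. The records are constructed samples with placeholder account IDs, ARNs, IPs and endpoint IDs; real field names from the CloudTrail event schema are used.

```python
from collections import Counter

# Constructed CloudTrail-style records (not real logs). Field names follow the CloudTrail event
# schema; the account ID, ARNs, IPs and vpce-EXAMPLE1 are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-EXAMPLE1",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/session-1"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-laptop"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "sagemaker.amazonaws.com",
     "eventName": "CreateTrainingJob", "sourceIPAddress": "10.0.2.9", "vpcEndpointId": "vpce-EXAMPLE1",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ds-role/session-2"}},
    {"eventTime": "2024-01-01T10:12:00Z", "eventSource": "sagemaker.amazonaws.com",
     "eventName": "DescribeEndpoint", "sourceIPAddress": "10.0.2.9", "vpcEndpointId": "vpce-EXAMPLE1",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ds-role/session-2"}},
    {"eventTime": "2024-01-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.2.9",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ds-role/session-2"}},
]
AI_SOURCES = {"bedrock.amazonaws.com", "sagemaker.amazonaws.com"}

def _actor(event):
    return event.get("userIdentity", {}).get("arn", "unknown")

def audit_ai_events(events, allowed_vpce):
    """Return (kind, who_what, detail) findings for Bedrock/SageMaker calls that need review."""
    findings = []
    for ev in events:
        if ev.get("eventSource") not in AI_SOURCES:
            continue  # only the AI control/data-plane calls are in scope here
        who_what = f"{_actor(ev)} {ev['eventName']} at {ev['eventTime']}"
        vpce = ev.get("vpcEndpointId")
        if vpce is None:  # no VPC endpoint: the call reached the service over the public path
            findings.append(("PUBLIC_PATH", who_what, ev.get("sourceIPAddress")))
        elif vpce not in allowed_vpce:  # an endpoint this workload was not expected to use
            findings.append(("UNKNOWN_VPCE", who_what, vpce))
        if ev.get("errorCode") == "AccessDenied":  # a principal reaching beyond its permissions
            findings.append(("ACCESS_DENIED", who_what, ev["eventName"]))
    return findings

def ai_calls_by_actor(events):
    """Who did what, counted per principal: the 'who' half of the audit trail."""
    return Counter(_actor(ev) for ev in events if ev.get("eventSource") in AI_SOURCES)
```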

Task 5.1 — Grounding · Hallucination Detection & Grounding Techniques

RAG Grounding
  • Retrieval-Augmented Generation anchors answers in retrieved facts
  • Model cites source documents — verifiable by users
  • Knowledge base updated independently of model weights
  • Bedrock Knowledge Bases implements managed RAG
  • Significantly reduces hallucination rate on factual queries
Output Validation
  • Post-processing checks on model responses
  • Cross-reference against authoritative data sources
  • Structured output schemas enforce format compliance
  • Bedrock Guardrails grounding check flags off-context responses
  • Human-in-the-loop (A2I) for high-stakes validation
Confidence Scoring
  • Model outputs a probability or confidence alongside its answer
  • Low-confidence responses routed to human review
  • Calibration: confidence score should correlate with accuracy
  • LLM-as-judge can score response quality as a second pass
  • Thresholds trigger escalation workflows automatically
⚡ Exam Note

Three layers of hallucination control: (1) RAG prevents them at generation time; (2) output validation/Guardrails catches them post-generation; (3) confidence scoring + A2I escalates uncertain cases to humans. Know all three for the exam.
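The three layers above, as an added example that is not part of this guide: a simplified grounding score (the share of an answer's content terms that appear in the retrieved passages) stands in for the Guardrails grounding check, and a routing function blocks off-context answers, escalates low-confidence ones to human review, and delivers the rest. The passages, answers and thresholds are constructed; the scoring is a stand-in, not the Bedrock algorithm.

```python
import re

# Constructed retrieved passages standing in for a knowledge base (not from the guide).
RETRIEVED = [
    "Our data retention policy keeps inference logs for 90 days.",
    "Logs are stored in an S3 bucket encrypted with a customer-managed KMS key.",
]
STOPWORDS = {"the", "a", "an", "in", "for", "are", "is", "with", "our", "and", "of", "to"}

def _terms(text):
    """Lower-cased content terms of a string, stopwords removed."""
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOPWORDS

def grounding_score(answer, passages):
    """Fraction (0..1) of the answer's content terms that occur in the retrieved context.
    A simplified stand-in for a grounding check; it flags claims the context does not support."""
    answer_terms = _terms(answer)
    if not answer_terms:
        return 0.0
    context_terms = set().union(*(_terms(p) for p in passages))
    return len(answer_terms & context_terms) / len(answer_terms)

def route(answer, passages, confidence, grounding_threshold=0.7, confidence_threshold=0.8):
    """Apply the three layers in order and return (decision, grounding_score).
    Layer 1 (RAG) supplied `passages`; layer 2 is the grounding check; layer 3 is confidence routing."""
    score = grounding_score(answer, passages)
    if score < grounding_threshold:
        return ("BLOCK", score)           # layer 2: off-context response, do not deliver
    if confidence < confidence_threshold:
        return ("HUMAN_REVIEW", score)    # layer 3: grounded but uncertain, escalate (A2I)
    return ("DELIVER", score)
```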

5.2 · Governance & Compliance for AI

AWS Governance Services · Data Governance · Protocols · GenAI Scoping Matrix

Task 5.2 — Governance Services · AWS Services for Governance & Compliance

Service · What it does · AI use case
AWS CloudTrail
  • What it does: logs all AWS API calls with who, what, when, from where
  • AI use case: audit trail of all Bedrock/SageMaker calls; required for compliance investigations
AWS Config
  • What it does: continuous configuration compliance; detects drift from policy baselines
  • AI use case: enforce required encryption and VPC settings on SageMaker/Bedrock resources
Amazon Inspector
  • What it does: automated vulnerability scanning of EC2, containers, Lambda
  • AI use case: scan ML infrastructure (notebooks, training instances) for CVEs and misconfigs
AWS Audit Manager
  • What it does: continuously collects evidence to map AWS usage to compliance frameworks
  • AI use case: map AI workloads to GDPR, HIPAA, SOC 2 controls; generate audit reports
AWS Artifact
  • What it does: on-demand access to AWS compliance reports (SOC, ISO, PCI DSS, FedRAMP)
  • AI use case: download AWS attestations to prove underlying infra compliance to auditors
AWS Trusted Advisor
  • What it does: real-time guidance on cost, security, fault tolerance, and performance
  • AI use case: identifies over-permissive IAM policies and security gaps in AI workloads
⚡ Exam Note

CloudTrail = who did what (logs). Config = are resources compliant (drift). Inspector = are there vulnerabilities (scanning). Audit Manager = evidence collection for frameworks. Artifact = AWS compliance documents. Trusted Advisor = recommendations.

Task 5.2 — Data Governance · Data Governance Strategies for AI

Data Lifecycle Management
  • Define stages: collect → process → train → archive → delete
  • S3 Lifecycle Policies automate transitions and expiry
  • Retain training datasets linked to deployed models for audit
  • Delete personal data per GDPR right-to-erasure requests
Data Residency
  • Ensure data stays in required geographic region
  • AWS Region selection enforces physical data location
  • Bedrock regional endpoints keep inference data in-region
  • Required for EU GDPR, Australian Privacy Act, etc.
Logging, Monitoring & Retention
  • Log all prompts and responses for AI interactions (CloudWatch)
  • Define retention periods — how long are logs kept?
  • Monitor access patterns with CloudTrail + Macie alerts
  • SageMaker Model Monitor for ongoing model quality surveillance
Observation & Observability
  • Capture inputs, outputs, latency, errors for all AI endpoints
  • CloudWatch dashboards for real-time AI health monitoring
  • Distributed tracing (X-Ray) through agentic AI pipelines
  • Alerts on anomalies: unusual query volumes, output quality degradation
Data Classification & Tagging
  • Tag datasets: PII, confidential, public, regulated
  • AWS Resource Tags + Lake Formation labels enforce access policies
  • Amazon Macie auto-classifies S3 data by sensitivity
  • Classification informs retention, access control, and audit scope

Task 5.2 — Protocols · Governance Protocols & Frameworks

Governance Processes

Policies & Review Cadence
  • Define acceptable use policies for AI tools and data
  • Scheduled model risk reviews (quarterly or after significant updates)
  • Change management for model versions and prompt changes
  • Incident response plan for AI-related failures or misuse
Review Strategies
  • Red teaming — adversarial testing of AI systems for safety gaps
  • Ethics board review for high-impact AI applications
  • Legal review of training data licensing and output IP
  • External audit for regulated industry deployments

Standards & Frameworks

GenAI Security Scoping Matrix
  • AWS framework for scoping security controls to GenAI use cases
  • Maps GenAI deployment patterns (API, fine-tuned, self-hosted) to required controls
  • Helps teams determine which security measures apply at each layer
  • Distinguishes consumer apps, enterprise internal, and custom-model scenarios
Transparency Standards & Team Training
  • Publish AI use policies and limitations to end users
  • Disclose when users are interacting with AI (EU AI Act requirement)
  • Regular training: responsible AI principles, data handling, security
  • Role-specific training: data scientists, product managers, legal, ops

Quick Review & Exam Checklist

Domain 5 · Key Points to Lock In

Exam Checklist · Can You Answer These?

Task 5.1 — Must Know
  • IAM least-privilege + resource policies for Bedrock & SageMaker
  • PrivateLink keeps AI traffic off public internet
  • Macie discovers PII in S3 training data
  • Bedrock AgentCore Identity controls agent tool access
  • Shared Responsibility: AWS secures infra; customer secures data + config
  • Data lineage = tracks data from origin → model; SageMaker ML Lineage Tracking
  • Model Cards = source citation + audit documentation
  • Prompt injection, data poisoning, data leakage, toxicity — know each + mitigation
  • Grounding layers: RAG → output validation → confidence scoring + A2I
Task 5.2 — Must Know
  • CloudTrail → API audit logs (who did what)
  • Config → resource compliance & drift detection
  • Inspector → vulnerability scanning of ML infra
  • Audit Manager → compliance evidence collection (GDPR, HIPAA)
  • Artifact → AWS compliance reports/attestations
  • Trusted Advisor → security recommendations
  • Data residency → AWS Region selection + Bedrock regional endpoints
  • GenAI Security Scoping Matrix → maps deployment patterns to required controls
  • Governance: policies + review cadence + red teaming + team training
Security Service → Job
  • IAM → access control
  • KMS → encryption
  • PrivateLink → network isolation
  • Macie → PII discovery
  • Guardrails → output safety
  • AgentCore → agent auth
Governance Service → Job
  • CloudTrail → audit logs
  • Config → compliance drift
  • Inspector → CVE scanning
  • Audit Manager → evidence
  • Artifact → AWS certs
  • Trusted Advisor → guidance
Hallucination Defence Layers
  • Prevent: RAG grounding
  • Detect: Guardrails grounding check
  • Route: confidence scoring → A2I
  • Document: CloudTrail + app logs
  • Cite: source attribution in RAG
Domain 5 Complete — All Domains Covered

You're ready for the AIF-C01 Exam

Security, Compliance & Governance for AI — Domain 5
All five domains now in your toolkit.

D1 · AI/ML Fundamentals 20%
D2 · GenAI Fundamentals 24%
D3 · FM Applications 28%
D4 · Responsible AI 14%
D5 · Security & Governance 14%