Skip to content

Control 1.21: Adversarial Input Logging

Control ID: 1.21 Pillar: Security Regulatory Reference: FFIEC CAT 2025, GLBA 501(b), FINRA 4511, OCC 2011-12 Last UI Verified: January 2026 Governance Levels: Baseline / Recommended / Regulated Last Verified: 2026-02-03

Objective

Implement detection and logging capabilities for adversarial inputs targeting AI agents, including prompt injection attacks, jailbreaking attempts, and encoding-based evasion techniques to provide early warning of manipulation attempts and support incident response.

Why This Matters for FSI

  • FFIEC CAT 2025: Provides AI-specific threat detection for cybersecurity assessment
  • GLBA 501(b): Administrative safeguards through security event detection and logging
  • FINRA 4511: Preserves evidence of attack attempts in books and records
  • OCC 2011-12: Addresses manipulation attempts on AI models for model risk management

Control Description

This control establishes adversarial detection through:

  1. Pattern Detection - Identify known adversarial patterns (prompt injection, jailbreaking, role manipulation)
  2. Encoding Analysis - Detect obfuscated inputs (Base64, Unicode lookalikes, zero-width characters)
  3. Behavioral Logging - Log suspicious interaction patterns for investigation
  4. Real-Time Alerting - Alert SOC on high-confidence attack attempts
  5. Forensic Preservation - Preserve attack evidence for analysis and regulatory response
  6. Zone-Based Response - Configure logging, alerting, or blocking based on zone risk

Key Configuration Points

  • Enable Copilot interaction logging via Purview Audit (Control 1.7)
  • Deploy Defender for Cloud Apps AI monitoring policies
  • Configure KQL detection queries for adversarial patterns ("ignore previous", "DAN mode", "system prompt")
  • Create Sentinel analytics rules with 5-minute detection windows
  • Configure Base64 and Unicode obfuscation detection
  • Set zone-specific responses: Zone 1 log-only, Zone 2 alert, Zone 3 block
  • Preserve attack evidence per retention schedule (6+ years)

Zone-Specific Requirements

Zone Requirement Rationale
Zone 1 (Personal) Logging only; weekly review; no blocking Low risk, avoid disruption
Zone 2 (Team) Alert on high-confidence attacks; optional soft blocking; weekly review Balanced approach for shared agents
Zone 3 (Enterprise) Full detection including encoding; automatic blocking; real-time SOC alerts; quarterly red team Maximum protection for customer-facing agents

Roles & Responsibilities

Role Responsibility
Entra Security Admin Configure detection rules, manage Sentinel integration
Security Operations Respond to alerts, investigate detected attacks
AI Governance Lead Policy decisions on blocking vs. logging
Compliance Officer Evidence retention requirements, regulatory reporting
Control Relationship
1.7 - Audit Logging Provides underlying audit infrastructure
1.8 - Runtime Protection Complementary threat detection
1.24 - Defender for AI Services GA threat protection for AI workloads — detects adversarial prompt attacks, credential theft, and data exfiltration targeting Azure OpenAI and other AI services
3.4 - Incident Reporting Incident response for detected attacks
3.9 - Sentinel Integration Advanced analytics and correlation

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:

Verification Criteria

Confirm control effectiveness by verifying:

  1. Test adversarial prompt ("ignore previous instructions") is logged in audit
  2. Sentinel rule triggers alert/incident on pattern match
  3. Base64 encoded malicious input is detected by encoding analysis
  4. Zone 3 blocking helps prevent execution of detected attacks
  5. Detection report generates with summary statistics

Additional Resources

Updated: January 2026 | Version: v1.2 | UI Verification Status: Current