diff --git a/checklists/genailz_checklist.en.json b/checklists/genailz_checklist.en.json new file mode 100644 index 00000000..ad4fd137 --- /dev/null +++ b/checklists/genailz_checklist.en.json @@ -0,0 +1,917 @@ +{ + "$schema": "checklist.schema.json", + "items": [ + { + "category": "Network Topology and Connectivity ", + "subcategory": "Azure AI Foundry", + "text": "Configure the AI managed network and use private endpoints.", + "waf": "Security", + "guid": "e3a78016-e8d8-4598-9cbf-02599ff12e3d", + "id": "GenAILZ.01", + "service": "Azure AI Foundry", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/how-to/configure-managed-network" + }, + { + "category": "Network Topology and Connectivity", + "subcategory": "Azure OpenAI", + "text": "Restrict access to select virtual networks or use private endpoints.", + "waf": "Security", + "guid": "c9635b24-65e0-41c9-a442-53f320f2054f", + "id": "GenAILZ.02", + "service": "Azure OpenAI", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/how-to/configure-managed-network" + }, + { + "category": "Network Topology and Connectivity", + "subcategory": "Azure AI Services (Speech, Bing, Translator etc.)", + "text": "Restrict access to select virtual networks or use private endpoints.", + "waf": "Security", + "guid": "bdd4c29c-da1f-4632-b8ac-b48f713981b1", + "id": "GenAILZ.03", + "service": "Azure AI Services", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/how-to/configure-managed-network" + }, + { + "category": "Network Topology and Connectivity", + "subcategory": "Azure Machine Learning", + "text": "Restrict network access to Azure Machine Learning resources.", + "waf": "Security", + "guid": "d0675476-5676-4392-b98e-953c2720554d", + "id": "GenAILZ.04", + "service": "Azure Machine Learning", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/machine-learning/concept-network-isolation-configurations" + }, + { + "category": "Network Topology and Connectivity", + "subcategory": "Azure AI Services", + "text": "Configure data loss prevention for Azure AI services.", + "waf": "Security", + "guid": "b0ffe298-2f44-4af0-94c6-250e732b3e28", + "id": "GenAILZ.05", + "service": "Azure AI Services", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/cognitive-services-data-loss-prevention?branch=main&tabs=azure-cli" + }, + { + "category": "Network Topology and Connectivity", + "subcategory": "Azure AI Foundry", + "text": "Limit outbound traffic from your AI resources.", + "waf": "Security", + "guid": "fa191645-9897-4e46-82a7-d30aa352f7d2", + "id": "GenAILZ.06", + "service": "Azure AI Foundry", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/how-to/configure-managed-network?branch=main&tabs=portal" + }, + { + "category": "Network Topology and Connectivity", + "subcategory": "Azure Machine Learning", + "text": "Allow only approved network outbound mode.", + "waf": "Security", + "guid": "3b85ba90-0f99-4b74-ab1f-40ca251f3706", + "id": "GenAILZ.07", + "service": "Azure Machine Learning", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/machine-learning/how-to-network-isolation-planning?view=azureml-api-2&branch=main" + }, + { + "category": "Network Topology and Connectivity", + "subcategory": "API Gateway", + "text": "Deploy a API Gateway solution like API-Management to load balance requests, rate limit tokens, keyless authentication and monitor AI usage.", + "waf": "Security", + "guid": "129b5c68-132e-4839-ac3a-ebe7c14bc08e", + "id": "GenAILZ.08", + "service": "Azure API Management", + "severity": "high", + "link": "https://github.com/Azure/apim-landing-zone-accelerator/blob/main/scenarios/workload-genai/README.md" + }, + { + "category": "Governance and Security", + "subcategory": "Threat Protection", + "text": "Implement threat protection for all AI models.", + "waf": "Security", + "guid": "77f9dffe-09a6-4a2d-bc87-6598564d80aa", + "id": "GenAILZ.09", + "service": "Microsoft Defender for Cloud", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/ai-threat-protection" + }, + { + "category": "Governance and Security", + "subcategory": "Threat Protection", + "text": "Regularly inspect AI model output to detect and mitigate risks associated with malicious or unpredictable user prompts.", + "waf": "Security", + "guid": "3b5bf58d-c4b8-440d-b0fc-0ddb452bbc27", + "id": "GenAILZ.10", + "service": "Azure AI Content Safety", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/jailbreak-detection" + }, + { + "category": "Governance and Security", + "subcategory": "Threat Protection", + "text": "Establish company-wide verification mechanisms to ensure all AI models in use are legitimate and secure.", + "waf": "Security", + "guid": "ae9acafb-9675-4b4d-a2b5-03d809535fa7", + "id": "GenAILZ.11", + "service": "NA", + "severity": "high", + "link": "" + }, + { + "category": "Governance and Security", + "subcategory": "Access Management", + "text": "Use distinct workspaces to organize and manage AI artifacts like datasets, models, and experiments.", + "waf": "Security", + "guid": "888d6799-0028-49bb-ab5f-e62541d6d364", + "id": "GenAILZ.12", + "service": "Azure AI Foundry", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/concepts/ai-resources" + }, + { + "category": "Identity and Access Management", + "subcategory": "Authentication", + "text": "Wherever possible, eliminate static API keys in favor of Microsoft Entra ID for authentication.", + "waf": "Security", + "guid": "10c1532e-5f7f-4d63-9887-44e219ab130a", + "id": "GenAILZ.13", + "service": "Azure OpenAI", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/managed-identity" + }, + { + "category": "Identity and Access Management", + "subcategory": "Authentication", + "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", + "waf": "Security", + "guid": "a7e20682-1bcf-4bde-927d-2bafd295bbc1", + "id": "GenAILZ.14", + "service": "Microsoft Entra", + "severity": "high", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks" + }, + { + "category": "Identity and Access Management", + "subcategory": "Authentication", + "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", + "waf": "Security", + "guid": "aae9d9e3-9ab0-4e30-b5da-184742112664", + "id": "GenAILZ.15", + "service": "Microsoft Entra", + "severity": "high", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure" + }, + { + "category": "Identity and Access Management", + "subcategory": "Authentication", + "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", + "waf": "Security", + "guid": "2daf1eb6-7084-4e03-8cdf-ee6d64bb4936", + "id": "GenAILZ.16", + "service": "Microsoft Entra", + "severity": "high", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview" + }, + { + "category": "Identity and Access Management", + "subcategory": "Authentication", + "text": "Use Azure RBAC to manage data plane access to resources, if possible. E.g. Data Operations across Key Vault, Storage Account and Database Services.", + "waf": "Security", + "guid": "6091840f-0bcd-4238-acbe-17f7f66bf78a", + "id": "GenAILZ.17", + "service": "Azure RBAC", + "severity": "high", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones" + }, + { + "category": "Identity and Access Management", + "subcategory": "Authentication", + "text": "Use Microsoft Entra ID PIM access reviews to periodically validate resource entitlements.", + "waf": "Security", + "guid": "c51df970-509c-4110-960a-601dd2348dbf", + "id": "GenAILZ.18", + "service": "Microsoft Entra", + "severity": "high", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review" + }, + { + "category": "Identity and Access Management", + "subcategory": "Authentication", + "text": "Require clients to authenticate using Entra ID when accessing AI model endpoints.", + "waf": "Security", + "guid": "21f656e3-7ba4-4d23-be79-02a6264a1942", + "id": "GenAILZ.19", + "service": "Azure API Management", + "severity": "high", + "link": "https://github.com/Azure/apim-landing-zone-accelerator/blob/main/scenarios/workload-genai/README.md" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Use Dynamic Sessions in Azure Container Apps, to ensure each code execution occurs in a fresh, isolated environment that is destroyed after use.", + "waf": "Security", + "guid": "be2ade6f-bea6-4092-9dab-49e8f8c2ddb7", + "id": "GenAILZ.20", + "service": "Azure Container Apps", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/container-apps/sessions?tabs=azure-cli" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Set resource limits (CPU, memory, disk usage) for code execution environments to prevent any single execution from consuming excessive resources.", + "waf": "Security", + "guid": "2ba176b3-5d95-4caf-a870-0b0ecd65c3af", + "id": "GenAILZ.21", + "service": "NA", + "severity": "medium", + "link": "" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Use MITRE ATLAS, OWASP Machine Learning risk, and OWASP Generative AI risk to regularly evaluate risks across all AI workloads.", + "waf": "Security", + "guid": "2e76dec8-e54f-47b0-8b08-939e34611c6f", + "id": "GenAILZ.22", + "service": "NA", + "severity": "medium", + "link": "https://genai.owasp.org/llm-top-10/" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Assess insider risk to sensitive data, across all AI workloads", + "waf": "Security", + "guid": "8c243a35-7a57-438a-8b48-73a7b2ce6a20", + "id": "GenAILZ.23", + "service": "Microsoft Purview", + "severity": "low", + "link": "https://learn.microsoft.com/en-us/purview/insider-risk-management" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Perform AI threat modeling using frameworks like STRIDE to assess potential attack vectors for all AI workloads.", + "waf": "Security", + "guid": "2fee0018-807e-44de-807c-e4a1aaecabba", + "id": "GenAILZ.24", + "service": "Microsoft Threat Modeling Tool", + "severity": "medium", + "link": "https://www.microsoft.com/securityengineering/sdl/threatmodeling" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Conduct red-team testing against generative AI models and nongenerative models to assess their vulnerability to attacks.", + "waf": "Security", + "guid": "c3566fc0-e457-4324-b61d-56f89403f895", + "id": "GenAILZ.25", + "service": "Azure OpenAI", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/red-teaming" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Maintaining a detailed and up-to-date inventory of your AI workload resources", + "waf": "Security", + "guid": "de4b110e-eeb0-4cbf-b7e3-fa5cf40674b0", + "id": "GenAILZ.26", + "service": "Microsoft Defender for Cloud", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/identify-ai-workload-model" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Create a data sensitivity change management plan. Track data sensitivity levels as they can change over time.", + "waf": "Security", + "guid": "818a1055-9179-4a54-85f9-aaa2fc5cc993", + "id": "GenAILZ.27", + "service": "NA", + "severity": "medium", + "link": "" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Safeguard sensitive data when required by using duplicates, local copies, or subsets that contain only the necessary information.", + "waf": "Security", + "guid": "05f2a394-f90b-4dd3-9402-248f3720fcf6", + "id": "GenAILZ.28", + "service": "NA", + "severity": "high", + "link": "" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Conduct rigorous tests to determine if sensitive data can be leaked or coerced through AI systems.", + "waf": "Security", + "guid": "f320b81e-cceb-47f9-b6bb-7bd6f45e0732", + "id": "GenAILZ.29", + "service": "Azure AI Services", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/language-service/personally-identifiable-information/concepts/entity-categories" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Provide AI-focused employee training and awareness emphasizing the importance of data security and AI development best practices and deployment.", + "waf": "Security", + "guid": "b77c0824-c933-49ed-a9e1-41b5668c04fd", + "id": "GenAILZ.30", + "service": "NA", + "severity": "medium", + "link": "" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Develop and maintain an incident response plan for AI security incidents.", + "waf": "Security", + "guid": "2fe19fb3-860a-403a-94e6-3b5eab341ff8", + "id": "GenAILZ.31", + "service": "NA", + "severity": "high", + "link": "" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Regularly evaluate emerging threats and vulnerabilities specific to AI through risk assessments and impact analyses.", + "waf": "Security", + "guid": "eafa85b5-ef4e-4bed-806a-96b09f0d0f29", + "id": "GenAILZ.32", + "service": "NA", + "severity": "high", + "link": "" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Enforce Customer Managed Keys for data at rest encryption via Azure Policy", + "waf": "Security", + "guid": "91c2b50a-3f81-480a-99b1-7e1ee9561712", + "id": "GenAILZ.33", + "service": "NA", + "severity": "medium", + "link": "https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK.html" + }, + { + "category": "Governance and Security", + "subcategory": "Risk Mitigation", + "text": "Disable inferencing via Azure AI Foundry to prevent API Gateway bypass.", + "waf": "Security", + "guid": "0fc6d1b2-cee1-4851-9a89-ab61a9802682", + "id": "GenAILZ.34", + "service": "Azure AI Foundry", + "severity": "medium", + "link": "" + }, + { + "category": "Operations", + "subcategory": "Monitoring", + "text": "Implement a monitoring system to ensure that AI workloads remain aligned with KPIs.", + "waf": "Performance", + "guid": "988b2b85-208c-44f9-9b0d-e81327060c25", + "id": "GenAILZ.35", + "service": "Azure AI Foundry", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/concepts/evaluation-approach-gen-ai" + }, + { + "category": "Operations", + "subcategory": "Monitoring", + "text": "Proactively identify performance bottlenecks and anomalies.", + "waf": "Performance", + "guid": "48a9f4af-7ab1-45c3-9d62-e06d9df08986", + "id": "GenAILZ.36", + "service": "Azure AI Foundry", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/how-to/develop/trace-local-sdk" + }, + { + "category": "Operations", + "subcategory": "Monitoring", + "text": "Include service and resource health events as part of the overall platform monitoring solution.", + "waf": "Operations", + "guid": "6181f3aa-1b06-4ece-b0fe-b373f2ca30d9", + "id": "GenAILZ.37", + "service": "Azure Service Health", + "severity": "high", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal" + }, + { + "category": "Operations", + "subcategory": "Monitoring", + "text": "Deploy AMBA to establish monitoring for platform components of your landing zone.", + "waf": "Operations", + "guid": "b49dd9e6-e189-4fc5-a02d-d5cc04583d1d", + "id": "GenAILZ.38", + "service": "Azure Monitor", + "severity": "medium", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-monitor" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Track retirement for pretrained models avoids performance issues when vendor support ends.", + "waf": "Operations", + "guid": "d71bb244-4ec4-4f61-9ff1-cfdffc0c8036", + "id": "GenAILZ.39", + "service": "Azure AI Services", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/model-retirements" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Schedule regular retraining based on model performance or business needs to ensure the AI system stays relevant.", + "waf": "Operations", + "guid": "e0572cb0-cd12-450c-950c-b007c0fc2afb", + "id": "GenAILZ.40", + "service": "Azure AI Foundry", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-foundry/model-inference/concepts/model-versions" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Establish model promotion process to promote trained, fine-tuned, and retrained models to higher environments based on performance criteria.", + "waf": "Operations", + "guid": "b73836e9-356c-4aaf-8a2d-af4cd51dfcc1", + "id": "GenAILZ.41", + "service": "Azure AI Foundry", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/fine-tuning-deploy?tabs=portal" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Standardize compute management for Azure AI Foundry.", + "waf": "Operations", + "guid": "79eca34e-0aeb-4160-9fe8-0ff5c647e1c7", + "id": "GenAILZ.42", + "service": "Azure AI Foundry", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/how-to/create-manage-compute" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Standardize compute management for Azure Machine Learning.", + "waf": "Operations", + "guid": "a35efa79-4227-4c84-a038-e19d8b8c365f", + "id": "GenAILZ.43", + "service": "Azure Machine Learning", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/machine-learning/how-to-create-attach-compute-studio" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Use resource locks to prevent accidental deletion of critical shared services.", + "waf": "Operations", + "guid": "200a5d55-e0be-450c-83c1-4af6c44fd4bd", + "id": "GenAILZ.44", + "service": "Azure Resource Manager", + "severity": "high", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Enforce recommended guardrails for Azure Open AI.", + "waf": "Security", + "guid": "c4a479ba-3007-4ef8-b845-c15febd3c3e3", + "id": "GenAILZ.45", + "service": "Azure Open AI", + "severity": "medium", + "link": "https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-OpenAI.html" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Enforce recommended guardrails for Machine Learning.", + "waf": "Security", + "guid": "2355aba7-e21a-4bb0-b89a-99597783f4b2", + "id": "GenAILZ.46", + "service": "Azure Machine Learning", + "severity": "medium", + "link": "https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MachineLearning.html" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Enforce recommended guardrails for Azure AI Services.", + "waf": "Security", + "guid": "12ff613a-8408-4ac5-915f-5f46cf7fd970", + "id": "GenAILZ.47", + "service": "Azure AI Services", + "severity": "medium", + "link": "https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-CognitiveServices.html" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Enforce recommended guardrails for API Management", + "waf": "Security", + "guid": "65a0e89a-d016-4eda-b366-af816f1344d6", + "id": "GenAILZ.48", + "service": "Azure API Management", + "severity": "medium", + "link": "https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-APIM.html" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Ensure high-quality data in the correct format, and likely chunked, enriched, and embedded for AI model consumption.", + "waf": "Operations", + "guid": "86617182-f039-4f35-ad77-25419a3c98df", + "id": "GenAILZ.49", + "service": "Azure AI Search", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/architecture/ai-ml/guide/rag/rag-solution-design-and-evaluation-guide" + }, + { + "category": "Operations", + "subcategory": "Operations", + "text": "Manage model versioning and detect drift and set alerts when model predictions or LLM responses start to deviate from expected behavior.", + "waf": "Operations", + "guid": "2181bc5a-da1e-4b2e-b83b-4398398f34c2", + "id": "GenAILZ.50", + "service": "Azure AI Foundry", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/concepts/evaluation-approach-gen-ai" + }, + { + "category": "BC and DR", + "subcategory": "Data Protection", + "text": "Implement multi-region deployments to ensure high availability and resiliency for Azure AI Foundry.", + "waf": "Reliability", + "guid": "79157dd1-32b2-4b9f-9cf6-bf2704733a00", + "id": "GenAILZ.51", + "service": "Azure AI Foundry", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/how-to/disaster-recovery" + }, + { + "category": "BC and DR", + "subcategory": "Data Protection", + "text": "Implement multi-region deployments to ensure high availability and resiliency for Azure Machine Learning.", + "waf": "Reliability", + "guid": "96326612-1e4f-44f6-9d49-2c68234eb64d", + "id": "GenAILZ.52", + "service": "Azure Machine Learning", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/machine-learning/how-to-high-availability-machine-learning" + }, + { + "category": "BC and DR", + "subcategory": "Data Protection", + "text": "Implement multi-region deployments to ensure high availability and resiliency for Azure Open AI.", + "waf": "Reliability", + "guid": "0a597728-1c21-4e11-9294-10c134ddd388", + "id": "GenAILZ.53", + "service": "Azure Open AI", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/business-continuity-disaster-recovery" + }, + { + "category": "Governance and Security", + "subcategory": "Operations", + "text": "Use tools like Defender for Cloud to discover Gen AI workloads and explore AI artifacts risks such as vulnerable images & code repositories.", + "waf": "Security", + "guid": "2db05c38-8c93-481e-84b0-8aa28b3bf7b2", + "id": "GenAILZ.54", + "service": "Microsoft Defender for Cloud", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/identify-ai-workload-model" + }, + { + "category": "Governance and Security", + "subcategory": "Operations", + "text": "Use Azure AI Content Safety to define a baseline content filter for your approved AI models.", + "waf": "Security", + "guid": "570e9d31-44ea-409e-a5a9-83bee922204d", + "id": "GenAILZ.55", + "service": "Azure AI Content Safety", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/content-safety/overview" + }, + { + "category": "Governance and Security", + "subcategory": "Operations", + "text": "Test the effectiveness of grounding by using tools like prompt flow.", + "waf": "Performance", + "guid": "6f50ef6a-2bb1-4aec-a633-96ad271cb42f", + "id": "GenAILZ.56", + "service": "Azure AI Foundry", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/ai-studio/how-to/prompt-flow" + }, + { + "category": "Governance and Security", + "subcategory": "Operations", + "text": "Enable recommended alert rules to receive notifications of deviations that indicate a decline in workload health.", + "waf": "Operations", + "guid": "ecfc0860-f3a8-4bef-98f2-8660c4eaca34", + "id": "GenAILZ.57", + "service": "Azure AI Search", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/search/monitor-azure-cognitive-search" + }, + { + "category": "Governance and Security", + "subcategory": "Operations", + "text": "Use Azure Policy to control which services can be provisioned at the subscription/management group level.", + "waf": "Operations", + "guid": "5cf51132-180a-488b-b6c6-4f905b2dc1b1", + "id": "GenAILZ.58", + "service": "Microsoft cloud security benchmark", + "severity": "medium", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management" + }, + { + "category": "Governance and Security", + "subcategory": "Security", + "text": "Limit client access to your AI service by enforcing security protocols like network controls, keys, and role-based access control (RBAC).", + "waf": "Security", + "guid": "3e73d1c2-cc01-4953-95c5-2ec43cd9beed", + "id": "GenAILZ.59", + "service": "Azure AI Services", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/policy-reference" + }, + { + "category": "Cost Governance", + "subcategory": "Cost Management", + "text": "Verify PTU cost savings vs pay as you pricing for Azure OpenAI and OpenAI models.", + "waf": "Cost", + "guid": "4bfd472f-6860-4b27-a90c-a34b36b296cb", + "id": "GenAILZ.60", + "service": "Azure OpenAI", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/provisioned-throughput" + }, + { + "category": "Cost Governance", + "subcategory": "Cost Management", + "text": "Ensure the right and cost effective model is in use, unless the use case demands a more expensive model.", + "waf": "Cost", + "guid": "d59e6d68-eaa3-4eec-b2c9-f7bf55bea7f6", + "id": "GenAILZ.61", + "service": "Azure OpenAI", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?branch=main&tabs=python-secure" + }, + { + "category": "Cost Governance", + "subcategory": "Cost Management", + "text": "Allocate provisioning quotas for each model based on expected workloads to prevent unnecessary costs.", + "waf": "Cost", + "guid": "ec8f4d8c-98b0-4507-9213-3cafc4c2217e", + "id": "GenAILZ.62", + "service": "Azure OpenAI", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/quota?tabs=rest&branch=main" + }, + { + "category": "Cost Governance", + "subcategory": "Cost Management", + "text": "Use the right deployment type, global deployment offers lower cost-per-token pricing on certain GPT models.", + "waf": "Cost", + "guid": "3847ab4c-ce03-478f-bd89-caf0ec11b781", + "id": "GenAILZ.63", + "service": "Azure OpenAI", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/deployment-types" + }, + { + "category": "Cost Governance", + "subcategory": "Cost Management", + "text": "Choose the right hosting infrastructure, depending on your solution's needs e.g. managed endpoints, AKS or Azure App Service.", + "waf": "Cost", + "guid": "dfe64294-9fc5-4b98-a3dc-7cc7b07621c0", + "id": "GenAILZ.64", + "service": "NA", + "severity": "medium", + "link": "" + }, + { + "category": "Cost Governance", + "subcategory": "Cost Management", + "text": "Define and enforce a policy to automatically shutdown Azure AI Foundry and Azure Machine Learning compute instances.", + "waf": "Cost", + "guid": "187edf80-5592-41ca-b65c-c804e56f7394", + "id": "GenAILZ.65", + "service": "Azure AI Foundry", + "severity": "low", + "link": "https://github.com/Azure/Community-Policy/tree/main/policyDefinitions/Compute/deploy-vm-auto-shutdown" + }, + { + "category": "Cost Governance", + "subcategory": "Cost Management", + "text": "Configure 'Actual' and 'Forecasted' Budget Alerts.", + "waf": "Cost", + "guid": "15912c2a-babb-4b9f-9dc3-73c1489472dd", + "id": "GenAILZ.66", + "service": "Azure Cost Management", + "severity": "medium", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json" + }, + { + "category": "Governance and Security", + "subcategory": "Compliance", + "text": "Use Microsoft Purview Compliance Manager to assess and manage compliance across cloud environments.", + "waf": "Security", + "guid": "f28b4c3f-efd7-423c-9d5f-6aa8234690eb", + "id": "GenAILZ.67", + "service": "Microsoft Purview", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-overview" + }, + { + "category": "Governance and Security", + "subcategory": "Compliance", + "text": "Use standards, such as ISO/IEC 23053:2022 to audit policies that are applied to your AI workloads.", + "waf": "Security", + "guid": "87288dca-d802-49fb-9c92-d027a9ffe90f", + "id": "GenAILZ.68", + "service": "NA", + "severity": "high", + "link": "" + }, + { + "category": "Governance and Security", + "subcategory": "Data Classification", + "text": "Use a tool like Microsoft Purview to implement a unified data catalog and classification system across your organization.", + "waf": "Security", + "guid": "6dc4dce7-5233-480f-8b24-1fa035682c97", + "id": "GenAILZ.69", + "service": "Microsoft Purview", + "severity": "medium", + "link": "https://learn.microsoft.com/en-us/purview/unified-catalog?branch=main" + }, + { + "category": "Governance and Security", + "subcategory": "Data Classification", + "text": "Ensure that any data ingested into AI models is classified and vetted according to centralized standards.", + "waf": "Security", + "guid": "0ab50b4d-a903-4dc0-9437-3c075877fad8", + "id": "GenAILZ.70", + "service": "NA", + "severity": "medium", + "link": "" + }, + { + "category": "Governance and Security", + "subcategory": "Data Classification", + "text": "Use a content filtering system like Protected material detection in Azure AI Content Safety to filter out copyrighted material.", + "waf": "Security", + "guid": "001bbabe-364c-4b0f-a667-760f47791726", + "id": "GenAILZ.71", + "service": "Azure AI Content Safety", + "severity": "high", + "link": "https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/protected-material?branch=main&tabs=text" + }, + { + "category": "Application Deployment", + "subcategory": "Data Classification", + "text": "Establish a version control process for grounding data, for example, in RAG.", + "waf": "Operations", + "guid": "20a734fb-ca83-4ce0-b3a7-935a00b2e9b9", + "id": "GenAILZ.72", + "service": "Azure DevOps", + "severity": "low", + "link": "" + }, + { + "category": "Application Deployment", + "subcategory": "DevOps", + "text": "Use a CI/CD pipeline to deploy IaC artifacts and ensure the quality of your deployment and Azure environments.", + "waf": "Operations", + "guid": "9af60e0a-1111-4885-82e2-f9575581673f", + "id": "GenAILZ.73", + "service": "Azure DevOps", + "severity": "medium", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code" + }, + { + "category": "Application Deployment", + "subcategory": "DevOps", + "text": "Include unit tests for IaC and application code as part of your build process.", + "waf": "Operations", + "guid": "004a958f-9f9b-4e05-bcb3-d58369936a80", + "id": "GenAILZ.74", + "service": "NA", + "severity": "low", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle" + }, + { + "category": "Application Deployment", + "subcategory": "DevOps", + "text": "Leverage Declarative Infrastructure as Code Tools such as Azure Bicep, ARM Templates or Terraform to maintain your Azure AI Landing Zone.", + "waf": "Operations", + "guid": "244b82ee-0144-429a-bb80-412941090968", + "id": "GenAILZ.75", + "service": "NA", + "severity": "low", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/infrastructure-as-code" + } + ], + "categories": [ + { + "name": "Identity and Access Management" + }, + { + "name": "Network Topology and Connectivity" + }, + { + "name": "BC and DR" + }, + { + "name": "Governance and Security" + }, + { + "name": "Cost Governance" + }, + { + "name": "Operations" + }, + { + "name": "Application Deployment" + } + ], + "waf": [ + { + "name": "Reliability" + }, + { + "name": "Security" + }, + { + "name": "Cost" + }, + { + "name": "Operations" + }, + { + "name": "Performance" + } + ], + "status": [ + { + "name": "Not verified", + "description": "This check has not been looked at yet" + }, + { + "name": "Open", + "description": "There is an action item associated to this check" + }, + { + "name": "Fulfilled", + "description": "This check has been verified, and there are no further action items associated to it" + }, + { + "name": "Not required", + "description": "Recommendation understood, but not needed by current requirements" + }, + { + "name": "N/A", + "description": "Not applicable for current design" + } + ], + "severities": [ + { + "name": "High" + }, + { + "name": "Medium" + }, + { + "name": "Low" + } + ], + "yesno": [ + { + "name": "Yes" + }, + { + "name": "No" + } + ], + "metadata": { + "name": "Azure AKS Review", + "state": "GA", + "waf": "all", + "timestamp": "February 20, 2024" + } +}