This repository publishes the public SAFE-K8S security control catalog for Kubernetes and AI systems. It includes the public control set, knowledge area structure, and framework crosswalks under SAFE-K8S-* identifiers.
- Publish a public SAFE-K8S control catalog for external use
- Preserve traceability between controls and mapped frameworks
- Support review, reuse, and downstream publication without internal-only fields
- YAML source files for domains, knowledge areas, controls, and crosswalks
- Generated markdown pages for controls and reverse mappings by framework
- Domains: 10
- Knowledge areas: 55
- Controls: 593
- Crosswalk rows: 4723
safe_k8s_domains.yamlsafe_k8s_knowledge_areas.yamlsafe_k8s_controls.yamlsafe_k8s_crosswalks.yaml
markdown/controls/contains one markdown page per control with related mappingsmarkdown/frameworks/contains reverse-mapping pages by framework and requirement
- EU AI Act 2024/1689
- NIST SP 800-53 Revision 5 5.2.0
- NIST AI Risk Management Framework 1.0
- NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1 1.1
- Crosswalk pages keep
framework_mapping_notesbecause they carry useful interpretive context. strength_reason_noteis intentionally not published in this export.
- 1.1 - Kubernetes API Server Security
- 1.2 - etcd and Cluster State Protection
- 1.3 - Controller-Manager, Scheduler, and Cloud Controller Security
- 1.4 - CIS Benchmarks and Patch Management
- 2.1 - Kubelet and Node Configuration Hardening
- 2.2 - Container Runtime Security
- 2.3 - Host OS and Kernel Hardening
- 2.4 - Runtime Threat Detection
- 2.5 - kube-proxy and Node Networking Security
- 3.1 - Pod Security Standards and Admission
- 3.2 - Security Contexts and Capabilities
- 3.3 - Mandatory Access Controls
- 3.4 - Secure Defaults and Resource Constraints
- 4.1 - Role-Based Access Control (RBAC)
- 4.2 - Service Accounts and Workload Identity
- 4.3 - Secrets Management
- 4.4 - Certificate Management
- 4.5 - Identity Abuse Detection and Mitigation
- 5.1 - Network Policies
- 5.2 - CNI Plugins and Pod Networking Security
- 5.3 - Ingress, Egress, and DNS Hardening
- 5.4 - Zero Trust Architecture and Service Mesh
- 5.5 - API Server and Service Exposure Protection
- 6.1 - Container Image and Registry Security
- 6.2 - Image Signing and Admission Enforcement
- 6.3 - Attestation, Provenance, and Cryptographic Assurance
- 6.4 - SBOMs and Vulnerability Intelligence
- 6.5 - Admission Control
- 6.6 - CI/CD and GitOps Pipeline Security
- 7.1 - Persistent Storage Security
- 7.2 - Namespace Isolation and Multi-Tenancy
- 7.3 - Resource Governance and Priority
- 7.4 - Cloud Provider Security Integration
- 8.1 - GPU Device Plugins and Resource Allocation
- 8.2 - GPU Driver, Library, and Toolkit Security
- 8.3 - High-Performance Interconnect Security
- 8.4 - Confidential Computing for AI Workloads
- 8.5 - GPU Workload Auditing and Monitoring
- 9.1 - Distributed Training Workload Security
- 9.2 - Inference Server and Model Serving Security
- 9.3 - Inference Resilience, Adversarial Defense, and Resource Controls
- 9.4 - AI Pipeline Orchestration and Experimentation Security
- 9.5 - AI Supply Chain and Model Lifecycle
- 9.6 - Training Data Integrity and Poisoning Defense
- 9.7 - Feature Store Security and Data Access Controls
- 9.8 - Model Abuse and Extraction Prevention
- 9.9 - RAG Infrastructure Security
- 9.10 - Multi-Cluster and Federated AI Security
- 10.1 - Logging and Audit
- 10.2 - Monitoring, Metrics, and Tracing
- 10.3 - Threat Modeling Methodologies
- 10.4 - AI and Supply Chain Threat Taxonomy
- 10.5 - Incident Response for Kubernetes
- 10.6 - Compliance and Governance
- 10.7 - Cluster Lifecycle and Asset Inventory
- Domain: D01 - Control Plane and Cluster Hardening
- Maturity: Foundational
- Controls: 14
This knowledge area focuses on: Encryption at rest for Secrets and sensitive API resources, Streaming connection idle timeout enforcement, API server request rate limiting and API Priority and Fairness, API server audit policy coverage and event detail, and API server TLS enforcement. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0101-003 | Encryption at rest for Secrets and sensitive API resources | Foundational | baseline |
| SAFE-K8S-0101-005 | Streaming connection idle timeout enforcement | Foundational | baseline |
| SAFE-K8S-0101-007 | API server request rate limiting and API Priority and Fairness | Practitioner | ai-specific |
| SAFE-K8S-0101-008 | API server audit policy coverage and event detail | Foundational | baseline |
| SAFE-K8S-0101-012 | API server TLS enforcement | Foundational | baseline |
| SAFE-K8S-0101-013 | API server certificate rotation and validation | Foundational | baseline |
| SAFE-K8S-0101-014 | API server authorization mode baseline enforcement | Foundational | baseline |
| SAFE-K8S-0101-015 | API server webhook authorizer endpoint trust controls | Foundational | baseline |
| SAFE-K8S-0101-016 | API server audit log backend delivery and durable storage | Foundational | baseline |
| SAFE-K8S-0101-017 | API server audit log retention enforcement | Foundational | baseline |
| SAFE-K8S-0101-018 | API server anonymous authentication disablement | Foundational | baseline |
| SAFE-K8S-0101-019 | API server AlwaysAllow prohibition | Foundational | baseline |
| SAFE-K8S-0101-020 | API server profiling and debug exposure disablement | Foundational | baseline |
| SAFE-K8S-0101-021 | API server approved admission controller chain configuration | Foundational | baseline |
- Domain: D01 - Control Plane and Cluster Hardening
- Maturity: Foundational
- Controls: 16
This knowledge area focuses on: etcd storage-layer disk encryption with externally managed keys, etcd encryption key rotation scheduling and verification, etcd backup storage encryption, etcd backup integrity verification and restore assurance, and etcd health monitoring and alerting. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0102-001 | etcd storage-layer disk encryption with externally managed keys | Foundational | baseline |
| SAFE-K8S-0102-006 | etcd encryption key rotation scheduling and verification | Foundational | baseline |
| SAFE-K8S-0102-007 | etcd backup storage encryption | Foundational | baseline |
| SAFE-K8S-0102-008 | etcd backup integrity verification and restore assurance | Foundational | baseline |
| SAFE-K8S-0102-012 | etcd health monitoring and alerting | Foundational | baseline |
| SAFE-K8S-0102-013 | etcd compaction and periodic defragmentation | Foundational | baseline |
| SAFE-K8S-0102-014 | etcd certificate rotation coverage and execution | Practitioner | baseline |
| SAFE-K8S-0102-015 | etcd certificate rotation testing and recovery validation | Practitioner | baseline |
| SAFE-K8S-0102-018 | etcd client and peer certificate authentication | Foundational | baseline |
| SAFE-K8S-0102-019 | etcd endpoint network isolation from worker and workload traffic | Foundational | baseline |
| SAFE-K8S-0102-020 | etcd certificate maximum validity period enforcement | Practitioner | baseline |
| SAFE-K8S-0102-021 | etcd certificate expiration monitoring and lead-time alerting | Practitioner | baseline |
| SAFE-K8S-0102-022 | etcd backup repository least-privilege access restriction | Foundational | baseline |
| SAFE-K8S-0102-023 | etcd backup break-glass authorization governance | Foundational | baseline |
| SAFE-K8S-0102-024 | etcd backup repository access audit logging | Foundational | baseline |
| SAFE-K8S-0102-025 | etcd backup repository access review and alerting | Foundational | baseline |
- Domain: D01 - Control Plane and Cluster Hardening
- Maturity: Practitioner
- Controls: 13
This knowledge area focuses on: Controller-manager service account token hardening, Pod garbage collection threshold configuration, Profiling endpoint disablement for controller-manager and scheduler, Cloud controller-manager deployment isolation, and Leader election configuration and lease object RBAC. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0103-001 | Controller-manager service account token hardening | Foundational | baseline |
| SAFE-K8S-0103-005 | Pod garbage collection threshold configuration | Foundational | ai-specific |
| SAFE-K8S-0103-006 | Profiling endpoint disablement for controller-manager and scheduler | Foundational | baseline |
| SAFE-K8S-0103-008 | Cloud controller-manager deployment isolation | Practitioner | baseline |
| SAFE-K8S-0103-010 | Leader election configuration and lease object RBAC | Practitioner | baseline |
| SAFE-K8S-0103-012 | Cloud controller-manager cloud IAM least-privilege scoping | Practitioner | baseline |
| SAFE-K8S-0103-013 | Cloud controller-manager workload identity and credential rotation | Practitioner | baseline |
| SAFE-K8S-0103-014 | Scheduler API and decision endpoint access restriction | Practitioner | baseline |
| SAFE-K8S-0103-015 | Scheduler extender authentication and custom scheduler approval | Practitioner | baseline |
| SAFE-K8S-0103-016 | Controller-manager and scheduler loopback bind-address enforcement | Foundational | baseline |
| SAFE-K8S-0103-017 | Controller-manager and scheduler insecure-port disablement and non-public health-metrics exposure | Foundational | baseline |
| SAFE-K8S-0103-018 | Control-plane replica distribution and etcd quorum topology | Practitioner | baseline |
| SAFE-K8S-0103-019 | API server load-balancer health-check failover | Practitioner | baseline |
- Domain: D01 - Control Plane and Cluster Hardening
- Maturity: Foundational
- Controls: 14
This knowledge area focuses on: Control plane configuration file permissions, Emergency Kubernetes patch deployment procedures, Feature gate lifecycle transition tracking across Kubernetes upgrades, Kubernetes upgrade strategy, validation, and rollback planning, and Recurring CIS Kubernetes Benchmark scan execution. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0104-005 | Control plane configuration file permissions | Foundational | baseline |
| SAFE-K8S-0104-007 | Emergency Kubernetes patch deployment procedures | Foundational | baseline |
| SAFE-K8S-0104-009 | Feature gate lifecycle transition tracking across Kubernetes upgrades | Practitioner | baseline |
| SAFE-K8S-0104-013 | Kubernetes upgrade strategy, validation, and rollback planning | Foundational | baseline |
| SAFE-K8S-0104-014 | Recurring CIS Kubernetes Benchmark scan execution | Foundational | baseline |
| SAFE-K8S-0104-015 | CIS Benchmark result retention and posture trend reporting | Foundational | baseline |
| SAFE-K8S-0104-016 | CIS Benchmark remediation workflow tracking | Foundational | baseline |
| SAFE-K8S-0104-017 | CIS Benchmark exception approval and re-review governance | Foundational | baseline |
| SAFE-K8S-0104-018 | Kubernetes security advisory and provider bulletin monitoring | Foundational | baseline |
| SAFE-K8S-0104-019 | Kubernetes CVE risk prioritization framework | Foundational | baseline |
| SAFE-K8S-0104-020 | Kubernetes supported version window compliance | Foundational | baseline |
| SAFE-K8S-0104-021 | Kubernetes component version skew compliance | Foundational | baseline |
| SAFE-K8S-0104-022 | Non-default feature gate inventory for production clusters | Practitioner | baseline |
| SAFE-K8S-0104-023 | Stage-based approval and risk assessment for production feature gates | Practitioner | baseline |
- Domain: D02 - Node, Runtime, and OS Security
- Maturity: Foundational
- Controls: 11
This knowledge area focuses on: Kubelet hostname override governance, Node system and kube reserved resource allocations, Node eviction threshold tuning for workload pressure, Kubelet configuration and credential file ownership and permissions, and Kubelet systemd unit hardening. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0201-005 | Kubelet hostname override governance | Foundational | baseline |
| SAFE-K8S-0201-006 | Node system and kube reserved resource allocations | Foundational | baseline |
| SAFE-K8S-0201-007 | Node eviction threshold tuning for workload pressure | Foundational | baseline |
| SAFE-K8S-0201-008 | Kubelet configuration and credential file ownership and permissions | Foundational | baseline |
| SAFE-K8S-0201-009 | Kubelet systemd unit hardening | Foundational | baseline |
| SAFE-K8S-0201-011 | Kubelet webhook authentication and authorization enforcement | Foundational | baseline |
| SAFE-K8S-0201-012 | Kubelet anonymous access and read-only port lockdown | Foundational | baseline |
| SAFE-K8S-0201-013 | Kubelet client certificate rotation via TLS bootstrap | Foundational | baseline |
| SAFE-K8S-0201-014 | Kubelet serving certificate trust and expiry enforcement | Foundational | baseline |
| SAFE-K8S-0201-015 | Node-level kubelet audit rule coverage | Foundational | baseline |
| SAFE-K8S-0201-016 | Node audit log forwarding and centralized reviewability | Foundational | baseline |
- Domain: D02 - Node, Runtime, and OS Security
- Maturity: Foundational
- Controls: 8
This knowledge area focuses on: RuntimeClass configuration for workload-appropriate isolation, Container runtime patching and version management, Runtime socket mount prevention, Container runtime user namespace isolation, and Container runtime socket root-only protection. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0202-002 | RuntimeClass configuration for workload-appropriate isolation | Foundational | ai-specific |
| SAFE-K8S-0202-003 | Container runtime patching and version management | Foundational | baseline |
| SAFE-K8S-0202-004 | Runtime socket mount prevention | Foundational | baseline |
| SAFE-K8S-0202-007 | Container runtime user namespace isolation | Foundational | baseline |
| SAFE-K8S-0202-008 | Container runtime socket root-only protection | Foundational | baseline |
| SAFE-K8S-0202-009 | Container runtime secure baseline settings and debug endpoint disablement | Foundational | baseline |
| SAFE-K8S-0202-010 | Node default seccomp profile enforcement | Foundational | baseline |
| SAFE-K8S-0202-011 | Node mandatory access control activation for container workloads | Foundational | baseline |
- Domain: D02 - Node, Runtime, and OS Security
- Maturity: Foundational
- Controls: 10
This knowledge area focuses on: Kernel parameter hardening via sysctl, Secure boot and verified boot chain enforcement, Pod metadata endpoint network path blocking, Workload identity replacement for cloud API access, and Minimal purpose-built node OS baseline. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0203-002 | Kernel parameter hardening via sysctl | Foundational | baseline |
| SAFE-K8S-0203-004 | Secure boot and verified boot chain enforcement | Foundational | baseline |
| SAFE-K8S-0203-008 | Pod metadata endpoint network path blocking | Foundational | baseline |
| SAFE-K8S-0203-009 | Workload identity replacement for cloud API access | Foundational | baseline |
| SAFE-K8S-0203-010 | Minimal purpose-built node OS baseline | Foundational | baseline |
| SAFE-K8S-0203-011 | Immutable node root filesystem enforcement | Foundational | baseline |
| SAFE-K8S-0203-012 | Kernel module restriction and approved module whitelisting | Foundational | baseline |
| SAFE-K8S-0203-013 | Kernel lockdown mode enforcement for runtime integrity | Foundational | baseline |
| SAFE-K8S-0203-014 | Authenticated cloud metadata service mode enforcement | Foundational | baseline |
| SAFE-K8S-0203-015 | Cloud metadata endpoint restriction settings | Foundational | baseline |
- Domain: D02 - Node, Runtime, and OS Security
- Maturity: Practitioner
- Controls: 4
This knowledge area focuses on: Runtime security tool deployment for syscall and network monitoring, Kubernetes-specific runtime detection rules, Container filesystem drift detection, and Forensic capture capabilities for container incident investigation.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0204-001 | Runtime security tool deployment for syscall and network monitoring | Practitioner | baseline |
| SAFE-K8S-0204-002 | Kubernetes-specific runtime detection rules | Practitioner | baseline |
| SAFE-K8S-0204-003 | Container filesystem drift detection | Practitioner | baseline |
| SAFE-K8S-0204-004 | Forensic capture capabilities for container incident investigation | Practitioner | baseline |
- Domain: D02 - Node, Runtime, and OS Security
- Maturity: Practitioner
- Controls: 8
This knowledge area focuses on: NodePort and HostPort restriction policies, eBPF-based kernel-level network policy enforcement, eBPF program integrity verification and loading monitoring, Node firewall compatibility validation with CNI and network policy, and kube-proxy or service proxy mode selection governance. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0205-002 | NodePort and HostPort restriction policies | Practitioner | baseline |
| SAFE-K8S-0205-004 | eBPF-based kernel-level network policy enforcement | Practitioner | baseline |
| SAFE-K8S-0205-005 | eBPF program integrity verification and loading monitoring | Practitioner | baseline |
| SAFE-K8S-0205-007 | Node firewall compatibility validation with CNI and network policy | Practitioner | baseline |
| SAFE-K8S-0205-008 | kube-proxy or service proxy mode selection governance | Practitioner | baseline |
| SAFE-K8S-0205-009 | Service proxy path hardening for kube-proxy or replacements | Practitioner | baseline |
| SAFE-K8S-0205-010 | Node-level firewall rule restriction for cluster communication | Practitioner | baseline |
| SAFE-K8S-0205-011 | Node firewall audit and change governance | Practitioner | baseline |
- Domain: D03 - Workload and Pod Security
- Maturity: Foundational
- Controls: 5
This knowledge area focuses on: Pod Security Standards level assignment, Pod Security Admission configuration and version pinning, PodSecurityPolicy to PSA migration, PSA exemption register and justification tracking, and Scoped PSA exception enforcement and compensating controls.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0301-001 | Pod Security Standards level assignment | Foundational | baseline |
| SAFE-K8S-0301-002 | Pod Security Admission configuration and version pinning | Foundational | baseline |
| SAFE-K8S-0301-003 | PodSecurityPolicy to PSA migration | Foundational | baseline |
| SAFE-K8S-0301-005 | PSA exemption register and justification tracking | Foundational | ai-specific |
| SAFE-K8S-0301-006 | Scoped PSA exception enforcement and compensating controls | Foundational | ai-specific |
- Domain: D03 - Workload and Pod Security
- Maturity: Foundational
- Controls: 6
This knowledge area focuses on: Pod and container security context enforcement, Linux capability drop-all and least-privilege add-back, Host namespace isolation enforcement, AI workload security context hardening profiles, and No-new-privileges execution enforcement. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0302-001 | Pod and container security context enforcement | Foundational | baseline |
| SAFE-K8S-0302-002 | Linux capability drop-all and least-privilege add-back | Foundational | ai-specific |
| SAFE-K8S-0302-004 | Host namespace isolation enforcement | Foundational | baseline |
| SAFE-K8S-0302-005 | AI workload security context hardening profiles | Foundational | ai-specific |
| SAFE-K8S-0302-006 | No-new-privileges execution enforcement | Foundational | baseline |
| SAFE-K8S-0302-007 | Safe fsGroup and supplementalGroups volume ownership | Foundational | baseline |
- Domain: D03 - Workload and Pod Security
- Maturity: Practitioner
- Controls: 7
This knowledge area focuses on: Seccomp profile enforcement, SELinux context assignment and multi-tenancy isolation, MAC profile generation from runtime behavior, MAC profile pre-enforcement audit-mode validation, and MAC profile iterative refinement cycle. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0303-001 | Seccomp profile enforcement | Practitioner | baseline |
| SAFE-K8S-0303-003 | SELinux context assignment and multi-tenancy isolation | Practitioner | baseline |
| SAFE-K8S-0303-004 | MAC profile generation from runtime behavior | Practitioner | baseline |
| SAFE-K8S-0303-005 | MAC profile pre-enforcement audit-mode validation | Practitioner | baseline |
| SAFE-K8S-0303-006 | MAC profile iterative refinement cycle | Practitioner | baseline |
| SAFE-K8S-0303-007 | AppArmor profile distribution and node readiness | Practitioner | baseline |
| SAFE-K8S-0303-008 | AppArmor workload profile assignment and unconfined-mode restriction | Practitioner | baseline |
- Domain: D03 - Workload and Pod Security
- Maturity: Foundational
- Controls: 10
This knowledge area focuses on: Cloud Native 8 secure defaults enforcement, QoS class assignment for workload stability, Ephemeral container security context enforcement, Host volume mount restriction, and Service account token automount opt-out. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0304-001 | Cloud Native 8 secure defaults enforcement | Foundational | baseline |
| SAFE-K8S-0304-003 | QoS class assignment for workload stability | Foundational | baseline |
| SAFE-K8S-0304-004 | Ephemeral container security context enforcement | Foundational | baseline |
| SAFE-K8S-0304-006 | Host volume mount restriction | Foundational | baseline |
| SAFE-K8S-0304-007 | Service account token automount opt-out | Foundational | baseline |
| SAFE-K8S-0304-009 | Temporary checkpoint storage encryption, integrity, and access control | Foundational | ai-specific |
| SAFE-K8S-0304-010 | Pod resource requests and limits specification | Foundational | baseline |
| SAFE-K8S-0304-011 | Namespace LimitRange and ResourceQuota enforcement | Foundational | baseline |
| SAFE-K8S-0304-012 | Training scratch volume size limits and ephemeral-storage quotas | Foundational | baseline |
| SAFE-K8S-0304-013 | Tmpfs-backed handling for sensitive training intermediates | Foundational | baseline |
- Domain: D04 - Identity, Access, and Secrets Management
- Maturity: Foundational
- Controls: 6
This knowledge area focuses on: RBAC least-privilege design, RBAC permission audit and analysis, Aggregated ClusterRole governance, RBAC for AI operator custom resources, and Organizational role separation for ML, platform, and security functions. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0401-001 | RBAC least-privilege design | Foundational | baseline |
| SAFE-K8S-0401-002 | RBAC permission audit and analysis | Foundational | baseline |
| SAFE-K8S-0401-003 | Aggregated ClusterRole governance | Foundational | baseline |
| SAFE-K8S-0401-004 | RBAC for AI operator custom resources | Foundational | ai-specific |
| SAFE-K8S-0401-006 | Organizational role separation for ML, platform, and security functions | Foundational | ai-specific |
| SAFE-K8S-0401-007 | GPU resource governance permission boundaries | Foundational | ai-specific |
- Domain: D04 - Identity, Access, and Secrets Management
- Maturity: Practitioner
- Controls: 18
This knowledge area focuses on: Inactive service account and stale credential remediation, Service account identifier exposure prevention, Workload identity attribute integrity, Cloud workload identity federation for AI services, and OIDC authentication integration. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0402-002 | Inactive service account and stale credential remediation | Practitioner | baseline |
| SAFE-K8S-0402-003 | Service account identifier exposure prevention | Practitioner | baseline |
| SAFE-K8S-0402-004 | Workload identity attribute integrity | Practitioner | baseline |
| SAFE-K8S-0402-006 | Cloud workload identity federation for AI services | Practitioner | ai-specific |
| SAFE-K8S-0402-007 | OIDC authentication integration | Practitioner | baseline |
| SAFE-K8S-0402-008 | Distinct identity assignment for AI workload types | Practitioner | ai-specific |
| SAFE-K8S-0402-010 | Cross-cluster and cross-cloud cryptographic identity federation | Advanced | ai-specific |
| SAFE-K8S-0402-011 | Cross-environment static credential prohibition | Advanced | ai-specific |
| SAFE-K8S-0402-012 | Ephemeral training job credential expiration | Practitioner | ai-specific |
| SAFE-K8S-0402-013 | Ephemeral training job credential rotation | Practitioner | ai-specific |
| SAFE-K8S-0402-014 | Ephemeral training job credential revocation on completion | Practitioner | ai-specific |
| SAFE-K8S-0402-015 | Legacy service account token secret removal | Foundational | baseline |
| SAFE-K8S-0402-018 | Default service account disablement and token automount hardening | Foundational | baseline |
| SAFE-K8S-0402-019 | Dedicated workload service accounts and least-privilege assignment | Foundational | baseline |
| SAFE-K8S-0402-020 | Projected service account token issuance path enforcement | Foundational | baseline |
| SAFE-K8S-0402-021 | Workload token explicit audience binding | Foundational | baseline |
| SAFE-K8S-0402-022 | Projected service account token lifetime bounds enforcement | Foundational | baseline |
| SAFE-K8S-0402-023 | Long-lived workload token exception governance and retirement tracking | Foundational | baseline |
- Domain: D04 - Identity, Access, and Secrets Management
- Maturity: Foundational
- Controls: 20
This knowledge area focuses on: External secrets management integration, Approved secret injection pattern standards, Secret rotation and expiration enforcement, AI pipeline secret leakage prevention, and Per-workload credential scoping for AI jobs. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0403-002 | External secrets management integration | Foundational | baseline |
| SAFE-K8S-0403-003 | Approved secret injection pattern standards | Foundational | baseline |
| SAFE-K8S-0403-004 | Secret rotation and expiration enforcement | Foundational | baseline |
| SAFE-K8S-0403-005 | AI pipeline secret leakage prevention | Foundational | ai-specific |
| SAFE-K8S-0403-006 | Per-workload credential scoping for AI jobs | Practitioner | ai-specific |
| SAFE-K8S-0403-011 | Secrets KMS key rotation and re-encryption verification | Foundational | baseline |
| SAFE-K8S-0403-017 | AI platform key-domain hierarchy and envelope encryption architecture | Foundational | baseline |
| SAFE-K8S-0403-018 | AI platform cryptographic key access domain separation | Foundational | baseline |
| SAFE-K8S-0403-019 | Kubernetes Secrets external KMS provider integration | Foundational | baseline |
| SAFE-K8S-0403-020 | Kubernetes Secrets KMS key least-privilege access policy | Foundational | baseline |
| SAFE-K8S-0403-021 | Automated AI workload credential inventory | Practitioner | ai-specific |
| SAFE-K8S-0403-022 | Orphaned AI workload credential detection and remediation | Practitioner | ai-specific |
| SAFE-K8S-0403-023 | Credential scope drift monitoring for AI workloads | Practitioner | ai-specific |
| SAFE-K8S-0403-024 | Credential lifecycle metrics publication and governance | Practitioner | ai-specific |
| SAFE-K8S-0403-025 | Automated secret leak detection coverage across development and runtime surfaces | Practitioner | baseline |
| SAFE-K8S-0403-026 | Secret leak prevention gate and enforcement controls | Practitioner | baseline |
| SAFE-K8S-0403-027 | Secret leak incident triage and containment workflow | Practitioner | baseline |
| SAFE-K8S-0403-028 | Exposed credential revocation and replacement execution | Practitioner | baseline |
| SAFE-K8S-0403-029 | Environment variable secret injection prohibition enforcement | Foundational | baseline |
| SAFE-K8S-0403-030 | Environment variable secret injection exception governance | Foundational | baseline |
- Domain: D04 - Identity, Access, and Secrets Management
- Maturity: Practitioner
- Controls: 7
This knowledge area focuses on: cert-manager deployment and Issuer configuration, TLS provisioning for webhooks, API aggregation, and internal services, mTLS for service-to-service authentication, Automated certificate rotation before expiry, and Certificate expiry monitoring and alerting. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0404-001 | cert-manager deployment and Issuer configuration | Practitioner | baseline |
| SAFE-K8S-0404-002 | TLS provisioning for webhooks, API aggregation, and internal services | Practitioner | baseline |
| SAFE-K8S-0404-003 | mTLS for service-to-service authentication | Practitioner | baseline |
| SAFE-K8S-0404-007 | Automated certificate rotation before expiry | Practitioner | baseline |
| SAFE-K8S-0404-008 | Certificate expiry monitoring and alerting | Practitioner | baseline |
| SAFE-K8S-0404-009 | Compromised certificate revocation and re-issuance execution | Practitioner | baseline |
| SAFE-K8S-0404-010 | Post-compromise certificate recovery validation | Practitioner | baseline |
- Domain: D04 - Identity, Access, and Secrets Management
- Maturity: Practitioner
- Controls: 16
This knowledge area focuses on: Privilege escalation detection and monitoring, Kubeconfig security and hygiene, Security awareness for Kubernetes and GPU administrators, Attribute-based access control for AI artifacts, and Authentication endpoint availability and DoS protection. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0405-002 | Privilege escalation detection and monitoring | Practitioner | baseline |
| SAFE-K8S-0405-003 | Kubeconfig security and hygiene | Practitioner | baseline |
| SAFE-K8S-0405-004 | Security awareness for Kubernetes and GPU administrators | Practitioner | baseline |
| SAFE-K8S-0405-006 | Attribute-based access control for AI artifacts | Advanced | ai-specific |
| SAFE-K8S-0405-007 | Authentication endpoint availability and DoS protection | Practitioner | baseline |
| SAFE-K8S-0405-009 | API impersonation RBAC restriction | Practitioner | baseline |
| SAFE-K8S-0405-010 | API impersonation audit logging and alerting | Practitioner | baseline |
| SAFE-K8S-0405-012 | Privileged MFA enforcement for cluster administration | Practitioner | baseline |
| SAFE-K8S-0405-017 | Credential policy baseline requirements | Practitioner | baseline |
| SAFE-K8S-0405-018 | Secure credential storage and lifecycle governance | Practitioner | baseline |
| SAFE-K8S-0405-019 | Break-glass recovery procedure definition | Practitioner | baseline |
| SAFE-K8S-0405-020 | Break-glass recovery exercise validation | Practitioner | baseline |
| SAFE-K8S-0405-021 | Break-glass activation multi-party approval enforcement | Practitioner | baseline |
| SAFE-K8S-0405-022 | Tenant-scoped break-glass credential boundary enforcement | Practitioner | baseline |
| SAFE-K8S-0405-023 | Break-glass access audit logging coverage | Practitioner | baseline |
| SAFE-K8S-0405-024 | Break-glass credential automatic expiration and revocation enforcement | Practitioner | baseline |
- Domain: D05 - Network Security and Communication
- Maturity: Foundational
- Controls: 8
This knowledge area focuses on: Default deny ingress and egress network policies, Namespace network isolation patterns, Workload egress controls, CNI-specific network policy extensions, and Multi-cluster network segmentation for federated AI workloads. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0501-001 | Default deny ingress and egress network policies | Foundational | baseline |
| SAFE-K8S-0501-002 | Namespace network isolation patterns | Foundational | baseline |
| SAFE-K8S-0501-003 | Workload egress controls | Foundational | baseline |
| SAFE-K8S-0501-004 | CNI-specific network policy extensions | Practitioner | baseline |
| SAFE-K8S-0501-006 | Multi-cluster network segmentation for federated AI workloads | Practitioner | ai-specific |
| SAFE-K8S-0501-007 | East-west AI workload traffic monitoring | Practitioner | ai-specific |
| SAFE-K8S-0501-008 | AI workload type network microsegmentation | Foundational | ai-specific |
| SAFE-K8S-0501-009 | Model download path isolation from training data paths | Foundational | ai-specific |
- Domain: D05 - Network Security and Communication
- Maturity: Practitioner
- Controls: 8
This knowledge area focuses on: CNI plugin security selection criteria, Pod-to-pod traffic encryption, CNI plugin hardening and lifecycle management, AI workload data path encryption in transit, and Kubernetes pod IP anti-spoofing enforcement and validation. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0502-001 | CNI plugin security selection criteria | Practitioner | baseline |
| SAFE-K8S-0502-002 | Pod-to-pod traffic encryption | Practitioner | baseline |
| SAFE-K8S-0502-004 | CNI plugin hardening and lifecycle management | Practitioner | baseline |
| SAFE-K8S-0502-005 | AI workload data path encryption in transit | Practitioner | ai-specific |
| SAFE-K8S-0502-007 | Kubernetes pod IP anti-spoofing enforcement and validation | Practitioner | baseline |
| SAFE-K8S-0502-008 | Network policy design for AI-specific traffic patterns | Practitioner | ai-specific |
| SAFE-K8S-0502-009 | Kubernetes CNI IPAM capacity sizing | Practitioner | baseline |
| SAFE-K8S-0502-010 | Kubernetes CNI IP pool exhaustion monitoring and alerting | Practitioner | baseline |
- Domain: D05 - Network Security and Communication
- Maturity: Practitioner
- Controls: 11
This knowledge area focuses on: Internal load balancer annotation enforcement, DNS exfiltration detection, Cloud load balancer security group configuration, Ingress TLS termination and boundary configuration hardening, and CoreDNS and upstream resolver hardening. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0503-004 | Internal load balancer annotation enforcement | Practitioner | baseline |
| SAFE-K8S-0503-005 | DNS exfiltration detection | Practitioner | baseline |
| SAFE-K8S-0503-006 | Cloud load balancer security group configuration | Practitioner | baseline |
| SAFE-K8S-0503-007 | Ingress TLS termination and boundary configuration hardening | Practitioner | baseline |
| SAFE-K8S-0503-009 | CoreDNS and upstream resolver hardening | Practitioner | baseline |
| SAFE-K8S-0503-011 | External traffic policy mode selection and tradeoff governance | Practitioner | baseline |
| SAFE-K8S-0503-012 | Client source IP preservation for external services | Practitioner | baseline |
| SAFE-K8S-0503-013 | Ingress web application firewall integration and request filtering | Practitioner | baseline |
| SAFE-K8S-0503-014 | Ingress rate limiting and abuse throttling | Practitioner | baseline |
| SAFE-K8S-0503-015 | Approved DNS resolution path enforcement | Practitioner | baseline |
| SAFE-K8S-0503-016 | Namespace-scoped DNS service discovery restriction | Practitioner | baseline |
- Domain: D05 - Network Security and Communication
- Maturity: Practitioner
- Controls: 7
This knowledge area focuses on: Zero trust networking principles for Kubernetes, Service mesh mTLS and authorization policies, Service mesh tuning for AI workloads, SPIFFE/SPIRE workload identity issuance and lifecycle management, and SPIFFE trust domain scoping and cross-cluster federation governance. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0504-001 | Zero trust networking principles for Kubernetes | Practitioner | baseline |
| SAFE-K8S-0504-002 | Service mesh mTLS and authorization policies | Practitioner | baseline |
| SAFE-K8S-0504-005 | Service mesh tuning for AI workloads | Practitioner | ai-specific |
| SAFE-K8S-0504-006 | SPIFFE/SPIRE workload identity issuance and lifecycle management | Advanced | baseline |
| SAFE-K8S-0504-007 | SPIFFE trust domain scoping and cross-cluster federation governance | Advanced | baseline |
| SAFE-K8S-0504-008 | L7 service authorization policy enforcement | Practitioner | baseline |
| SAFE-K8S-0504-009 | API-aware request contract validation | Practitioner | baseline |
- Domain: D05 - Network Security and Communication
- Maturity: Practitioner
- Controls: 6
This knowledge area focuses on: LoadBalancer, NodePort, and ExternalIP restriction policies, Internal service endpoint protection, API server audit log analysis for network-based attack detection, Identity-based internal service access control, and API server private endpoint and authorized network enforcement. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0505-002 | LoadBalancer, NodePort, and ExternalIP restriction policies | Practitioner | baseline |
| SAFE-K8S-0505-003 | Internal service endpoint protection | Practitioner | baseline |
| SAFE-K8S-0505-004 | API server audit log analysis for network-based attack detection | Practitioner | baseline |
| SAFE-K8S-0505-005 | Identity-based internal service access control | Practitioner | baseline |
| SAFE-K8S-0505-006 | API server private endpoint and authorized network enforcement | Practitioner | baseline |
| SAFE-K8S-0505-007 | Administrative API server access path via bastion or VPN | Practitioner | baseline |
- Domain: D06 - Supply Chain, Images, and Admission Control
- Maturity: Practitioner
- Controls: 14
This knowledge area focuses on: AI GPU and ML framework base image validation, CI/CD build-time container image vulnerability scanning, Artifact retention period and lifecycle enforcement, Integrity metadata co-retention with software artifacts, and Container image runtime hardening with non-root and read-only filesystem. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0601-007 | AI GPU and ML framework base image validation | Practitioner | ai-specific |
| SAFE-K8S-0601-008 | CI/CD build-time container image vulnerability scanning | Practitioner | ai-specific |
| SAFE-K8S-0601-010 | Artifact retention period and lifecycle enforcement | Practitioner | baseline |
| SAFE-K8S-0601-011 | Integrity metadata co-retention with software artifacts | Practitioner | baseline |
| SAFE-K8S-0601-014 | Container image runtime hardening with non-root and read-only filesystem | Practitioner | ai-specific |
| SAFE-K8S-0601-015 | Inference image minimal composition with GPU runtime-only dependencies | Practitioner | ai-specific |
| SAFE-K8S-0601-016 | Approved minimal base image catalog enforcement | Practitioner | ai-specific |
| SAFE-K8S-0601-017 | Multi-stage build and stripped runtime image minimization | Practitioner | ai-specific |
| SAFE-K8S-0601-018 | Registry push-time container image vulnerability rescanning | Practitioner | ai-specific |
| SAFE-K8S-0601-019 | Runtime container vulnerability exposure monitoring and exception governance | Practitioner | ai-specific |
| SAFE-K8S-0601-020 | Container registry authentication and role-based authorization | Practitioner | baseline |
| SAFE-K8S-0601-021 | Container registry trusted-source network restriction | Practitioner | baseline |
| SAFE-K8S-0601-022 | Kubernetes image pull secret distribution and external secret integration | Practitioner | baseline |
| SAFE-K8S-0601-023 | Image pull credential automatic rotation and expiry reduction | Practitioner | baseline |
- Domain: D06 - Supply Chain, Images, and Admission Control
- Maturity: Advanced
- Controls: 5
This knowledge area focuses on: Sigstore/cosign keyless signing and Rekor transparency logging, Notary v2 trust policy and signing identity governance, Notary v2 OCI signature artifact registry integration, Fail-closed admission enforcement of image signature verification, and Admission signature bypass and emergency break-glass governance.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0602-001 | Sigstore/cosign keyless signing and Rekor transparency logging | Practitioner | baseline |
| SAFE-K8S-0602-004 | Notary v2 trust policy and signing identity governance | Practitioner | baseline |
| SAFE-K8S-0602-005 | Notary v2 OCI signature artifact registry integration | Practitioner | baseline |
| SAFE-K8S-0602-006 | Fail-closed admission enforcement of image signature verification | Practitioner | baseline |
| SAFE-K8S-0602-007 | Admission signature bypass and emergency break-glass governance | Practitioner | baseline |
- Domain: D06 - Supply Chain, Images, and Admission Control
- Maturity: Advanced
- Controls: 10
This knowledge area focuses on: Cryptographic agility and post-quantum readiness, FIPS 140 cryptographic module validation, TUF-based secure software update systems, Build environment and process attestations per NIST SP 800-204D, and Build materials and artifact attestations per NIST SP 800-204D. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0603-004 | Cryptographic agility and post-quantum readiness | Advanced | ai-specific |
| SAFE-K8S-0603-005 | FIPS 140 cryptographic module validation | Practitioner | baseline |
| SAFE-K8S-0603-006 | TUF-based secure software update systems | Advanced | baseline |
| SAFE-K8S-0603-007 | Build environment and process attestations per NIST SP 800-204D | Advanced | baseline |
| SAFE-K8S-0603-008 | Build materials and artifact attestations per NIST SP 800-204D | Advanced | baseline |
| SAFE-K8S-0603-009 | In-toto and SLSA provenance attestation generation | Advanced | baseline |
| SAFE-K8S-0603-010 | SBOM attestation binding to image digests | Advanced | baseline |
| SAFE-K8S-0603-011 | Attestation policy definition, signing, and change governance | Advanced | baseline |
| SAFE-K8S-0603-013 | Lifecycle attestation chain verification across build, promote, and deploy | Advanced | baseline |
| SAFE-K8S-0603-014 | Fail-closed admission enforcement for attestation requirements | Advanced | baseline |
- Domain: D06 - Supply Chain, Images, and Admission Control
- Maturity: Practitioner
- Controls: 11
This knowledge area focuses on: SBOM generation for container and AI artifacts, ML-BOM (ML Bill of Materials) generation, SBOM storage and distribution as OCI artifacts, VEX (Vulnerability Exploitability eXchange) publication, and Third-party component security requirements documentation. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0604-001 | SBOM generation for container and AI artifacts | Practitioner | ai-specific |
| SAFE-K8S-0604-002 | ML-BOM (ML Bill of Materials) generation | Practitioner | ai-specific |
| SAFE-K8S-0604-003 | SBOM storage and distribution as OCI artifacts | Practitioner | baseline |
| SAFE-K8S-0604-004 | VEX (Vulnerability Exploitability eXchange) publication | Practitioner | baseline |
| SAFE-K8S-0604-007 | Third-party component security requirements documentation | Practitioner | baseline |
| SAFE-K8S-0604-008 | AI workload vulnerability exposure classification | Practitioner | ai-specific |
| SAFE-K8S-0604-009 | AI workload vulnerability prioritization and remediation SLAs | Practitioner | ai-specific |
| SAFE-K8S-0604-010 | Automated AI workload rebuild and redeployment patch pipelines | Practitioner | ai-specific |
| SAFE-K8S-0604-011 | SLSA provenance generation and target-level governance | Practitioner | baseline |
| SAFE-K8S-0604-013 | Hermetic build execution and pinned dependency input control | Practitioner | baseline |
| SAFE-K8S-0604-014 | Source-to-artifact integrity linkage for built images | Practitioner | baseline |
- Domain: D06 - Supply Chain, Images, and Admission Control
- Maturity: Practitioner
- Controls: 8
This knowledge area focuses on: OPA/Gatekeeper policies for Kubernetes and AI workloads, Kyverno admission policies, Kubewarden WebAssembly-based admission policies, Pod Security Admission enforcement for AI workload namespaces, and Admission webhook fail-closed enforcement and timeout bounds. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0605-001 | OPA/Gatekeeper policies for Kubernetes and AI workloads | Practitioner | ai-specific |
| SAFE-K8S-0605-002 | Kyverno admission policies | Practitioner | baseline |
| SAFE-K8S-0605-003 | Kubewarden WebAssembly-based admission policies | Practitioner | baseline |
| SAFE-K8S-0605-006 | Pod Security Admission enforcement for AI workload namespaces | Practitioner | baseline |
| SAFE-K8S-0605-007 | Admission webhook fail-closed enforcement and timeout bounds | Practitioner | baseline |
| SAFE-K8S-0605-008 | Admission webhook TLS rotation and high-availability resilience | Practitioner | baseline |
| SAFE-K8S-0605-009 | AI custom resource validation and policy constraint enforcement | Practitioner | ai-specific |
| SAFE-K8S-0605-010 | AI custom resource webhook abuse resistance and resource hardening | Practitioner | ai-specific |
- Domain: D06 - Supply Chain, Images, and Admission Control
- Maturity: Practitioner
- Controls: 22
This knowledge area focuses on: CI/CD build environment hardening, CI/CD build activity monitoring, SSDF v1.1 alignment for secure development practices, CI build-time security gate enforcement, and CNCF lifecycle phase security coverage. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0606-002 | CI/CD build environment hardening | Practitioner | baseline |
| SAFE-K8S-0606-007 | CI/CD build activity monitoring | Practitioner | baseline |
| SAFE-K8S-0606-009 | SSDF v1.1 alignment for secure development practices | Practitioner | baseline |
| SAFE-K8S-0606-011 | CI build-time security gate enforcement | Practitioner | baseline |
| SAFE-K8S-0606-017 | CNCF lifecycle phase security coverage | Practitioner | baseline |
| SAFE-K8S-0606-018 | Zero-trust CI/CD handoff verification and independent evidence generation | Practitioner | baseline |
| SAFE-K8S-0606-019 | Helm chart provenance and signature verification | Practitioner | baseline |
| SAFE-K8S-0606-020 | Helm values override restriction and dependency integrity governance | Practitioner | baseline |
| SAFE-K8S-0606-021 | Kubernetes manifest cryptographic signing before deployment | Advanced | baseline |
| SAFE-K8S-0606-022 | Admission-time verification of Kubernetes manifest signatures | Advanced | baseline |
| SAFE-K8S-0606-023 | IaC security scanning gate enforcement for deployment platforms | Practitioner | baseline |
| SAFE-K8S-0606-024 | Policy-as-code and runtime configuration integrity governance | Practitioner | baseline |
| SAFE-K8S-0606-025 | Artifact freshness limit enforcement for CI/CD promotion | Practitioner | baseline |
| SAFE-K8S-0606-026 | Automated SCM security posture assessment before promotion reliance | Practitioner | baseline |
| SAFE-K8S-0606-027 | GitOps repository access restriction and least-privilege deploy credentials | Practitioner | baseline |
| SAFE-K8S-0606-028 | GitOps commit signing and protected deployment branch governance | Practitioner | baseline |
| SAFE-K8S-0606-029 | GitOps deployed package and version metadata retention | Practitioner | baseline |
| SAFE-K8S-0606-030 | GitOps configuration revision and deployment history traceability | Practitioner | baseline |
| SAFE-K8S-0606-031 | GitOps reconciliation health and integrity monitoring | Practitioner | baseline |
| SAFE-K8S-0606-032 | GitOps drift detection and automated resync or notification | Practitioner | baseline |
| SAFE-K8S-0606-033 | Git-only production deployment path enforcement | Practitioner | baseline |
| SAFE-K8S-0606-034 | Emergency direct-access audit logging and justification governance | Practitioner | baseline |
- Domain: D07 - Storage, Multi-tenancy, and Resource Governance
- Maturity: Practitioner
- Controls: 8
This knowledge area focuses on: PersistentVolume and PersistentVolumeClaim access mode enforcement, CSI driver security and privilege restriction, Encryption at rest for persistent volumes, PV reclaim policy enforcement for AI data volumes, and Dual authorization for retained AI data volume destruction. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0701-001 | PersistentVolume and PersistentVolumeClaim access mode enforcement | Practitioner | ai-specific |
| SAFE-K8S-0701-002 | CSI driver security and privilege restriction | Practitioner | baseline |
| SAFE-K8S-0701-003 | Encryption at rest for persistent volumes | Foundational | baseline |
| SAFE-K8S-0701-004 | PV reclaim policy enforcement for AI data volumes | Practitioner | ai-specific |
| SAFE-K8S-0701-006 | Dual authorization for retained AI data volume destruction | Advanced | ai-specific |
| SAFE-K8S-0701-007 | High-performance AI storage backend hardening | Advanced | ai-specific |
| SAFE-K8S-0701-008 | Training data and model artifact version tracking for reproducibility | Advanced | ai-specific |
| SAFE-K8S-0701-009 | Immutable storage protection for training data and model artifacts | Advanced | ai-specific |
- Domain: D07 - Storage, Multi-tenancy, and Resource Governance
- Maturity: Practitioner
- Controls: 20
This knowledge area focuses on: LimitRange enforcement for containers and pods, Label and annotation schema definition for AI workload classification, Admission control enforcement of workload classification label requirements, Virtual cluster deployment for high-isolation multi-tenant Kubernetes environments, and Tenant default-deny inter-namespace network isolation. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0702-003 | LimitRange enforcement for containers and pods | Foundational | baseline |
| SAFE-K8S-0702-005 | Label and annotation schema definition for AI workload classification | Practitioner | ai-specific |
| SAFE-K8S-0702-009 | Admission control enforcement of workload classification label requirements | Practitioner | ai-specific |
| SAFE-K8S-0702-010 | Virtual cluster deployment for high-isolation multi-tenant Kubernetes environments | Advanced | baseline |
| SAFE-K8S-0702-013 | Tenant default-deny inter-namespace network isolation | Practitioner | baseline |
| SAFE-K8S-0702-016 | Classification metadata preservation across model lifecycle stages | Practitioner | ai-specific |
| SAFE-K8S-0702-018 | Namespace tenant boundary model and isolation limitation documentation | Practitioner | baseline |
| SAFE-K8S-0702-019 | Supplementary namespace isolation control enforcement for multi-tenant AI clusters | Practitioner | baseline |
| SAFE-K8S-0702-020 | Namespace ResourceQuota enforcement for GPU and AI workloads | Practitioner | ai-specific |
| SAFE-K8S-0702-021 | Namespace quota utilization monitoring and exhaustion alerting for GPU and AI workloads | Practitioner | ai-specific |
| SAFE-K8S-0702-022 | Virtual cluster isolation guarantee and residual risk documentation | Advanced | baseline |
| SAFE-K8S-0702-023 | Virtual cluster tenant isolation validation and host-cluster access review | Advanced | baseline |
| SAFE-K8S-0702-024 | Tenant namespace-scoped RBAC boundary enforcement | Practitioner | baseline |
| SAFE-K8S-0702-025 | Tenant admission boundary enforcement for cross-tenant resource isolation | Practitioner | baseline |
| SAFE-K8S-0702-026 | Pipeline data classification taxonomy definition | Practitioner | ai-specific |
| SAFE-K8S-0702-027 | Pipeline classification label application, propagation, and coverage verification | Practitioner | ai-specific |
| SAFE-K8S-0702-028 | Classification-driven admission policy enforcement for pipeline resources | Practitioner | ai-specific |
| SAFE-K8S-0702-029 | Classification-driven storage and network restriction enforcement | Practitioner | ai-specific |
| SAFE-K8S-0702-030 | Promotion-time automatic classification uplift and reclassification execution | Practitioner | ai-specific |
| SAFE-K8S-0702-031 | Production promotion gate enforcement on validated classification metadata | Practitioner | ai-specific |
- Domain: D07 - Storage, Multi-tenancy, and Resource Governance
- Maturity: Practitioner
- Controls: 17
This knowledge area focuses on: Pod Disruption Budgets for workload availability, AI workload resource exhaustion guardrails, Fair-share GPU queue management for multi-tenant clusters, Idle GPU detection and resource reclamation, and GPU spending limits and budget enforcement. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0703-002 | Pod Disruption Budgets for workload availability | Foundational | baseline |
| SAFE-K8S-0703-005 | AI workload resource exhaustion guardrails | Practitioner | ai-specific |
| SAFE-K8S-0703-007 | Fair-share GPU queue management for multi-tenant clusters | Practitioner | ai-specific |
| SAFE-K8S-0703-008 | Idle GPU detection and resource reclamation | Practitioner | ai-specific |
| SAFE-K8S-0703-009 | GPU spending limits and budget enforcement | Practitioner | ai-specific |
| SAFE-K8S-0703-010 | Host-level resource isolation for AI workload nodes | Practitioner | ai-specific |
| SAFE-K8S-0703-012 | Node affinity rules, taints, and tolerations for AI workload isolation | Practitioner | ai-specific |
| SAFE-K8S-0703-013 | Topology-aware scheduling for GPU locality with blast-radius containment | Practitioner | ai-specific |
| SAFE-K8S-0703-014 | EDoS spending guardrails and autoscaling limits for AI resources | Advanced | ai-specific |
| SAFE-K8S-0703-015 | Chaos engineering validation for AI resource governance controls | Advanced | ai-specific |
| SAFE-K8S-0703-016 | AI workload PriorityClass hierarchy and preemption protection | Practitioner | ai-specific |
| SAFE-K8S-0703-017 | PriorityClass assignment restriction and admission enforcement | Practitioner | ai-specific |
| SAFE-K8S-0703-018 | GPU cost attribution metering and billing correlation | Practitioner | ai-specific |
| SAFE-K8S-0703-019 | GPU chargeback and showback reporting accountability | Practitioner | ai-specific |
| SAFE-K8S-0703-021 | GPU admission enforcement against unauthorized access and quota bypass | Practitioner | ai-specific |
| SAFE-K8S-0703-022 | GPU abuse pattern monitoring and detection for Kubernetes AI workloads | Practitioner | ai-specific |
| SAFE-K8S-0703-023 | Investigation and termination of confirmed unauthorized GPU workloads | Practitioner | ai-specific |
- Domain: D07 - Storage, Multi-tenancy, and Resource Governance
- Maturity: Practitioner
- Controls: 14
This knowledge area focuses on: VPC and security group integration with Kubernetes network policies, IMDSv2 enforcement on Kubernetes nodes, Restricted use policies for non-organizationally owned systems and external AI services, Cloud provider contingency plans for managed Kubernetes services, and Cloud-to-Kubernetes event correlation for incident investigation. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0704-002 | VPC and security group integration with Kubernetes network policies | Practitioner | baseline |
| SAFE-K8S-0704-004 | IMDSv2 enforcement on Kubernetes nodes | Foundational | baseline |
| SAFE-K8S-0704-005 | Restricted use policies for non-organizationally owned systems and external AI services | Practitioner | ai-specific |
| SAFE-K8S-0704-006 | Cloud provider contingency plans for managed Kubernetes services | Practitioner | ai-specific |
| SAFE-K8S-0704-008 | Cloud-to-Kubernetes event correlation for incident investigation | Practitioner | baseline |
| SAFE-K8S-0704-011 | Network-level blocking of cloud metadata endpoint access for pods | Foundational | baseline |
| SAFE-K8S-0704-013 | Unified cloud and Kubernetes audit source onboarding | Practitioner | baseline |
| SAFE-K8S-0704-014 | Managed Kubernetes audit log retention enforcement | Practitioner | baseline |
| SAFE-K8S-0704-015 | Cloud IAM to Kubernetes RBAC entitlement mapping definition | Practitioner | baseline |
| SAFE-K8S-0704-016 | Cloud IAM to Kubernetes RBAC mapping review and drift remediation | Practitioner | baseline |
| SAFE-K8S-0704-017 | Least-privilege cloud-to-cluster privileged access boundary enforcement | Practitioner | baseline |
| SAFE-K8S-0704-018 | Break-glass cloud identity governance for Kubernetes administration | Practitioner | baseline |
| SAFE-K8S-0704-019 | Per-workload cloud identity binding for managed Kubernetes workloads | Foundational | baseline |
| SAFE-K8S-0704-020 | Node-level cloud identity restriction for managed Kubernetes workloads | Foundational | baseline |
- Domain: D08 - GPU, Accelerator, and Confidential Computing
- Maturity: Advanced
- Controls: 10
This knowledge area focuses on: GPU device plugin security configuration and hardening, MIG partitioning for hardware-enforced GPU isolation, vGPU virtualization security controls, GPU memory clearing between workload transitions, and GPU topology metadata protection and node label visibility restriction. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0801-001 | GPU device plugin security configuration and hardening | Practitioner | ai-specific |
| SAFE-K8S-0801-002 | MIG partitioning for hardware-enforced GPU isolation | Advanced | ai-specific |
| SAFE-K8S-0801-004 | vGPU virtualization security controls | Practitioner | ai-specific |
| SAFE-K8S-0801-006 | GPU memory clearing between workload transitions | Advanced | ai-specific |
| SAFE-K8S-0801-009 | GPU topology metadata protection and node label visibility restriction | Practitioner | ai-specific |
| SAFE-K8S-0801-010 | Admission validation of authorized GPU resource requests | Practitioner | ai-specific |
| SAFE-K8S-0801-011 | MPS and time-slicing residual-risk acceptance and compensating control approval | Advanced | ai-specific |
| SAFE-K8S-0801-012 | MPS and time-slicing workload eligibility and same-trust co-location enforcement | Advanced | ai-specific |
| SAFE-K8S-0801-013 | MPS and time-slicing memory remnant prevention verification | Advanced | ai-specific |
| SAFE-K8S-0801-014 | MPS and time-slicing side-channel risk assessment | Advanced | ai-specific |
- Domain: D08 - GPU, Accelerator, and Confidential Computing
- Maturity: Advanced
- Controls: 7
This knowledge area focuses on: GPU driver lifecycle and vulnerability management, CUDA library and container toolkit security, GPU firmware integrity monitoring, Device plugin socket directory access restriction and unauthorized socket access monitoring, and Device plugin registration authentication monitoring and rogue plugin detection. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0802-001 | GPU driver lifecycle and vulnerability management | Practitioner | ai-specific |
| SAFE-K8S-0802-002 | CUDA library and container toolkit security | Advanced | ai-specific |
| SAFE-K8S-0802-004 | GPU firmware integrity monitoring | Advanced | ai-specific |
| SAFE-K8S-0802-006 | Device plugin socket directory access restriction and unauthorized socket access monitoring | Practitioner | ai-specific |
| SAFE-K8S-0802-007 | Device plugin registration authentication monitoring and rogue plugin detection | Practitioner | ai-specific |
| SAFE-K8S-0802-008 | GPU kernel module signing and Secure Boot enforcement | Advanced | ai-specific |
| SAFE-K8S-0802-009 | GPU driver binary path file integrity monitoring | Advanced | ai-specific |
- Domain: D08 - GPU, Accelerator, and Confidential Computing
- Maturity: Advanced
- Controls: 5
This knowledge area focuses on: NVLink and NVSwitch traffic isolation for multi-GPU training, InfiniBand and RoCE fabric security controls, RDMA memory region and queue pair isolation, DPU and SmartNIC firmware cryptographic verification and Secure Boot integrity, and DPU and SmartNIC host trust boundary definition and policy engine administrative restriction.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0803-001 | NVLink and NVSwitch traffic isolation for multi-GPU training | Advanced | ai-specific |
| SAFE-K8S-0803-002 | InfiniBand and RoCE fabric security controls | Advanced | ai-specific |
| SAFE-K8S-0803-003 | RDMA memory region and queue pair isolation | Advanced | ai-specific |
| SAFE-K8S-0803-005 | DPU and SmartNIC firmware cryptographic verification and Secure Boot integrity | Advanced | ai-specific |
| SAFE-K8S-0803-006 | DPU and SmartNIC host trust boundary definition and policy engine administrative restriction | Advanced | ai-specific |
- Domain: D08 - GPU, Accelerator, and Confidential Computing
- Maturity: Advanced
- Controls: 5
This knowledge area focuses on: TEE-based model and data protection for AI workloads, Remote attestation for TEE integrity verification, Confidential AI workload operational constraints and risk assessment, Attestation-conditioned enclave key release, and Sealed storage binding of encrypted AI artifacts to enclave measurements.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0804-001 | TEE-based model and data protection for AI workloads | Advanced | ai-specific |
| SAFE-K8S-0804-002 | Remote attestation for TEE integrity verification | Advanced | ai-specific |
| SAFE-K8S-0804-004 | Confidential AI workload operational constraints and risk assessment | Advanced | ai-specific |
| SAFE-K8S-0804-005 | Attestation-conditioned enclave key release | Advanced | ai-specific |
| SAFE-K8S-0804-006 | Sealed storage binding of encrypted AI artifacts to enclave measurements | Advanced | ai-specific |
- Domain: D08 - GPU, Accelerator, and Confidential Computing
- Maturity: Advanced
- Controls: 4
This knowledge area focuses on: GPU telemetry collection and anomaly detection, GPU allocation audit trail and workload identity tracking, GPU-based attack detection for cryptomining and memory scraping, and GPU side-channel attack awareness and mitigation.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0805-001 | GPU telemetry collection and anomaly detection | Practitioner | ai-specific |
| SAFE-K8S-0805-002 | GPU allocation audit trail and workload identity tracking | Practitioner | ai-specific |
| SAFE-K8S-0805-003 | GPU-based attack detection for cryptomining and memory scraping | Advanced | ai-specific |
| SAFE-K8S-0805-004 | GPU side-channel attack awareness and mitigation | Advanced | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Practitioner
- Controls: 9
This knowledge area focuses on: Parameter server and all-reduce security, Checkpoint security, Training fault tolerance and security, Federated learning security on Kubernetes, and Gang scheduling security (Volcano, Kueue). Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0901-002 | Parameter server and all-reduce security | Advanced | ai-specific |
| SAFE-K8S-0901-003 | Checkpoint security | Practitioner | ai-specific |
| SAFE-K8S-0901-004 | Training fault tolerance and security | Practitioner | ai-specific |
| SAFE-K8S-0901-005 | Federated learning security on Kubernetes | Advanced | ai-specific |
| SAFE-K8S-0901-006 | Gang scheduling security (Volcano, Kueue) | Practitioner | ai-specific |
| SAFE-K8S-0901-007 | AI operator privilege management | Practitioner | ai-specific |
| SAFE-K8S-0901-008 | Training job network isolation | Practitioner | ai-specific |
| SAFE-K8S-0901-009 | Multi-node training worker mutual authentication | Practitioner | ai-specific |
| SAFE-K8S-0901-010 | Encrypted inter-worker gradient transport | Practitioner | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Practitioner
- Controls: 10
This knowledge area focuses on: Inference server hardening, Model loading integrity verification, Inference request validation and input sanitization, Multi-model serving isolation and encryption, and Multi-cluster inference routing and failover security. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0902-001 | Inference server hardening | Practitioner | ai-specific |
| SAFE-K8S-0902-002 | Model loading integrity verification | Practitioner | ai-specific |
| SAFE-K8S-0902-003 | Inference request validation and input sanitization | Practitioner | ai-specific |
| SAFE-K8S-0902-004 | Multi-model serving isolation and encryption | Practitioner | ai-specific |
| SAFE-K8S-0902-005 | Multi-cluster inference routing and failover security | Practitioner | ai-specific |
| SAFE-K8S-0902-006 | LLM serving configuration security | Practitioner | ai-specific |
| SAFE-K8S-0902-008 | Inference endpoint authentication and authorization | Practitioner | ai-specific |
| SAFE-K8S-0902-009 | Inference response filtering and output controls | Practitioner | ai-specific |
| SAFE-K8S-0902-010 | Infrastructure-layer prompt injection classification and instruction boundary enforcement | Practitioner | ai-specific |
| SAFE-K8S-0902-011 | Streaming token-level output leakage and policy-violation filtering | Practitioner | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Practitioner
- Controls: 6
This knowledge area focuses on: Adversarial example defenses at the serving layer, Inference-time resource controls, LLM context window and token resource controls, Inference request queue priority, timeout, and depth controls, and GPU inference autoscaling replica bounds and stabilization enforcement. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0903-001 | Adversarial example defenses at the serving layer | Practitioner | ai-specific |
| SAFE-K8S-0903-003 | Inference-time resource controls | Practitioner | ai-specific |
| SAFE-K8S-0903-004 | LLM context window and token resource controls | Practitioner | ai-specific |
| SAFE-K8S-0903-006 | Inference request queue priority, timeout, and depth controls | Practitioner | ai-specific |
| SAFE-K8S-0903-007 | GPU inference autoscaling replica bounds and stabilization enforcement | Practitioner | ai-specific |
| SAFE-K8S-0903-008 | Budget-aware inference autoscaling suppression and degraded-service fallback | Practitioner | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Practitioner
- Controls: 12
This knowledge area focuses on: Pipeline orchestrator hardening, Notebook and experimentation environment security, Scheduled feature computation job hardening, Feature freshness and integrity monitoring, and Pipeline stage isolation between sensitivity levels. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0904-001 | Pipeline orchestrator hardening | Practitioner | ai-specific |
| SAFE-K8S-0904-003 | Notebook and experimentation environment security | Practitioner | ai-specific |
| SAFE-K8S-0904-007 | Scheduled feature computation job hardening | Practitioner | ai-specific |
| SAFE-K8S-0904-008 | Feature freshness and integrity monitoring | Practitioner | ai-specific |
| SAFE-K8S-0904-011 | Pipeline stage isolation between sensitivity levels | Practitioner | ai-specific |
| SAFE-K8S-0904-012 | Cross-classification pipeline data transfer authorization gates | Practitioner | ai-specific |
| SAFE-K8S-0904-013 | Pipeline artifact storage encryption and object-store access policy enforcement | Practitioner | ai-specific |
| SAFE-K8S-0904-014 | Pipeline stage-scoped artifact access and retention governance | Practitioner | ai-specific |
| SAFE-K8S-0904-015 | Experiment tracking metadata access control and tenant visibility enforcement | Practitioner | ai-specific |
| SAFE-K8S-0904-016 | Experiment tracking access and modification audit logging | Practitioner | ai-specific |
| SAFE-K8S-0904-017 | Pipeline definition signing and execution-time signature verification | Practitioner | ai-specific |
| SAFE-K8S-0904-018 | Pipeline definition immutable version storage and controlled rollback governance | Practitioner | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Advanced
- Controls: 37
This knowledge area focuses on: AI system lifecycle classification, Automated model promotion gates, Model artifact lifecycle management, Model provenance verification at deployment, and Development-to-production environment separation for AI workloads. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0905-001 | AI system lifecycle classification | Practitioner | ai-specific |
| SAFE-K8S-0905-005 | Automated model promotion gates | Advanced | ai-specific |
| SAFE-K8S-0905-006 | Model artifact lifecycle management | Advanced | ai-specific |
| SAFE-K8S-0905-009 | Model provenance verification at deployment | Advanced | ai-specific |
| SAFE-K8S-0905-012 | Development-to-production environment separation for AI workloads | Advanced | ai-specific |
| SAFE-K8S-0905-015 | AI system control profile enforcement | Practitioner | ai-specific |
| SAFE-K8S-0905-025 | Separation of duties enforcement for model promotion approvals | Advanced | ai-specific |
| SAFE-K8S-0905-028 | ML framework and Python dependency vulnerability management | Advanced | ai-specific |
| SAFE-K8S-0905-029 | CUDA and GPU accelerator dependency vulnerability management | Advanced | ai-specific |
| SAFE-K8S-0905-032 | Safe model format allowlist and unsafe deserialization blocking | Practitioner | ai-specific |
| SAFE-K8S-0905-033 | Pre-load model file structure and metadata validation | Practitioner | ai-specific |
| SAFE-K8S-0905-034 | Canary and A/B candidate version isolation and traffic-splitting integrity | Advanced | ai-specific |
| SAFE-K8S-0905-035 | Automatic canary rollback on error-rate and latency degradation | Advanced | ai-specific |
| SAFE-K8S-0905-036 | Automated AI workload circuit-breaker threshold enforcement | Advanced | ai-specific |
| SAFE-K8S-0905-037 | Manual emergency halt governance and forensic evidence preservation | Advanced | ai-specific |
| SAFE-K8S-0905-038 | Model registry RBAC and workload pull authorization scoping | Practitioner | ai-specific |
| SAFE-K8S-0905-039 | Model registry access review and stale-permission remediation | Practitioner | ai-specific |
| SAFE-K8S-0905-040 | Model registry audit event generation and centralized forwarding | Practitioner | ai-specific |
| SAFE-K8S-0905-041 | Model registry sensitive-operation alerting and anomalous activity review | Practitioner | ai-specific |
| SAFE-K8S-0905-042 | CTA-2114 ML-BOM generation and lineage metadata capture | Advanced | ai-specific |
| SAFE-K8S-0905-043 | Durable ML-BOM attachment to model artifacts and versions | Advanced | ai-specific |
| SAFE-K8S-0905-044 | Public model quarantine isolation and malicious artifact scanning | Advanced | ai-specific |
| SAFE-K8S-0905-045 | Sandboxed external model behavioral vetting and disposition review | Advanced | ai-specific |
| SAFE-K8S-0905-046 | ML artifact cryptographic signing with Sigstore or equivalent | Advanced | ai-specific |
| SAFE-K8S-0905-047 | Training pipeline attestation generation for ML artifacts | Advanced | ai-specific |
| SAFE-K8S-0905-048 | OCI model artifact digest pinning in deployment and promotion workflows | Advanced | ai-specific |
| SAFE-K8S-0905-049 | OCI model registry tag immutability and overwrite prevention | Advanced | ai-specific |
| SAFE-K8S-0905-050 | Authenticated reviewer identity validation for model promotion approvals | Advanced | ai-specific |
| SAFE-K8S-0905-051 | Model promotion approval audit binding to reviewer identity and model version | Advanced | ai-specific |
| SAFE-K8S-0905-052 | Approved external model source allowlist definition and maintenance | Advanced | ai-specific |
| SAFE-K8S-0905-053 | Approved external model source periodic review and allowlist update governance | Advanced | ai-specific |
| SAFE-K8S-0905-054 | External model source NetworkPolicy enforcement for protected namespaces | Advanced | ai-specific |
| SAFE-K8S-0905-055 | Admission-time rejection of unapproved external model source references | Advanced | ai-specific |
| SAFE-K8S-0905-056 | External model publisher identity and provenance metadata verification | Advanced | ai-specific |
| SAFE-K8S-0905-057 | External model trust-signal assessment and approval review | Advanced | ai-specific |
| SAFE-K8S-0905-058 | Internal re-signing of approved external models before deployment eligibility | Advanced | ai-specific |
| SAFE-K8S-0905-059 | External-origin annotation and internal registry enrollment for approved external models | Advanced | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Practitioner
- Controls: 5
This knowledge area focuses on: Large-scale data integrity verification, Statistical drift, outlier, and input validation for training data poisoning detection, Annotation pipeline integrity and targeted label attack detection, Training data provenance tracking from ingestion through model training, and Integrity verification at each training data transformation stage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0906-002 | Large-scale data integrity verification | Practitioner | ai-specific |
| SAFE-K8S-0906-004 | Statistical drift, outlier, and input validation for training data poisoning detection | Practitioner | ai-specific |
| SAFE-K8S-0906-005 | Annotation pipeline integrity and targeted label attack detection | Practitioner | ai-specific |
| SAFE-K8S-0906-006 | Training data provenance tracking from ingestion through model training | Practitioner | ai-specific |
| SAFE-K8S-0906-007 | Integrity verification at each training data transformation stage | Practitioner | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Practitioner
- Controls: 5
This knowledge area focuses on: Training data privacy controls, Feature store access boundary enforcement and serving authentication, Feature engineering privacy controls and leakage validation, Training dataset access restriction across storage backends, and Model deployment authorization and namespace-scoped release control.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0907-002 | Training data privacy controls | Practitioner | ai-specific |
| SAFE-K8S-0907-004 | Feature store access boundary enforcement and serving authentication | Practitioner | ai-specific |
| SAFE-K8S-0907-005 | Feature engineering privacy controls and leakage validation | Practitioner | ai-specific |
| SAFE-K8S-0907-006 | Training dataset access restriction across storage backends | Practitioner | ai-specific |
| SAFE-K8S-0907-007 | Model deployment authorization and namespace-scoped release control | Practitioner | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Advanced
- Controls: 8
This knowledge area focuses on: Oracle attack prevention, Inference API information exposure controls, Model watermarking and fingerprinting, Model abuse logging and alerting, and Secure aggregation for privacy-preserving model outputs. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0908-001 | Oracle attack prevention | Advanced | ai-specific |
| SAFE-K8S-0908-002 | Inference API information exposure controls | Advanced | ai-specific |
| SAFE-K8S-0908-003 | Model watermarking and fingerprinting | Advanced | ai-specific |
| SAFE-K8S-0908-005 | Model abuse logging and alerting | Advanced | ai-specific |
| SAFE-K8S-0908-006 | Secure aggregation for privacy-preserving model outputs | Advanced | ai-specific |
| SAFE-K8S-0908-008 | Inference output perturbation and privacy-preserving response shaping | Advanced | ai-specific |
| SAFE-K8S-0908-009 | Differential privacy parameter governance for inference endpoints | Advanced | ai-specific |
| SAFE-K8S-0908-010 | Inference privacy budget tracking and threshold enforcement | Advanced | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Practitioner
- Controls: 10
This knowledge area focuses on: Embedding pipeline integrity, RAG prompt injection defense, Vector index lifecycle management, Classification-aware chunking and vector collection segregation, and Vector database authentication and collection-level access control. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0909-002 | Embedding pipeline integrity | Practitioner | ai-specific |
| SAFE-K8S-0909-005 | RAG prompt injection defense | Practitioner | ai-specific |
| SAFE-K8S-0909-006 | Vector index lifecycle management | Practitioner | ai-specific |
| SAFE-K8S-0909-008 | Classification-aware chunking and vector collection segregation | Practitioner | ai-specific |
| SAFE-K8S-0909-009 | Vector database authentication and collection-level access control | Practitioner | ai-specific |
| SAFE-K8S-0909-010 | Vector database encryption in transit and at rest | Practitioner | ai-specific |
| SAFE-K8S-0909-011 | Retrieved context integrity validation and relevance threshold enforcement | Practitioner | ai-specific |
| SAFE-K8S-0909-012 | Context poisoning monitoring and incident response for RAG retrieval | Practitioner | ai-specific |
| SAFE-K8S-0909-013 | Approved source repository access control and allowlist enforcement for RAG ingestion | Practitioner | ai-specific |
| SAFE-K8S-0909-014 | Document provenance and integrity validation before RAG chunking and indexing | Practitioner | ai-specific |
- Domain: D09 - AI Workload Security: Training, Serving, and Pipelines
- Maturity: Advanced
- Controls: 19
This knowledge area focuses on: Federated learning cross-cluster coordination security, Destination-side signature and digest re-verification for replicated model artifacts, Cross-cluster orchestration identity federation and authorization, Centralized audit logging for cross-cluster orchestration actions, and Security-aware target-cluster posture verification before multi-cluster placement. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-0910-004 | Federated learning cross-cluster coordination security | Advanced | ai-specific |
| SAFE-K8S-0910-015 | Destination-side signature and digest re-verification for replicated model artifacts | Advanced | ai-specific |
| SAFE-K8S-0910-016 | Cross-cluster orchestration identity federation and authorization | Advanced | ai-specific |
| SAFE-K8S-0910-017 | Centralized audit logging for cross-cluster orchestration actions | Advanced | ai-specific |
| SAFE-K8S-0910-018 | Security-aware target-cluster posture verification before multi-cluster placement | Advanced | ai-specific |
| SAFE-K8S-0910-019 | Compromised-cluster federation isolation and re-admission governance | Advanced | ai-specific |
| SAFE-K8S-0910-020 | Cross-cluster transport encryption for distributed AI traffic | Advanced | ai-specific |
| SAFE-K8S-0910-021 | Cross-cluster endpoint and workload authentication for AI communication | Advanced | ai-specific |
| SAFE-K8S-0910-022 | Cross-cluster communication authorization policy enforcement | Advanced | ai-specific |
| SAFE-K8S-0910-024 | Cross-cluster model provenance chain-of-custody preservation | Advanced | ai-specific |
| SAFE-K8S-0910-025 | Cross-cluster registry federation endpoint authorization and reconciliation governance | Advanced | ai-specific |
| SAFE-K8S-0910-026 | Multi-cluster security policy baseline federation | Advanced | ai-specific |
| SAFE-K8S-0910-027 | Multi-cluster policy drift detection and remediation | Advanced | ai-specific |
| SAFE-K8S-0910-028 | Unified multi-cluster compliance reporting | Advanced | ai-specific |
| SAFE-K8S-0910-029 | Centralized multi-cluster secret, certificate, and incident governance coordination | Advanced | ai-specific |
| SAFE-K8S-0910-030 | Cross-cluster registry replication channel mutual authentication | Advanced | ai-specific |
| SAFE-K8S-0910-031 | Cross-cluster registry endpoint enrollment approval | Advanced | ai-specific |
| SAFE-K8S-0910-032 | Cross-cluster traffic anomaly monitoring for distributed AI workloads | Advanced | ai-specific |
| SAFE-K8S-0910-033 | Investigation of anomalous cross-cluster AI communication | Advanced | ai-specific |
- Domain: D10 - Observability, Incident Response, and Governance
- Maturity: Practitioner
- Controls: 25
This knowledge area focuses on: Audit volume management for AI workloads, Supplemental application-level telemetry for AI workload events, Permitted responses to audit findings, Kubernetes audit level and stage filtering for AI workloads, and SIEM correlation rules for AI-specific attack patterns. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-1001-004 | Audit volume management for AI workloads | Practitioner | ai-specific |
| SAFE-K8S-1001-007 | Supplemental application-level telemetry for AI workload events | Practitioner | ai-specific |
| SAFE-K8S-1001-008 | Permitted responses to audit findings | Practitioner | baseline |
| SAFE-K8S-1001-010 | Kubernetes audit level and stage filtering for AI workloads | Practitioner | ai-specific |
| SAFE-K8S-1001-012 | SIEM correlation rules for AI-specific attack patterns | Practitioner | ai-specific |
| SAFE-K8S-1001-015 | PII redaction and sensitive payload minimization for inference logs | Practitioner | ai-specific |
| SAFE-K8S-1001-016 | Audit policy coverage for AI-specific resource and workflow events | Practitioner | ai-specific |
| SAFE-K8S-1001-017 | Audit capture of admission, authorization, and privileged API decisions for AI workloads | Practitioner | ai-specific |
| SAFE-K8S-1001-019 | Regulatory AI artifact and provenance record retention enforcement | Practitioner | ai-specific |
| SAFE-K8S-1001-023 | Regulatory audit log durable retrieval enforcement | Practitioner | ai-specific |
| SAFE-K8S-1001-024 | Audit log append-only storage and tamper protection | Practitioner | baseline |
| SAFE-K8S-1001-025 | Dual authorization for audit log deletion or modification | Practitioner | baseline |
| SAFE-K8S-1001-026 | Durable audit backend delivery for Kubernetes AI workloads | Practitioner | ai-specific |
| SAFE-K8S-1001-027 | Tamper-resistant retention for Kubernetes AI audit backends | Practitioner | ai-specific |
| SAFE-K8S-1001-028 | AI-specific SIEM source onboarding and forwarding | Practitioner | ai-specific |
| SAFE-K8S-1001-029 | SIEM ingestion health, delivery completeness, and source coverage monitoring | Practitioner | ai-specific |
| SAFE-K8S-1001-030 | Centralized AI workload log collection and routing | Practitioner | ai-specific |
| SAFE-K8S-1001-031 | Tenant and workload context preservation for AI log segregation and searchability | Practitioner | ai-specific |
| SAFE-K8S-1001-032 | Cluster-wide Kubernetes and AI log source coverage | Practitioner | baseline |
| SAFE-K8S-1001-033 | Centralized aggregation onboarding and export for cluster-wide AI logs | Practitioner | baseline |
| SAFE-K8S-1001-034 | Centralized AI log backend immutability and integrity verification | Practitioner | baseline |
| SAFE-K8S-1001-036 | Regulatory audit log retention period configuration and compliance verification | Practitioner | ai-specific |
| SAFE-K8S-1001-037 | Regulatory audit log immutability and deletion prevention before retention expiry | Practitioner | ai-specific |
| SAFE-K8S-1001-038 | Centralized AI log retention lifecycle enforcement | Practitioner | baseline |
| SAFE-K8S-1001-039 | Durable retrieval validation for centralized AI logs | Practitioner | baseline |
- Domain: D10 - Observability, Incident Response, and Governance
- Maturity: Practitioner
- Controls: 6
This knowledge area focuses on: Metric endpoint authentication, Distributed tracing for ML pipelines, AI workload telemetry integration into cluster monitoring, AI-specific alerting and failure mode detection, and Metric endpoint authorization and RBAC. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-1002-001 | Metric endpoint authentication | Practitioner | baseline |
| SAFE-K8S-1002-002 | Distributed tracing for ML pipelines | Practitioner | ai-specific |
| SAFE-K8S-1002-003 | AI workload telemetry integration into cluster monitoring | Practitioner | ai-specific |
| SAFE-K8S-1002-004 | AI-specific alerting and failure mode detection | Practitioner | ai-specific |
| SAFE-K8S-1002-005 | Metric endpoint authorization and RBAC | Practitioner | baseline |
| SAFE-K8S-1002-006 | Sensitive metric redaction and access restriction | Practitioner | ai-specific |
- Domain: D10 - Observability, Incident Response, and Governance
- Maturity: Advanced
- Controls: 4
This knowledge area focuses on: STRIDE threat modeling for Kubernetes AI systems, OCTAVE risk-based threat assessment for Kubernetes AI environments, MITRE ATT&CK for Containers coverage mapping and gap analysis, and Technique-aligned detection engineering for Kubernetes AI attack scenarios.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-1003-001 | STRIDE threat modeling for Kubernetes AI systems | Practitioner | ai-specific |
| SAFE-K8S-1003-002 | OCTAVE risk-based threat assessment for Kubernetes AI environments | Advanced | ai-specific |
| SAFE-K8S-1003-004 | MITRE ATT&CK for Containers coverage mapping and gap analysis | Advanced | ai-specific |
| SAFE-K8S-1003-005 | Technique-aligned detection engineering for Kubernetes AI attack scenarios | Advanced | ai-specific |
- Domain: D10 - Observability, Incident Response, and Governance
- Maturity: Advanced
- Controls: 5
This knowledge area focuses on: ML threat taxonomy per CTA-2114 mapped to Kubernetes, Software supply chain threat model per NIST SP 800-204D, Kubernetes AI threat intelligence feed ingestion and detection enrichment, Adversarial ML threat taxonomy and structured classification, and Cross-source threat correlation with business context for AI incidents.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-1004-001 | ML threat taxonomy per CTA-2114 mapped to Kubernetes | Advanced | ai-specific |
| SAFE-K8S-1004-002 | Software supply chain threat model per NIST SP 800-204D | Advanced | ai-specific |
| SAFE-K8S-1004-004 | Kubernetes AI threat intelligence feed ingestion and detection enrichment | Advanced | ai-specific |
| SAFE-K8S-1004-005 | Adversarial ML threat taxonomy and structured classification | Advanced | ai-specific |
| SAFE-K8S-1004-006 | Cross-source threat correlation with business context for AI incidents | Advanced | ai-specific |
- Domain: D10 - Observability, Incident Response, and Governance
- Maturity: Practitioner
- Controls: 19
This knowledge area focuses on: Kubernetes incident response lifecycle, AI-specific incident response playbooks for Kubernetes, Ransomware recovery prioritization and post-incident preparedness improvement, Post-incident AI model integrity verification, and Documented post-incident model retraining or rollback decisions. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-1005-001 | Kubernetes incident response lifecycle | Practitioner | ai-specific |
| SAFE-K8S-1005-008 | AI-specific incident response playbooks for Kubernetes | Practitioner | ai-specific |
| SAFE-K8S-1005-014 | Ransomware recovery prioritization and post-incident preparedness improvement | Practitioner | baseline |
| SAFE-K8S-1005-015 | Post-incident AI model integrity verification | Practitioner | ai-specific |
| SAFE-K8S-1005-016 | Documented post-incident model retraining or rollback decisions | Practitioner | ai-specific |
| SAFE-K8S-1005-017 | Recovery-time lateral movement containment for compromised AI workloads | Practitioner | ai-specific |
| SAFE-K8S-1005-018 | Component integrity verification before restoration after compromise | Practitioner | ai-specific |
| SAFE-K8S-1005-019 | Vulnerability disclosure policy, intake channels, and triage SLAs for Kubernetes AI infrastructure | Practitioner | baseline |
| SAFE-K8S-1005-020 | Vulnerability response ownership and multi-party coordination governance for Kubernetes AI infrastructure | Practitioner | baseline |
| SAFE-K8S-1005-021 | Kubernetes containment runbooks for node draining, namespace isolation, and workload suspension | Practitioner | ai-specific |
| SAFE-K8S-1005-022 | Kubernetes incident credential revocation procedures for ServiceAccounts and external access | Practitioner | ai-specific |
| SAFE-K8S-1005-023 | GPU-aware node draining and accelerator workload containment | Practitioner | ai-specific |
| SAFE-K8S-1005-024 | Inference service quarantine and pipeline execution suspension with state preservation | Practitioner | ai-specific |
| SAFE-K8S-1005-025 | Kubernetes forensic evidence acquisition for container, node, audit, and network artifacts | Practitioner | ai-specific |
| SAFE-K8S-1005-026 | Forensic chain-of-custody and evidence handling for Kubernetes AI incidents | Practitioner | ai-specific |
| SAFE-K8S-1005-027 | GPU and accelerator forensic evidence preservation for Kubernetes AI incidents | Practitioner | ai-specific |
| SAFE-K8S-1005-028 | Model access and training provenance forensic preservation for Kubernetes AI incidents | Practitioner | ai-specific |
| SAFE-K8S-1005-029 | Kubernetes backup verification for etcd and AI workload data | Practitioner | baseline |
| SAFE-K8S-1005-030 | Documented etcd restoration procedures and tested execution readiness | Practitioner | baseline |
- Domain: D10 - Observability, Incident Response, and Governance
- Maturity: Advanced
- Controls: 7
This knowledge area focuses on: Regulatory compliance mapping for Kubernetes AI platforms, Automated audit readiness for Kubernetes AI platforms, Policy-as-code enforcement for AI workload compliance, NIST SSDF v1.1 alignment and gap assessment for Kubernetes AI development, and NIST SP 800-218A AI/ML profile alignment for Kubernetes AI development. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-1006-001 | Regulatory compliance mapping for Kubernetes AI platforms | Practitioner | ai-specific |
| SAFE-K8S-1006-004 | Automated audit readiness for Kubernetes AI platforms | Advanced | ai-specific |
| SAFE-K8S-1006-005 | Policy-as-code enforcement for AI workload compliance | Practitioner | ai-specific |
| SAFE-K8S-1006-007 | NIST SSDF v1.1 alignment and gap assessment for Kubernetes AI development | Advanced | ai-specific |
| SAFE-K8S-1006-008 | NIST SP 800-218A AI/ML profile alignment for Kubernetes AI development | Advanced | ai-specific |
| SAFE-K8S-1006-009 | Continuous policy decision evidence generation and export for AI workload compliance | Practitioner | ai-specific |
| SAFE-K8S-1006-010 | Policy exception approval and expiration governance for AI workload compliance | Practitioner | ai-specific |
- Domain: D10 - Observability, Incident Response, and Governance
- Maturity: Practitioner
- Controls: 13
This knowledge area focuses on: Continuous security posture management for AI clusters, Change management for production AI model deployments, Secure AI workload decommissioning, Cluster service protection from AI training resource exhaustion, and Pre-upgrade Kubernetes API compatibility testing for AI workloads. Additional controls in the table below extend this coverage.
| Control ID | Title | Maturity | Class |
|---|---|---|---|
| SAFE-K8S-1007-004 | Continuous security posture management for AI clusters | Practitioner | ai-specific |
| SAFE-K8S-1007-005 | Change management for production AI model deployments | Practitioner | ai-specific |
| SAFE-K8S-1007-006 | Secure AI workload decommissioning | Practitioner | ai-specific |
| SAFE-K8S-1007-007 | Cluster service protection from AI training resource exhaustion | Practitioner | ai-specific |
| SAFE-K8S-1007-010 | Pre-upgrade Kubernetes API compatibility testing for AI workloads | Practitioner | ai-specific |
| SAFE-K8S-1007-011 | Kubernetes cluster upgrade planning, sequencing, and rollback governance | Practitioner | ai-specific |
| SAFE-K8S-1007-012 | AI infrastructure compatibility matrix and coordinated component upgrade governance | Practitioner | ai-specific |
| SAFE-K8S-1007-013 | Automated AI infrastructure asset discovery and continuously updated inventory | Practitioner | ai-specific |
| SAFE-K8S-1007-014 | AI asset classification and criticality governance for Kubernetes environments | Practitioner | ai-specific |
| SAFE-K8S-1007-015 | GPU node onboarding security baseline validation gates | Advanced | ai-specific |
| SAFE-K8S-1007-016 | GPU node hardware attestation, driver integrity, and taint verification | Advanced | ai-specific |
| SAFE-K8S-1007-017 | Kubernetes release-channel and changelog monitoring for API deprecations | Practitioner | ai-specific |
| SAFE-K8S-1007-018 | Deprecated Kubernetes API usage inventory and migration tracking for AI workloads | Practitioner | ai-specific |