Securing AI in Practice: How Vandis and F5 Approach the Controls
Business leaders face increasing AI-related risks, yet responses are often reactive rather than strategic. Effective AI security needs a comprehensive control framework spanning the data pipeline, models, APIs, and outputs. Complex environments and a shortage of specialized skills create serious challenges. F5 provides a proactive technology stack in which findings from F5 AI Red Team are enforced through F5 AI Guardrails, while Vandis applies structured techniques to consolidate sources, clean data, establish sources of truth, and operationalize those controls.
How should enterprises assess their AI security posture?
Many organizations assume they have a clear view of their AI landscape, but in practice, there’s often a disconnect between the data they believe is feeding AI systems and what those systems actually consume. Vandis addresses this from the outset by starting every engagement in the Define phase of its methodology. This begins with workshops that align executive leadership around core business objectives. From there, a structured review takes place, pinpointing which business units are driving AI efforts, cataloging models already in production, mapping the underlying datasets, and examining the API integrations connected to inference endpoints.
Uncovering shadow AI is part of the same work. Employees introduce internal data into public AI tools, bypassing IT governance. Business units adopt AI-enabled SaaS before security teams can assess the risks. Vandis delivers this inventory as a professional service, establishing a defensible baseline before any policy gets written.
How do OWASP’s LLM and Agentic threat lists fit together?
The OWASP Top 10 for LLM Applications covers the baseline risks for single-model systems: prompt injection, insecure output handling, training data poisoning, sensitive information disclosure, excessive agency, and model denial-of-service.
The OWASP 2026 Top 10 for Agentic Applications extends that framework to systems that act independently across tools, applications, and other agents. New failure modes matter for enterprises moving from basic chatbots to agentic systems: agent goal hijack, tool misuse, identity and privilege abuse, broken delegated trust, and rogue agents. Risks around identity, tool usage, and delegated trust often exceed what an LLM firewall alone can enforce.
Across Vandis' assessments, the single most common exposure is agent misuse: agents operating outside their intended scope. In 2026, three AI coding agents leaked secrets through a single prompt injection; Claude Code, Gemini CLI, and GitHub Copilot were all hit by the same injection technique [1]. The second-largest exposure is over-privileged agents. Ryan Young phrases it plainly: think of agents like new hires on their first day. You don't grant unrestricted access on day one; you start narrow and expand as the agent proves it is ready to handle more. Agent misuse remains the biggest financial and operational exposure today.
How does F5 technology enforce AI controls?
F5 enforces control across AI systems in several ways.
F5 AI Guardrails inspects what goes into models and what comes out, blocking prompt injection, hidden instructions, and malicious inputs, while also preventing sensitive data or unsafe content from leaking in responses. Because this happens at the network layer, nothing reaches the model or the user without being validated first.
To stay ahead of evolving threats, F5 AI Red Team continuously tests systems with real-world attack techniques, such as jailbreaks and multi-step manipulation. Vandis recommends F5 AI Red Team for proactive testing and works with client security teams to translate those findings into Guardrails policies, so protections continually improve and remain aligned with the latest risks.
At the API layer, F5 adds further controls through authentication, rate limiting, and bot protection, helping manage both security and cost. Additional services detect unusual traffic patterns and, when needed, inspect encrypted traffic, giving organizations full visibility into and control over how their AI is used.
Taken together, F5’s approach is to enforce controls across multiple layers (network, application, and APIs) to ensure AI systems are protected from misuse and do not expose sensitive data.
How do you build an audit trail that holds up to regulators?
The regulatory landscape is changing constantly. One-off compliance exercises are no longer enough for AI solutions that themselves evolve continuously; organizations need controls that persist.
Regulations like the EU AI Act, evolving HIPAA rules in the US, NIST’s AI Risk Management Framework, and FINRA guidance all reinforce the same principles: if AI is influencing decisions, you must be able to explain what the AI model did and why. Standard application logs simply don’t provide that level of detail.
Vandis approaches this by building forensic audit capabilities that tie model behavior directly to business outcomes, enriched with the metadata needed for regulatory scrutiny. F5 AI Assistant underpins this with real-time telemetry, linking traffic, logs, and policy enforcement into a coherent view. Without that level of visibility, organizations run the risk of more than gaps in reporting; they also risk fines, legal exposure, and an inability to defend their decisions when it matters most.
How do you build AI governance that survives model change?
AI models evolve rapidly, and effective controls need to evolve with them. Governance tied to a specific model or vendor will fall over when either gets swapped out. The architecture that outlives a given model includes documented data lineage, role-based and attribute-based controls at the data source, human-in-the-loop checkpoints for high-impact decisions, tool-use boundaries for agents, and defined thresholds for when drift triggers retraining or retirement. This approach translates OWASP’s LLM and Agentic guidance, alongside NIST’s AI Risk Management Framework, from whitepapers into operational practice.
Of those controls, Vandis emphasizes human-in-the-loop checkpoints first. In a recent engagement, an agent looked flawless on a small test set but added 0.05% to every calculation as the dataset grew. Whilst this was a small percentage, it compounds into a real financial impact across thousands of transactions. A human checkpoint caught it. Once agents are validated, those checkpoints can be reduced, but early on, they protect both accuracy and the brand.
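The three agent controls just described, a tool-use boundary, a human-in-the-loop checkpoint for high-impact actions, and a drift threshold that would catch a systematic +0.05% bias, as an added example (not Vandis' or F5's code; the policy fields, tool names and sample values are assumptions):

```python
"""Agent action gate plus batch drift check (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class AgentPolicy:
    allowed_tools: set[str]   # "day one" scope: only these tools exist for the agent
    review_tools: set[str]    # tools that always require a human checkpoint
    max_amount: float         # value ceiling above which a human must approve


@dataclass
class Decision:
    allowed: bool
    needs_human: bool
    reason: str


def gate_action(policy: AgentPolicy, tool: str, amount: float = 0.0) -> Decision:
    """Deny out-of-scope tools; route high-impact actions to a human reviewer."""
    if tool not in policy.allowed_tools:
        return Decision(False, False, f"tool {tool!r} is outside the agent's scope")
    if tool in policy.review_tools or amount > policy.max_amount:
        return Decision(True, True, "high-impact action: human checkpoint required")
    return Decision(True, False, "within scope, no review needed")


def relative_drift(agent_values: list[float], reference_values: list[float]) -> float:
    """Mean signed relative deviation of agent outputs from an independent
    reference calculation. A consistent sign across a large batch is the
    signature of a systematic bias rather than noise."""
    pairs = list(zip(agent_values, reference_values))
    return sum((a - r) / r for a, r in pairs) / len(pairs)


def drift_exceeds(agent_values: list[float], reference_values: list[float],
                  threshold: float = 1e-4) -> bool:
    """True when |mean relative drift| crosses the retraining/retirement
    threshold (default 0.01%, so a 0.05% bias trips it)."""
    return abs(relative_drift(agent_values, reference_values)) > threshold
```

On a handful of test records a 0.05% bias looks like rounding; measured as a mean over the full batch against a reference computation it is unmistakable.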
Most of this work is professional services: strategy, policy, assessment, architecture, and ongoing advisory. Managed services are selectively extended when a client has chosen a direction and allocated the resources to run it. The gap between an AI program that scales safely and one that produces a regulatory fine is rarely about tooling alone.
Frequently asked questions
What is F5 AI Guardrails?
F5 AI Guardrails is a runtime control layer that sits between users and AI models, inspecting prompts and responses as they pass through. On the inbound side, it blocks prompt injection, concealed instructions, and malicious payloads. On the outbound side, it prevents leakage of personally identifiable information and unsafe content. Because it operates at the network layer, enforcement happens before data reaches the model and before responses reach the user.
What's the difference between OWASP's LLM Top 10 and Agentic Top 10?
The OWASP Top 10 for LLM Applications covers single-model risks like prompt injection, insecure output handling, training data poisoning, and model denial-of-service. The OWASP 2026 Top 10 for Agentic Applications extends the framework to systems that act across tools, applications, and other agents. Its new categories include agent goal hijack, tool misuse, identity and privilege abuse, broken delegated trust, and rogue agents.
How is F5 AI Red Team different from traditional red teaming?
Traditional red teams run time-bounded, human-led attack simulations. F5 AI Red Team runs continuous adversarial testing against AI systems, including jailbreak attempts, multi-turn manipulation, indirect prompt injection through retrieved content, and goal-hijack scenarios for agents. Its vulnerability database grows by more than 10,000 new attack techniques every month, and those findings feed directly into F5 AI Guardrails policies. The result is a feedback loop between attack discovery and live defense.
Which regulations require audit trails for AI-driven decisions?
Several overlapping frameworks now demand traceability for AI-driven decisions. The EU AI Act is in force. In the US, updates to the HIPAA Security Rule are on the HHS agenda for May 2026; NIST's AI Risk Management Framework provides guidance for federal contractors and regulated industries; FINRA Regulatory Notice 24-09 covers AI in financial services; and the Algorithmic Accountability Act is pending in Congress. Standard application logs do not meet any of their audit requirements.
Can a standard WAF protect AI applications?
A standard WAF protects the web and API surface around an application, but it was not built to inspect the content of prompts or model outputs. It will not catch prompt injection, concealed instructions buried in retrieved documents, or sensitive data leaking in a response. F5 addresses this by combining F5 WAAP for API-layer threats with F5 AI Guardrails for model-layer inspection, so enforcement occurs across the traffic, API, and model layers.