Skip to main content
TopAIThreats home TOP AI THREATS
Governance Concept

Defense in Depth

A security strategy that employs multiple independent layers of protection so that if one layer fails, subsequent layers continue to provide security. Applied to AI systems, defense in depth combines input validation, output filtering, sandboxing, access controls, monitoring, and human oversight to mitigate threats that no single control can fully address.

Security & Cyber Agentic Systems

Definition

Defense in depth is a security architecture principle borrowed from military strategy that layers multiple independent defensive controls so that the failure of any single control does not result in a complete security breach. In traditional cybersecurity, this includes network firewalls, intrusion detection, endpoint protection, access controls, and logging. For AI systems, defense in depth extends to include prompt-level input validation, classifier-based injection detection, output filtering, tool-use sandboxing, permission boundaries, rate limiting, anomaly detection, and human-in-the-loop approval for high-risk actions. No single defense can fully prevent AI-specific attacks such as prompt injection; layered defenses are the accepted best practice.

How It Relates to AI Threats

Defense in depth is essential across the Security and Cyber Threats domain because AI systems face attacks at multiple layers simultaneously. A prompt injection attempt might bypass input validation but be caught by output filtering. A jailbreak might circumvent one guardrail but trigger an anomaly detector. The strategy acknowledges that AI systems operating on natural language cannot achieve the deterministic security guarantees of traditional software, making redundant controls necessary. OWASP, NIST, and MITRE ATLAS all recommend defense in depth as the primary security architecture for LLM-integrated applications.

Why It Occurs

  • No single security control can reliably prevent all prompt injection variants or adversarial inputs
  • AI systems process unstructured natural language, making deterministic input validation impossible
  • The evolving nature of adversarial techniques means that any individual defense will eventually be bypassed
  • AI applications often span multiple trust boundaries (user input, retrieval sources, tool outputs) each requiring independent protection
  • Regulatory frameworks including the EU AI Act require demonstrable multi-layered risk mitigation for high-risk AI systems

Real-World Context

The shift toward defense in depth for AI systems accelerated after researchers demonstrated that individual guardrails and content filters could be bypassed through creative prompt engineering. The OWASP Top 10 for LLM Applications recommends defense in depth as the overarching mitigation strategy. Major AI providers including Anthropic, OpenAI, and Google DeepMind have published technical documentation describing their multi-layered safety architectures as implementations of defense in depth.

Related Threat Patterns

Prompt Injection Attack Security & Cyber Jailbreak & Guardrail Bypass Security & Cyber

Related Terms

Guardrail Input Validation Least Privilege Output Sandboxing
← Back to Glossary → Taxonomy → All Domains

Last updated: 2026-04-03