AI security goes far beyond AI.

Adding an LLM call to a product puts security focus primarily on prompt filtering, output guardrails, and input validation.

That is crucial, but it only covers the application layer, and an equally important infra layer needs its own controls.

To understand this, trace a single model call.

The prompt leaves the app, hits a provider endpoint, and depending on their retention policy, it sits in external logs for days.

If that prompt carries any regulated/private data, it moves beyond the app's boundary.

This isn't a failure of prompt filtering since it only governs what goes into the model, and it does not enforce where data can travel/who can store it.

Beyond application-layer controls, two infrastructure-level concerns need their own coverage:

1) The first is per-request.

Every model call moves data outside the app boundary. Who can access it in transit? Is it scoped to the right tenant?

2) The second is posture drift.

Do providers retain the data, and for how long? Can one tenant's prompts reach another tenant's context through unintended disclosure? And do the AI outputs stay inside the compliance boundary that enterprise deals require?

Teams typically solve both in the application code, where each new AI
feature gets its:

- own scoping logic
- own encryption
- own logging

Ten features mean ten separate implementations of the same controls.

Moving both to the infrastructure layer simplifies this.

- If IAM policies control which services can call which endpoints, every new model call will inherit that boundary automatically.

- VPC isolation keeps tenant traffic apart at the network level.

- Encryption covers every data flow by default. Every API call, including model calls, gets logged without the feature code handling any of it.

@awscloud builds this as the managed infra and they have partnered with me today to explain how it works.

Model calls through Bedrock or SageMaker inherit the same IAM, VPC, encryption, and CloudTrail boundaries as every other service.

For instance, IDEMIA runs this pattern in production. The company handles identity data for 45+ US government agencies.

After moving to containers on Amazon EKS in AWS GovCloud, they cut costs by 30% and sped up delivery by 4x, with the security coming from the infrastructure, not the application code.

You can read more on how AWS supports ISVs building this way → https://aws.amazon.com/isv/?utm_source=fnf&utm_medium=x&utm_campaign=june&utm_term=apaachar&utm_content=isv

Also, I wrote a detailed breakdown of the 11 components in a production agent harness, the full software layer that wraps an LLM. This post covers what sits underneath it. The harness is only as secure as the layer it runs on.

Read it below.

Stanford researchers proved you are not being rejected by 10 companies. You are being rejected by one algorithm 10 times.

Your score is stored for 330 days. Every company that uses the same vendor sees the same number. They call it the algorithmic blackball.

Researchers at Stanford HAI, Chapman University, and Northeastern University published the largest audit of AI hiring algorithms ever conducted.

The paper is called "Algorithmic Monocultures in Hiring." Published at FAccT 2026, May 26. The data came from Pymetrics, the AI hiring platform used by major Fortune 100 companies.

Here is what they found.

When you apply for a job at a company that uses Pymetrics, you play a series of assessment games. Your scores are stored. For up to 330 days. If another company also uses Pymetrics, your application is evaluated using the same stored scores. You are not getting two separate evaluations. You are getting the same score twice.

If the algorithm rejects you once, it rejects you everywhere.

The researchers call this the "algorithmic blackball." One bad score locks you out of every company that shares the same vendor. You never find out why. You never get a second chance. You just stop hearing back.

They ran a large-scale simulation using real applicant data. The result: over 40,000 job advances were lost because applicants who would have succeeded at one company were screened out by an algorithm calibrated for a different one.

Then they measured who gets hit hardest.

25.87% of Black applicants were routed into algorithmically discriminatory hiring processes. 14.74% of Asian applicants. These are not hypothetical projections. These are rates measured in deployed, real-world hiring systems used by some of the largest employers on earth.

The same algorithm. Applied across companies. Producing the same racial disparities at every one of them.

This is already in the courts. Mobley v. Workday is a federal class-action lawsuit alleging that AI hiring tools systematically discriminate against older, Black, and disabled applicants. The case is ongoing.

In Europe, the EU AI Act classifies hiring algorithms as high-risk AI systems by default. Compliance requirements take effect August 2, 2026. Weeks away.

In the United States, there is no equivalent federal law.

The researchers make four recommendations. Measure adverse impact at the position level. Strengthen cross-employer surveillance. Monitor risks from algorithmic concentration. Create legal pathways for independent researchers to access hiring data.

The last one carries an implicit warning. This study was only possible because Pymetrics voluntarily shared its data. Most vendors would prefer their algorithms remain opaque.

The next time you apply for a job and never hear back, the rejection may not have come from a human. It may have come from a score you received 330 days ago, at a company you have already forgotten, for a role that had nothing to do with the one you just applied to.