15.3.3 Isolation Procedures

2025.10.06.
AI Security Blog

An alert fires. Your flagship AI agent is making unauthorized external API calls, and its outputs have become nonsensical, hinting at a successful adversarial attack. The model is live, serving thousands of users. Before you can analyze the damage or roll back to a stable version, you must stop the bleeding. Your immediate priority is to contain the threat. This is the domain of isolation—the critical, time-sensitive process of cutting off a compromised system to prevent further harm.

The Goal of Isolation: Creating a Digital Quarantine

In traditional incident response, you might unplug a server from the network. With AI systems, the concept is the same, but the implementation is more nuanced. The goal is to create a controlled environment where the compromised model can do no more damage while you investigate. Effective isolation procedures are designed to achieve several objectives simultaneously:

Kapcsolati űrlap - EN

Do you have a question about AI Security? Reach out to us here:

  • Prevent Data Exfiltration: Stop the model from leaking sensitive data it has access to.
  • Halt Malicious Actions: If the AI is an agent with agency (e.g., ability to execute code, manage infrastructure), isolation stops it from taking further destructive actions.
  • Stop Propagation: Prevent the spread of adversarial inputs or corrupted outputs to other systems or users.
  • Preserve Evidence: Isolate the system in a state that allows for forensic analysis without tipping off an attacker that they have been fully detected and ejected.

Think of isolation not as a single action, but as a series of concentric walls you can raise around the AI system, from the network perimeter down to the individual process.

Diagram of layered AI system isolation. Network Isolation Service / API Isolation Resource Isolation Process / Container AI CONTAIN
Figure 15.3.3.1 – Layered Isolation Model. Each layer represents a different control plane for containing a compromised AI system, from broad network controls to specific process termination.

Tactical Isolation Layers

A defense-in-depth strategy for isolation means you have multiple mechanisms at your disposal. Depending on the severity and nature of the incident, you can apply one or more of these tactics.

1. Network Isolation

This is your broadest and often fastest tool. By manipulating network rules, you can effectively place the AI system in a digital “penalty box,” cutting off its communication with the outside world or other internal systems.

  • Egress Filtering: The most critical first step. Modify firewall or cloud security group rules to block all outbound traffic from the model’s host. This immediately stops data exfiltration and callbacks to attacker-controlled servers.
  • Ingress Filtering: Block incoming traffic to the model’s API endpoints to prevent attackers from sending further malicious inputs. This can be a blanket block or targeted to specific IP ranges.
  • VLAN Shunting: Move the compromised host to a quarantined Virtual Local Area Network (VLAN) that has no routes to production resources, allowing only for forensic access from a security team’s jump box.

2. Service & API Isolation

A more surgical approach involves disabling the pathways to the model without taking the entire underlying server offline. This is often done at the API gateway or load balancer level.


# Pseudocode for an API Gateway rule modification
#
# Objective: Temporarily disable the '/v1/chat/completions' endpoint for the compromised model
# while leaving other endpoints or models active.

- rule: id=isolate-model-alpha
  action: block
  priority: 1
  match:
    path: "/v1/chat/completions"
    headers:
      x-model-id: "model-alpha-v2"
  # This rule immediately returns a 503 Service Unavailable error
  # for any requests to the compromised model endpoint.

3. Resource Isolation

A compromised model is only as dangerous as the resources it can access. By revoking its permissions, you defang it. This is a crucial step to prevent pivot attacks within your infrastructure.

  • Revoke IAM Roles: In cloud environments, detach the IAM (Identity and Access Management) role from the virtual machine or container running the model. This instantly revokes its permissions to access databases, storage buckets (like S3), and other cloud services.
  • Database Credential Rotation: If the model uses static credentials to access a database, immediately rotate them and do not provide the new credentials to the compromised service.
  • Filesystem Permissions: Change filesystem permissions to read-only for directories the model previously had write access to, preventing it from modifying files or writing malicious scripts.

4. Process & Container Isolation

This is the most direct and definitive form of isolation: terminating the running process. In modern, containerized deployments, this is a clean and effective way to stop the model in its tracks.


# Example using Kubernetes to immediately scale down a compromised deployment
#
# This command tells Kubernetes to reduce the number of running pods for the
# 'generative-agent-api' deployment to zero, effectively shutting it down.
# The deployment configuration remains, allowing for easy restart after investigation.

kubectl scale deployment/generative-agent-api --replicas=0 -n ai-production

Graduated Response: Matching the Tactic to the Threat

Not every incident requires a full system shutdown. A key part of your incident response plan should be a framework for deciding how aggressively to isolate based on the evidence available. Overreacting can cause unnecessary downtime, while underreacting allows an attack to escalate.

Threat Level Example Scenario Primary Isolation Tactic(s) Objective
Low Minor prompt injection detected, generating harmless but non-compliant output. – API rate-limiting for specific users/IPs.
– Enable “safe mode” or enhanced filtering.		 Degrade service for suspicious actors without full outage; gather data.
Medium Model is leaking non-critical internal metadata (e.g., library versions) in its responses. – Service/API Isolation (disable specific endpoint).
– Resource Isolation (revoke access to non-essential data sources).		 Contain the leak; prevent escalation while maintaining core service.
High Model is being used to exfiltrate PII from a connected database. – Network Isolation (block egress traffic).
– Resource Isolation (revoke all database credentials immediately).		 Stop data loss immediately; preserve the host for forensics.
Critical An AI agent with production access is executing unauthorized infrastructure changes. – Process/Container Isolation (kill the process).
– Full Network Isolation (quarantine host).
– Revoke all IAM roles.		 Total and immediate containment to prevent catastrophic damage.

Automation vs. Manual Intervention

Your isolation procedures should blend automated and manual steps. Automated responses, triggered by high-confidence security alerts (e.g., a known malicious payload), can execute network or API isolation in milliseconds. However, more ambiguous situations benefit from manual intervention by a human analyst who can apply graduated responses and avoid causing a major outage based on a false positive. The best strategy is often an automated “soft” isolation (like flagging or rate-limiting) that buys time for a human to perform a “hard” isolation if necessary.

With the immediate threat contained through these isolation procedures, you have bought yourself critical time. The system is stable, the attack has been halted, and you can now move from reactive containment to methodical investigation and recovery, which begins with a post-incident analysis.

15.3.2 Model rollback strategies

2025.10.06.

15.3.4 Post-incident analysis

2025.10.06.

Contact

Attila Rácz-Akácosi, AI Security Strategy Consultant, Aiq.hu ©

Send an email with the details, and I will help you outline concrete steps toward safer AI operation.
Ai Red Teaming Hungary, Global Ai Safety / LLM Security Audit

Ai Red Teaming Dictionary

AI Security Audit - Checklist