Managing AI-SPM rules
Rules define the specific criteria AQtive Guard uses to evaluate the security and compliance posture of your AI assets. These rules are applied during the scanning process and generate issues when violations are detected.
AQtive Guard provides two types of AI-SPM rules, accessed via the Profiles page:
- Built-in AI-SPM rules: Predefined checks developed by the AQtive Guard AI security team based on industry standards, threat research, and best practices.
- Custom AI-SPM rules: Flag deviations from policies you define to enforce specific organizational governance and compliance standards.
Built-in AI-SPM rules
To view the AI-SPM Built-in rules list:
- From the AQG main menu, select Profiles.
- Select the AI-SPM rules tab, then select the Built-in tab.
AI-SPM Built-in rules table
The table provides a high-level overview of each rule:
- Name - The unique name or identifier of the rule (for example, Missing input guardrails, Low jailbreak-resistance score).
- AI-SPM objects analyzed - The type of asset the rule evaluates (Models / Agents / MCP servers).
- Description - A brief summary of the policy or check performed by the rule.
- Details - Opens the Rule details panel for expanded risk information and specifications.
Built-in rule details panel
Select Details for any built-in rule to view comprehensive documentation and technical specifications for that rule.
- Rule description - A summary of the rule purpose.
- Risk factors - Explains the security and compliance consequences of violating the rule. This section is organized into Governance/Compliance (citing standards like NIST AI RMF and OWASP LLM Top-10) and Security.
- Specifications - Technical details defining how the rule is triggered:
- Trigger - The condition in the asset properties or relationships that caused the issue to be flagged.
- Severity - The severity level assigned when the rule is triggered (Low / Medium / High).
- Applies to - The type of object the rule is run against (Models / Agents / MCP servers).
Custom AI-SPM rules
To view the AI-SPM Custom rules list:
- From the AQG main menu, select Profiles.
- Select the AI-SPM rules tab, then select the Custom tab.
AI-SPM Custom rules table
The table provides a high-level overview of each rule:
- Name - The unique user-provided name or identifier of the rule.
- AI-SPM objects analyzed - The type of asset the rule evaluates (Models / Agents / MCP servers).
- Description - A brief summary of the policy or check performed by the rule.
- Details - Opens the Rule details panel for expanded information and specifications.
Custom rule details panel
Select Details for any custom rule to view its current status and configuration.
- Rule Status: If the rule has been deactivated, a warning banner appears stating: Rule deactivated. Its past issues remain visible.
- Rule Name: The user-provided name or identifier of the rule.
- Severity: The severity level assigned when the rule is triggered.
- AI-SPM objects analyzed: The asset types the rule applies to (Models, Agents, MCP servers).
- Restricted … : The label depends on the rule template. It lists the specific objects the policy is configured to flag:
- Restricted assets - user-provided asset names.
- Restricted suppliers - selected from drop-down list.
- Restricted libraries - user-provided development framework or library.
- Restricted hosting type - Managed / Self-hosted.
Create a new AI-SPM custom rule
Custom rules allow you to set and enforce specific governance and compliance standards that are unique to your organization. These rules are accessible via the Custom tab on the AI-SPM rules page.
To create a new AI-SPM Custom rule:
- From the AQG main menu, select Profiles.
- Select the AI-SPM rules tab, then select the Custom tab.
- Select the + Add rule button to open the New custom rule builder.
- Select a Rule Template. The dropdown provides pre-defined policy structures that target different asset properties:
- Flag specific models, agents, or servers: Flags assets based on their exact name or identifier.
- Flag assets from specific suppliers: Flags assets based on the distribution platform (Supplier).
- Flag assets from specific libraries: Flags assets based on the development framework (Library).
- Flag assets of specific hosting type: Flags assets based on their deployment environment (Self-hosted / Managed).
- Configure the remaining required fields:
- Rule name: Provide a unique and descriptive name for the rule (such as High risk AI assets).
- Restricted assets / Asset names: The label depends on the template chosen. Enter the exact asset names, suppliers, libraries, or hosting type (Managed / Self-hosted) that the rule should flag.
- Severity: Select the severity level assigned when the rule is triggered (Critical / High / Medium / Low / Informational).
- Select Create to save the rule and activate it on all future scans.
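The following is an added example of how the four custom-rule templates described above behave when applied to an asset inventory: each rule inspects one asset property (name, supplier, library or hosting type), fires only on the asset kinds it applies to, and carries the severity chosen in the builder. It is illustrative code written for this page, not AQtive Guard's implementation; the attribute names, the case-insensitive matching, and the way issues from a deactivated rule are carried over from an earlier scan are assumptions modelled on the page's description.

```python
"""Added example: evaluator for the four custom-rule templates (flag by asset
name, supplier, library, or hosting type).  Not AQtive Guard code; attribute
names, case-insensitive matching and deactivation handling are assumptions."""
from dataclasses import dataclass

# Severity levels offered by the custom rule builder, most severe first.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Informational")
SEVERITY_RANK = {s: i for i, s in enumerate(SEVERITIES)}

# Rule template -> asset property it inspects (assumed attribute names).
TEMPLATES = {
    "asset_name": "name",             # Flag specific models, agents, or servers
    "supplier": "supplier",           # Flag assets from specific suppliers
    "library": "library",             # Flag assets from specific libraries
    "hosting_type": "hosting_type",   # Flag assets of specific hosting type
}
ASSET_KINDS = frozenset({"Model", "Agent", "MCP server"})
HOSTING_TYPES = frozenset({"managed", "self-hosted"})


@dataclass(frozen=True)
class Asset:
    kind: str          # Model / Agent / MCP server
    name: str
    supplier: str      # distribution platform
    library: str       # development framework
    hosting_type: str  # Managed / Self-hosted


@dataclass
class CustomRule:
    name: str
    template: str           # key of TEMPLATES
    restricted: frozenset   # values the rule flags
    severity: str
    applies_to: frozenset   # subset of ASSET_KINDS
    active: bool = True

    def __post_init__(self):
        if self.template not in TEMPLATES:
            raise ValueError(f"unknown template {self.template!r}")
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        self.applies_to = frozenset(self.applies_to)
        if not self.applies_to or not self.applies_to <= ASSET_KINDS:
            raise ValueError(f"invalid asset kinds {sorted(self.applies_to)}")
        # Match values case-insensitively and ignore stray whitespace (assumption).
        self.restricted = frozenset(v.strip().lower() for v in self.restricted)
        if self.template == "hosting_type" and not self.restricted <= HOSTING_TYPES:
            raise ValueError("hosting type must be Managed or Self-hosted")


@dataclass(frozen=True)
class Issue:
    rule: str
    severity: str
    asset: str
    kind: str
    trigger: str   # property and value that caused the flag


def matches(rule: CustomRule, asset: Asset) -> bool:
    """True when the asset kind is in scope and the inspected property is restricted."""
    if asset.kind not in rule.applies_to:
        return False
    value = getattr(asset, TEMPLATES[rule.template])
    return value.strip().lower() in rule.restricted


def evaluate(rules, assets, prior_issues=()):
    """Scan `assets` with every active rule.  Issues an earlier scan raised under a
    rule that is now deactivated are carried over (the page: a deactivated rule's
    past issues remain visible); issues of active rules are regenerated so that
    stale ones drop out."""
    inactive = {r.name for r in rules if not r.active}
    issues = [i for i in prior_issues if i.rule in inactive]
    for rule in rules:
        if not rule.active:
            continue
        for asset in assets:
            if matches(rule, asset):
                prop = TEMPLATES[rule.template]
                issues.append(Issue(rule.name, rule.severity, asset.name, asset.kind,
                                    f"{prop} = {getattr(asset, prop)!r}"))
    return sorted(issues, key=lambda i: (SEVERITY_RANK[i.severity], i.asset, i.rule))


def summarize(issues):
    """Issue count per severity, most severe first (only levels that occur)."""
    counts = {}
    for i in issues:
        counts[i.severity] = counts.get(i.severity, 0) + 1
    return {s: counts[s] for s in SEVERITIES if s in counts}


# Constructed sample inventory and rules (not real assets or policies).
ASSETS = [
    Asset("Model", "llama-3-8b", "Hugging Face", "transformers", "Self-hosted"),
    Asset("Agent", "support-bot", "Internal", "LangChain", "Managed"),
    Asset("MCP server", "filesystem-mcp", "GitHub", "fastmcp", "Self-hosted"),
    Asset("Model", "gpt-4o", "OpenAI", "openai", "Managed"),
]
RULES = [
    CustomRule("High risk AI assets", "asset_name", frozenset({"Llama-3-8B"}),
               "High", frozenset({"Model"})),
    CustomRule("Unapproved suppliers", "supplier", frozenset({"GitHub"}),
               "Medium", ASSET_KINDS),
    CustomRule("Legacy framework", "library", frozenset({"LangChain"}),
               "Low", frozenset({"Agent"}), active=False),
    CustomRule("Self-hosted review", "hosting_type", frozenset({"Self-hosted"}),
               "Informational", frozenset({"Model", "MCP server"})),
]
# Issue the (now deactivated) library rule raised on an earlier scan; it must survive.
PRIOR_ISSUES = [Issue("Legacy framework", "Low", "support-bot", "Agent", "library = 'LangChain'")]

if __name__ == "__main__":
    found = evaluate(RULES, ASSETS, PRIOR_ISSUES)
    for issue in found:
        print(f"[{issue.severity}] {issue.rule}: {issue.kind} {issue.asset} ({issue.trigger})")
    print(summarize(found))
```

Run as-is, the sample produces one High, one Medium, one carried-over Low and two Informational issues; the Managed `gpt-4o` model triggers nothing. Note that the name template matches whole identifiers only, so every variant you want flagged must be listed.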