Best Practices
Comprehensive best practices for securing AI APIs including gateway configuration, monitoring and alerting, cost attack prevention, compliance requirements, and security testing strategies.
API Gateway Configuration
An API gateway is your first line of defense. Configure it specifically for AI workloads:
```yaml
# AI API Gateway Configuration
security:
  authentication:
    type: api_key
    header: X-API-Key
    validate_on: every_request
  rate_limiting:
    requests_per_minute: 60
    tokens_per_minute: 100000
    concurrent_requests: 5
    algorithm: sliding_window
  input_validation:
    max_payload_size: 1MB
    max_prompt_tokens: 32000
    content_filter: enabled
    injection_detection: enabled
  output_validation:
    pii_filter: enabled
    safety_classifier: enabled
    max_response_tokens: 4096
  logging:
    access_logs: enabled
    request_body: hashed
    response_body: disabled  # Privacy
    anomaly_detection: enabled
```
Monitoring and Alerting
AI APIs require specialized monitoring beyond traditional API metrics:
| Metric | Alert Threshold | Indicates |
|---|---|---|
| Token consumption spike | >3x normal rate | Possible cost attack or compromised key |
| Error rate increase | >5% 4xx/5xx responses | Input validation catching attacks, or service issues |
| New API key usage from unusual IP | Any new geo-location | Possible credential theft |
| PII detection rate | >1% of responses | Model leaking training data or user data |
| Injection detection triggers | >10 per hour per user | Active attack attempt |
| Latency degradation | P99 >2x baseline | DoS attack or resource exhaustion |
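The checks in the table above, run over a small constructed usage log. This is an added example written for this page, not tooling from Lilly Tech Systems; the record fields (`key`, `ts`, `geo`, `tokens`, `status`, `injection`, `pii`, `latency_ms`), the baselines and the known-geo list are assumptions, while the thresholds are the ones the table states.

```python
"""Alert evaluation for AI API usage records, mirroring the alert table above.

Added example. Record layout, baselines and the known-geo map are assumptions;
the thresholds (3x tokens, 5% errors, any new geo, 1% PII, 10 injections/hour,
2x P99 latency) are the table's.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: one dict per request (hypothetical field names).
SAMPLE_RECORDS = [
    # key k1: ten ordinary requests of 500 tokens from its usual country, no flags
    *[{"key": "k1", "ts": 3600 + i * 60, "geo": "DE", "tokens": 500,
       "status": 200, "injection": False, "pii": False, "latency_ms": 400}
      for i in range(10)],
    # key k2: twenty 8000-token requests within one hour from an unseen country,
    # twelve of which tripped the injection detector
    *[{"key": "k2", "ts": 3600 + i * 30, "geo": "XX", "tokens": 8000,
       "status": 200, "injection": i < 12, "pii": False, "latency_ms": 450}
      for i in range(20)],
]
BASELINES = {"tokens_per_hour": {"k1": 6000, "k2": 6000}, "p99_latency_ms": 500}
KNOWN_GEOS = {"k1": {"DE"}, "k2": {"DE"}}   # countries each key has been seen from


def percentile(values, pct):
    """Nearest-rank percentile; sufficient for a monitoring check."""
    ordered = sorted(values)
    idx = max(0, math.ceil(pct / 100 * len(ordered)) - 1)
    return ordered[idx]


def evaluate(records, baselines, known_geos):
    """Return a list of (metric, key, value) alerts for the given records."""
    alerts = []
    tokens = Counter()        # (key, hour) -> tokens consumed
    injections = Counter()    # (key, hour) -> injection detector hits
    per_key = defaultdict(list)
    for r in records:
        hour = r["ts"] // 3600
        tokens[(r["key"], hour)] += r["tokens"]
        if r["injection"]:
            injections[(r["key"], hour)] += 1
        per_key[r["key"]].append(r)

    # Token consumption spike: >3x the key's normal hourly rate
    for (key, _hour), total in tokens.items():
        if total > 3 * baselines["tokens_per_hour"][key]:
            alerts.append(("token_spike", key, total))
    # Injection detection triggers: >10 per hour per user
    for (key, _hour), hits in injections.items():
        if hits > 10:
            alerts.append(("injection_burst", key, hits))
    for key, rows in per_key.items():
        # New geo-location for a key: any country not previously seen
        for geo in sorted({r["geo"] for r in rows} - known_geos.get(key, set())):
            alerts.append(("new_geo", key, geo))
        # Error rate: >5% of responses are 4xx/5xx
        error_rate = sum(1 for r in rows if r["status"] >= 400) / len(rows)
        if error_rate > 0.05:
            alerts.append(("error_rate", key, error_rate))
        # PII detection rate: >1% of responses flagged
        pii_rate = sum(1 for r in rows if r["pii"]) / len(rows)
        if pii_rate > 0.01:
            alerts.append(("pii_rate", key, pii_rate))
    # Latency degradation: P99 above 2x baseline across all traffic
    p99 = percentile([r["latency_ms"] for r in records], 99)
    if p99 > 2 * baselines["p99_latency_ms"]:
        alerts.append(("latency", "*", p99))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS, BASELINES, KNOWN_GEOS):
        print(alert)
```

Each alert carries the metric name, the key it concerns and the observed value, so a downstream alerting rule can route token spikes and new-geo hits straight to a key-revocation workflow while error-rate and latency alerts go to the service owners.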
Security Testing for AI APIs
Prompt Injection Testing
Maintain a library of injection payloads and test regularly. Include direct injection, indirect injection (via retrieved documents), and multi-turn escalation attacks.
Authentication Testing
Test key revocation, expiration, scope enforcement, and rate limit bypass. Verify that invalid, expired, and revoked keys are properly rejected.
Cost Attack Simulation
Simulate cost attacks in staging: max-length inputs, rapid-fire requests, and concurrent connection floods. Verify that spending caps and rate limits hold.
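An added example, not code from this page or from Lilly Tech Systems, that ties together the gateway configuration's rate-limiting block, the cost-attack simulation described here and the checklist's token-based limits: a per-user sliding-window limiter enforcing the configured request, token, concurrency and prompt-length limits plus a spending cap, with two staging drills run against it. The per-token price, the cap and the drill shapes are assumptions.

```python
"""Sliding-window limiter with a spending cap, plus staging cost-attack drills.

Added example. The limit values mirror the gateway config on this page; the
price per 1k tokens, the spending cap and the drill parameters are assumptions.
Time is passed in explicitly so behaviour is deterministic and testable.
"""
from collections import deque

LIMITS = {                       # values from the gateway configuration above
    "requests_per_minute": 60,
    "tokens_per_minute": 100_000,
    "concurrent_requests": 5,
    "max_prompt_tokens": 32_000,
}
PRICE_PER_1K_TOKENS = 0.01       # assumed price used for the spending cap
SPENDING_CAP_USD = 5.00          # assumed per-user cap


class UserLimiter:
    """Per-user limiter; one instance per API consumer."""

    def __init__(self, limits=LIMITS, window=60.0, cap_usd=SPENDING_CAP_USD):
        self.limits = limits
        self.window = window
        self.cap_usd = cap_usd
        self.events = deque()    # (timestamp, prompt_tokens) inside the window
        self.in_flight = 0
        self.spent_usd = 0.0

    def _trim(self, now):
        """Drop events that have slid out of the window."""
        while self.events and self.events[0][0] <= now - self.window:
            self.events.popleft()

    def admit(self, now, prompt_tokens):
        """Return (allowed, reason); an allowed request is counted as in flight."""
        self._trim(now)
        if prompt_tokens > self.limits["max_prompt_tokens"]:
            return False, "prompt_too_long"
        if self.in_flight >= self.limits["concurrent_requests"]:
            return False, "too_many_concurrent"
        if len(self.events) >= self.limits["requests_per_minute"]:
            return False, "request_rate"
        used = sum(t for _, t in self.events)
        if used + prompt_tokens > self.limits["tokens_per_minute"]:
            return False, "token_rate"
        cost = prompt_tokens / 1000 * PRICE_PER_1K_TOKENS
        if self.spent_usd + cost > self.cap_usd:
            return False, "spending_cap"
        self.events.append((now, prompt_tokens))
        self.in_flight += 1
        self.spent_usd += cost
        return True, "ok"

    def finish(self):
        """Call when a request completes to release its concurrency slot."""
        self.in_flight = max(0, self.in_flight - 1)


def simulate_cost_attack(limiter, start=0.0, requests=200, tokens=32_000, gap=0.1):
    """Rapid-fire max-length prompts, each completed immediately.
    Returns counts by outcome; the limits hold if 'allowed' stays within the
    per-minute token budget."""
    outcome = {"allowed": 0}
    for i in range(requests):
        ok, reason = limiter.admit(start + i * gap, tokens)
        if ok:
            outcome["allowed"] += 1
            limiter.finish()
        else:
            outcome[reason] = outcome.get(reason, 0) + 1
    return outcome


def simulate_concurrent_flood(limiter, now=0.0, connections=20, tokens=1_000):
    """Open many requests without completing any; the concurrency cap must hold."""
    outcome = {"allowed": 0}
    for _ in range(connections):
        ok, reason = limiter.admit(now, tokens)
        if ok:
            outcome["allowed"] += 1
        else:
            outcome[reason] = outcome.get(reason, 0) + 1
    return outcome


if __name__ == "__main__":
    print("max-length burst:", simulate_cost_attack(UserLimiter()))
    print("connection flood:", simulate_concurrent_flood(UserLimiter()))
```

With the configured budgets, the max-length drill admits three 32,000-token prompts (96,000 tokens) and rejects the rest for the rest of the window, and the flood drill admits exactly five connections; if a change to the gateway lets either figure grow, the staging run catches it before it reaches a bill.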
AI API Security Checklist
Authentication
API keys with hashed storage, expiration, scoping, and automated rotation. Consider OAuth2 for user-facing applications.
Rate Limiting
Token-based rate limiting with per-user quotas, spending caps, and concurrent request limits.
Input Security
Schema validation, payload size limits, prompt injection detection, and content safety filtering.
Output Security
PII detection and redaction, content safety classification, system prompt leak prevention.
Monitoring
Real-time usage analytics, anomaly detection, cost tracking, and automated alerting.
Incident Response
Key revocation procedures, model rollback, abuse investigation, and customer notification processes.
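An added example, not code from this page or from Lilly Tech Systems, covering the checklist's authentication item (hashed key storage, expiration, scoping, rotation) together with the Authentication Testing section's requirement that invalid, expired and revoked keys are rejected. The key format (`key_id.secret`), the scope names, the HMAC pepper and the lifetimes are assumptions.

```python
"""API key lifecycle with hashed storage, expiry, scopes, revocation and rotation.

Added example. The key format, scope names, pepper and TTLs are assumptions.
Only a keyed hash of each secret is stored, so a database leak does not yield
usable keys; the secret is shown to the caller exactly once, on issue.
"""
import hashlib
import hmac
import secrets


class KeyStore:
    def __init__(self, pepper: bytes, default_ttl: float = 30 * 86400):
        self._pepper = pepper            # server-side secret, kept out of the DB
        self._keys = {}                  # key_id -> record (no plaintext secret)
        self.default_ttl = default_ttl

    def _digest(self, secret: str) -> str:
        return hmac.new(self._pepper, secret.encode(), hashlib.sha256).hexdigest()

    def issue(self, owner, scopes, now, ttl=None) -> str:
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = {
            "owner": owner,
            "digest": self._digest(secret),
            "scopes": frozenset(scopes),
            "expires_at": now + (ttl or self.default_ttl),
            "revoked": False,
        }
        return f"{key_id}.{secret}"      # returned once; only the digest is kept

    def revoke(self, key_id):
        if key_id in self._keys:
            self._keys[key_id]["revoked"] = True

    def _verify(self, presented, now):
        """Return (record, key_id, reason); record is None on any failure."""
        parts = presented.split(".", 1)
        if len(parts) != 2:
            return None, None, "malformed"
        key_id, secret = parts
        rec = self._keys.get(key_id)
        # Always run the comparison, against a dummy digest if the id is unknown,
        # so unknown and wrong-secret paths take the same time.
        expected = rec["digest"] if rec else self._digest("")
        valid = hmac.compare_digest(expected, self._digest(secret))
        if rec is None:
            return None, key_id, "unknown_key"
        if not valid:
            return None, key_id, "bad_secret"
        if rec["revoked"]:
            return None, key_id, "revoked"
        if now >= rec["expires_at"]:
            return None, key_id, "expired"
        return rec, key_id, "ok"

    def authorize(self, presented, scope, now):
        """Return (allowed, reason) for a presented key and the scope it needs."""
        rec, _, reason = self._verify(presented, now)
        if rec is None:
            return False, reason
        if scope not in rec["scopes"]:
            return False, "insufficient_scope"
        return True, "ok"

    def rotate(self, presented, now, ttl=None) -> str:
        """Issue a replacement with the same owner and scopes, then revoke the old key."""
        rec, key_id, reason = self._verify(presented, now)
        if rec is None:
            raise PermissionError(reason)
        new_key = self.issue(rec["owner"], rec["scopes"], now, ttl)
        self.revoke(key_id)
        return new_key


def run_auth_checks(now=1_000_000.0):
    """The Authentication Testing scenarios, returned as a dict for assertion."""
    store = KeyStore(pepper=b"constructed-pepper-for-this-example")
    key = store.issue("alice", {"chat:read"}, now, ttl=3600)
    tampered = key[:-1] + ("A" if key[-1] != "A" else "B")
    results = {
        "valid": store.authorize(key, "chat:read", now),
        "bad_secret": store.authorize(tampered, "chat:read", now),
        "malformed": store.authorize("not-a-key", "chat:read", now),
        "unknown": store.authorize("0" * 16 + ".secret", "chat:read", now),
        "scope": store.authorize(key, "admin:write", now),
        "expired": store.authorize(key, "chat:read", now + 3601),
    }
    new_key = store.rotate(key, now)
    results["old_after_rotate"] = store.authorize(key, "chat:read", now)
    results["new_after_rotate"] = store.authorize(new_key, "chat:read", now)
    store.revoke(new_key.split(".")[0])
    results["revoked"] = store.authorize(new_key, "chat:read", now)
    return results


if __name__ == "__main__":
    for name, outcome in run_auth_checks().items():
        print(f"{name:18} {outcome}")
```

`run_auth_checks` is the shape of a regression test a team would keep in CI: every rejection path (malformed, unknown, wrong secret, expired, revoked, out of scope) is exercised, and rotation is checked to invalidate the old key rather than merely add a new one.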
Compliance Considerations
- Data residency: Ensure AI API requests and responses are processed in compliant regions. Some regulations require data to stay within specific geographic boundaries.
- Consent management: If AI processes personal data, verify that appropriate consent has been obtained. Track consent status per API consumer.
- Right to explanation: Under GDPR Article 22, automated decisions must be explainable. Log sufficient information to explain any AI-driven decision.
- Data retention: Define how long API request/response logs are retained. Balance security monitoring needs with privacy requirements.
Lilly Tech Systems