Module 7 — Quiz¶

Type: Quiz · Duration: ~10 min · Status: Mandatory · Pass mark: 70% (9 of 12) Module: Module 7 — Securing the AI Pipeline (MLSecOps & Defenses)

Question 1 (multiple choice)¶

What is AI-SDLC?

a) A new SDLC that replaces existing engineering practices. b) The discipline of integrating AI/ML-specific security activities into a software development lifecycle — existing SDLC plus AI-specific gates. c) A vendor-side compliance tool. d) A subset of GDPR.

Answer: b

Question 2 (short)¶

Name the four AI-specific gates that don't exist in a classical SDLC.

Answer: Model selection gate; fine-tune / training-data gate; pre-launch red-team gate; post-incident retraining gate.

Question 3 (multiple choice)¶

Which lifecycle stages does the application team typically own end-to-end?

a) Data, Train, Eval b) Deploy, Monitor, Fine-tune c) All six stages d) None — all are vendor-controlled

Answer: b

Question 4 (short)¶

What does Sigstore-for-models add, and what does it not close?

Answer: Adds: cryptographic signature over the file, verified signer identity, transparency log entry. Doesn't close: legitimate publisher's compromised credentials, signed-but-malicious models (publisher might be the attacker), most provenance gaps about how the model was trained.

Question 5 (multiple choice)¶

Name the four guardrail placements in an LLM pipeline.

a) Header, body, footer, response b) Input, retrieval, model-level, output c) Pre-train, train, post-train, deploy d) HTTP, TCP, IP, ethernet

Answer: b

Question 6 (multiple choice)¶

Why is structured output the highest-ROI guardrail for many LLM apps?

a) It increases model accuracy. b) It collapses the attack surface by constraining what the model can emit to a schema, at near-zero latency cost. c) It speeds up training. d) It removes the need for input filters.

Answer: b

Question 7 (short)¶

Describe the dual-LLM pattern in one or two sentences.

Answer: Privileged LLM handles the user's request and orchestrates tools, never sees raw untrusted content. Quarantined LLM processes untrusted content (retrieved docs, web pages, emails) into structured summaries only, never influences tool calls.

Question 8 (multiple choice)¶

Name a critical reason to log tool/agent actions in an LLM application's observability stack.

a) Cost reporting. b) Forensic trail for agent-escape attacks (M3 L3.8 territory) — without the action log you can't reconstruct what an agent did when compromised. c) UX optimization. d) Compliance with classical SDLC.

Answer: b

Question 9 (multiple choice)¶

Which is not one of the four functions of an AI red-team program?

a) Pre-launch red-team b) Periodic red-team c) Vendor-relationship red-team d) Continuous (automated) red-team

Answer: c

Question 10 (multiple choice)¶

When would you reach for promptfoo over Garak?

a) Always; promptfoo is strictly better. b) When you need a CI-friendly eval harness with custom assertions for regression detection on every PR; Garak is for periodic security scans with its pre-built probe library. c) Only for image classifiers. d) Only when running against frontier models.

Answer: b

Question 11 (scenario — short)¶

A team ships a customer-service chatbot with no guardrails, no logging, no eval suite. They ask for your three top recommendations to get to production-grade defensive posture. What do you recommend?

Sample answer: 1. Layered runtime guardrails (L7.7): input filter (Llama Guard), structured output schema for responses, and for any RAG component, the dual-LLM pattern for retrieved content. Measure attack-success-rate before vs after. 2. Prompt/response logging with PII redaction (L7.9): the L7.4.1 six-category log stack with Presidio redaction, retained per policy. Plus at least one abuse-detection query. 3. CI-integrated eval harness (L7.8): promptfoo with safety assertions, blocked-PR pattern. Garak nightly. Catches regressions automatically.

Bonus: pre-launch red-team gate before any major model swap.

Question 12 (scenario — short)¶

A customer reports that your LLM-powered handbook bot emitted an unexpected token "EXFIL-MARKER:" in a response to their employee. Walk the IR playbook in 5 steps.

Sample answer: 1. Confirm: search logs for the reporting tenant in the last hour; find the request_id; verify the marker appears. 2. Identify attack class: this matches L3.7 indirect PI exploit; check retrieved_chunks for instruction-shaped content. 3. Contain: tighten input filter or corpus sanitization; potentially disable the affected feature. 4. Eradicate: find the corpus modification that introduced the payload; revert; re-embed clean corpus; enable dual-LLM pattern. 5. Communicate + post-incident: internal #sec-incident notification; affected customer notification within 72 hrs if data was exposed; EU AI Act Article 73 reporting if applicable; eval-suite update; 14-day post-incident review.

Scoring¶

12 questions, 1 point each. 70% to pass.
Auto-grade Q1, Q3, Q5, Q6, Q8, Q9, Q10. Key-phrase grade Q2, Q4, Q7. Rubric Q11, Q12.