Skip to content

Module 8 — Summary

Type: Theory · Duration: ~3 min · Status: Mandatory

Video script

[SLIDE 1 — Module 8 wrap]

Module 8 wrap. You learned to operationalize NIST AI RMF as a program rather than a paper exercise — risk register, control library, measurement suite, governance cadence. You designed an EU AI Act compliance program for high-risk systems with all five components: risk management, data governance, technical documentation, record-keeping, human oversight. You walked Article 11 / Annex IV section by section and built a real Article-11-shaped documentation skeleton for the Module 1 RAG. You learned org-design patterns for AI security programs, vendor management with AI-specific questionnaires, the cross-jurisdictional reporting matrix when an incident lands, and the model card / system card / data sheet / AI-BOM documentation stack.

The hardest single takeaway: governance is not separate from engineering. The system card you wrote in L8.7 references the threat model you wrote in L2.6, the defense measurements from L7.7, the IR playbook from L7.9, the AI-BOM from L4.9. Every governance artifact is an assembly of engineering outputs. The AI security engineer who can produce both — the engineering work and the governance artifacts that wrap it — is the AI security engineer who gets hired, gets promoted, and gets to design the program.

[SLIDE 2 — What changes in Module 9]

Module 9 is the capstone. The Helios Health scenario: you're the first AI security engineer at Helios Health, a fictional SaaS launching an LLM-powered medical-records assistant with tool access — read patient records, draft messages, search a knowledge base. Your deliverable: a full report. Threat model, red-team findings, remediation plan, pre-launch checklist tied to NIST AI RMF and EU AI Act. About 4 hours. Everything from M0 through M8 culminates here.

See you in Module 9.

Slide outline

  1. Module 8 wrap — five-checkmark recap + "governance is not separate from engineering" landing point.
  2. What's next — Module 9 capstone teaser.

Production notes

  • Recording: 2-3 min raw.
  • Same "Module N → Module N+1" visual convention; this one bridges to the capstone, so the framing matters more than usual.