Enterprise organizations face unique challenges when adopting AI-assisted development tools. This guide provides battle-tested patterns for maintaining security, ensuring compliance, and scaling AI development across large teams while meeting regulatory requirements.
The Four Pillars of Secure AI Development
// .cursorrules for data protection/** * SECURITY REQUIREMENTS - STRICTLY ENFORCED * * NEVER include in code or prompts: * - API keys, passwords, or secrets * - Customer PII (names, emails, SSNs) * - Internal URLs or IP addresses * - Database connection strings * - Proprietary algorithms or trade secrets * * ALWAYS: * - Use environment variables for sensitive config * - Redact sensitive data in logs * - Encrypt data at rest and in transit */
// Example: Safe data handlingconst user = { id: 'user_123', // Use IDs, not emails role: 'admin', // Never: email: 'john@company.com' // Never: ssn: '123-45-6789'};# pre-commit hook for sensitive data detectionrepos: - repo: https://github.com/Yelp/detect-secrets hooks: - id: detect-secrets args: ['--baseline', '.secrets.baseline'] exclude: .*\.lock$
- repo: local hooks: - id: check-ai-prompts name: Check AI prompts for sensitive data entry: scripts/check-prompts.sh language: script files: \.(md|mdx|cursorrules)$Script example:
#!/bin/bash# Check for potential PII patternsif grep -E "(SSN|[0-9]{3}-[0-9]{2}-[0-9]{4})" "$@"; then echo "❌ Potential SSN found in AI prompts" exit 1fi
# Check for internal domainsif grep -E "@(company|internal)\.com" "$@"; then echo "❌ Internal email domain found" exit 1fi// Data sanitization utilitiesexport class DataSanitizer { static sanitizeForAI(data: any): any { const sensitivePatterns = [ { pattern: /\b\d{3}-\d{2}-\d{4}\b/g, replacement: 'XXX-XX-XXXX' }, // SSN { pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi, replacement: 'user@example.com' }, // Email { pattern: /\b(?:\d{4}[\s-]?){3}\d{4}\b/g, replacement: 'XXXX-XXXX-XXXX-XXXX' }, // Credit card { pattern: /Bearer\s+[A-Za-z0-9\-._~+\/]+=*/g, replacement: 'Bearer [REDACTED]' }, // Auth tokens ];
let sanitized = JSON.stringify(data);
sensitivePatterns.forEach(({ pattern, replacement }) => { sanitized = sanitized.replace(pattern, replacement); });
return JSON.parse(sanitized); }
static createSafeExample(realData: any): any { // Transform real data into safe examples return { ...this.sanitizeForAI(realData), _note: 'This is sanitized example data' }; }}Role-Based AI Access
{ "roles": { "senior_developer": { "models": ["claude-3-opus", "claude-3-sonnet"], "features": ["agent_mode", "multi_file_edit", "terminal_access"], "max_context_size": 200000, "audit_level": "standard" }, "junior_developer": { "models": ["claude-3-sonnet"], "features": ["ask_mode", "single_file_edit"], "max_context_size": 50000, "audit_level": "detailed", "requires_approval": ["database_operations", "deployment_commands"] }, "contractor": { "models": ["claude-3-haiku"], "features": ["ask_mode"], "max_context_size": 20000, "audit_level": "comprehensive", "blocked_patterns": ["production", "customer_data", "internal_api"] } }}Implement Policy Enforcement
// AI Gateway middlewareexport class AIGateway { async enforcePolicy(request: AIRequest, user: User): Promise<void> { const policy = await this.loadPolicy(user.role);
// Check model access if (!policy.models.includes(request.model)) { throw new ForbiddenError(`Model ${request.model} not allowed for role ${user.role}`); }
// Check context size if (request.contextSize > policy.max_context_size) { throw new ValidationError(`Context size exceeds limit for role ${user.role}`); }
// Check blocked patterns if (policy.blocked_patterns) { for (const pattern of policy.blocked_patterns) { if (request.prompt.toLowerCase().includes(pattern)) { throw new ForbiddenError(`Blocked pattern detected: ${pattern}`); } } }
// Log for audit await this.auditLog.record({ user, request, policy, timestamp: new Date() }); }}Monitor and Alert
alerts: - name: sensitive_data_in_prompt condition: prompt_contains_pii severity: high actions: - block_request - notify_security_team - create_incident
- name: excessive_ai_usage condition: usage_exceeds_budget severity: medium actions: - notify_user - notify_manager - throttle_requestsSOC2 Type II Requirements
Essential controls for AI-assisted development:
// Comprehensive audit logging for SOC2interface AIAuditLog { timestamp: Date; userId: string; sessionId: string; action: 'prompt' | 'completion' | 'file_edit' | 'command_execution'; model: string; prompt: string; response?: string; filesAccessed: string[]; filesModified: string[]; tokensUsed: number; cost: number; ipAddress: string; userAgent: string; riskScore: number;}
export class SOC2AuditLogger { async log(event: AIAuditLog): Promise<void> { // Encrypt sensitive fields const encrypted = await this.encrypt({ ...event, prompt: this.redactSensitive(event.prompt), response: event.response ? this.redactSensitive(event.response) : undefined });
// Store in compliant storage await this.store.append(encrypted);
// Real-time monitoring if (event.riskScore > 0.7) { await this.alerting.notify('high_risk_ai_activity', event); } }
async generateComplianceReport(startDate: Date, endDate: Date): Promise<Report> { const logs = await this.store.query({ startDate, endDate });
return { totalSessions: logs.length, uniqueUsers: new Set(logs.map(l => l.userId)).size, modelUsage: this.aggregateByModel(logs), costAnalysis: this.calculateCosts(logs), securityEvents: logs.filter(l => l.riskScore > 0.5), fileModifications: this.aggregateFileChanges(logs) }; }}name: AI-Assisted Change Control
on: pull_request: types: [opened, synchronize]
jobs: ai-review: runs-on: ubuntu-latest steps: - name: Check AI Attribution run: | # Ensure AI-generated code is marked if git diff --name-only | xargs grep -l "AI-Generated\|AI-Assisted" | wc -l -eq 0; then echo "❌ AI-generated code must be marked with attribution" exit 1 fi
- name: Security Scan uses: aquasecurity/trivy-action@master with: scan-type: 'fs' scan-ref: '.' severity: 'HIGH,CRITICAL'
- name: License Compliance run: | # Check for prohibited licenses in AI suggestions npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause;ISC'
- name: Generate Compliance Report run: | echo "## AI-Assisted Code Review Report" >> $GITHUB_STEP_SUMMARY echo "- Files modified: $(git diff --name-only | wc -l)" >> $GITHUB_STEP_SUMMARY echo "- AI attribution found: ✅" >> $GITHUB_STEP_SUMMARY echo "- Security scan: ✅" >> $GITHUB_STEP_SUMMARY echo "- License compliance: ✅" >> $GITHUB_STEP_SUMMARYData Minimization
Right to Erasure
// HIPAA-compliant development patternsexport class HIPAACompliantDevelopment { // Use synthetic data for development static generateSyntheticPatient(): PatientRecord { return { id: faker.datatype.uuid(), name: 'Test Patient ' + faker.datatype.number(), dob: faker.date.past(), // Never use real SSN, MRN, or other identifiers mrn: 'TEST-' + faker.datatype.number({ min: 100000, max: 999999 }), conditions: ['Synthetic Condition A', 'Synthetic Condition B'] }; }
// Safe AI prompting for healthcare static createSafeHealthcarePrompt(template: string, data: any): string { // Replace all potential PHI with placeholders const safeData = { patientName: '[PATIENT_NAME]', patientDOB: '[DATE_OF_BIRTH]', patientMRN: '[MEDICAL_RECORD_NUMBER]', diagnosis: '[DIAGNOSIS]', medication: '[MEDICATION]' };
return template.replace(/\{\{(\w+)\}\}/g, (match, key) => { return safeData[key] || '[REDACTED]'; }); }}Establish Centers of Excellence
# AI Development Center of Excellence
## Responsibilities- Define and maintain AI coding standards- Review and approve AI tool configurations- Train teams on secure AI usage- Monitor compliance and usage metrics- Evaluate new AI tools and features
## Team Structure- AI Champions (1 per team)- Security Representative- Compliance Officer- Technical Architects- Training CoordinatorImplement Shared Knowledge Base
// Shared AI patterns repositoryinterface AIPattern { id: string; name: string; category: 'security' | 'performance' | 'architecture' | 'testing'; description: string; example: string; prompt: string; tags: string[]; approved: boolean; approvedBy: string; usageCount: number; successRate: number;}
export class AIPatternLibrary { async addPattern(pattern: AIPattern): Promise<void> { // Validate pattern await this.validateSecurity(pattern); await this.validateCompliance(pattern);
// Get approval const approval = await this.requestApproval(pattern); if (!approval.approved) { throw new Error(`Pattern rejected: ${approval.reason}`); }
// Store in shared repository await this.repository.save({ ...pattern, approved: true, approvedBy: approval.approver, createdAt: new Date() });
// Notify teams await this.notifyTeams('new_pattern_available', pattern); }}Standardize AI Workflows
# Standard AI development workflowname: Enterprise AI Development Flow
stages: - name: Requirements steps: - review_security_requirements - check_compliance_needs - identify_data_sensitivity
- name: Design steps: - use_approved_patterns - security_architecture_review - ai_prompt_review
- name: Implementation steps: - use_secure_ai_environment - follow_coding_standards - implement_audit_logging
- name: Review steps: - automated_security_scan - ai_attribution_check - compliance_validation
- name: Deployment steps: - final_security_review - update_audit_trail - monitor_ai_usageEnterprise AI Cost Optimization
Track, control, and optimize AI tool usage across your organization while maintaining productivity.
// Real-time cost tracking systemexport class AICostTracker { private readonly pricing = { 'claude-3-opus': { input: 0.015, output: 0.075 }, 'claude-3-sonnet': { input: 0.003, output: 0.015 }, 'gpt-4': { input: 0.03, output: 0.06 }, 'cursor-pro': { monthly: 20, included_requests: 500 } };
async trackUsage(event: AIUsageEvent): Promise<CostReport> { const modelPricing = this.pricing[event.model]; const cost = this.calculateCost(event, modelPricing);
await this.db.insert({ userId: event.userId, teamId: event.teamId, departmentId: event.departmentId, model: event.model, tokensIn: event.tokensIn, tokensOut: event.tokensOut, cost: cost, timestamp: event.timestamp, purpose: event.purpose, project: event.project });
// Check budget alerts await this.checkBudgetAlerts(event.teamId, cost);
return { sessionCost: cost, dailyTotal: await this.getDailyCost(event.userId), monthlyTotal: await this.getMonthlyCost(event.teamId), budgetRemaining: await this.getBudgetRemaining(event.teamId) }; }
async generateCostReport(period: Period): Promise<DetailedCostReport> { const usage = await this.db.query({ period });
return { totalCost: usage.reduce((sum, u) => sum + u.cost, 0), byTeam: this.aggregateByTeam(usage), byModel: this.aggregateByModel(usage), byPurpose: this.aggregateByPurpose(usage), topUsers: this.getTopUsers(usage), trends: this.analyzeTrends(usage), recommendations: this.generateRecommendations(usage) }; }}// Budget enforcement systemexport class BudgetController { async enforceLimit(request: AIRequest): Promise<boolean> { const budget = await this.getBudget(request.teamId); const spent = await this.getSpent(request.teamId); const projected = await this.projectCost(request);
if (spent + projected > budget.hard_limit) { await this.notify.admin('budget_exceeded', { team: request.teamId, budget: budget.hard_limit, projected: spent + projected }); throw new BudgetExceededError('Team budget exceeded'); }
if (spent + projected > budget.soft_limit) { await this.notify.manager('budget_warning', { team: request.teamId, percentUsed: ((spent + projected) / budget.soft_limit) * 100 }); }
// Implement progressive throttling const usagePercent = spent / budget.soft_limit; if (usagePercent > 0.8) { request.model = this.downgradeModel(request.model); await this.notify.user('model_downgraded_budget', { original: request.model, downgraded: request.model }); }
return true; }
private downgradeModel(model: string): string { const downgrades = { 'claude-3-opus': 'claude-3-sonnet', 'gpt-4': 'gpt-3.5-turbo', 'claude-3-sonnet': 'claude-3-haiku' }; return downgrades[model] || model; }}// Cost optimization recommendationsexport class CostOptimizer { analyzeUsagePatterns(usage: UsageData[]): Optimization[] { const optimizations: Optimization[] = [];
// Check for inefficient model usage const shortPrompts = usage.filter(u => u.tokensIn < 100 && u.model === 'claude-3-opus' );
if (shortPrompts.length > 10) { optimizations.push({ type: 'model_selection', description: 'Use smaller models for short prompts', impact: this.calculateSavings(shortPrompts, 'claude-3-haiku'), implementation: 'Auto-select model based on prompt length' }); }
// Check for repeated similar prompts const duplicates = this.findSimilarPrompts(usage); if (duplicates.length > 0) { optimizations.push({ type: 'caching', description: 'Cache responses for repeated queries', impact: duplicates.reduce((sum, d) => sum + d.cost, 0) * 0.8, implementation: 'Implement semantic caching layer' }); }
// Check for context window waste const oversizedContexts = usage.filter(u => u.tokensIn > 50000 && u.actuallyUsed < 10000 );
if (oversizedContexts.length > 0) { optimizations.push({ type: 'context_optimization', description: 'Reduce context window for efficiency', impact: this.calculateContextSavings(oversizedContexts), implementation: 'Use targeted file inclusion instead of full codebase' }); }
return optimizations.sort((a, b) => b.impact - a.impact); }}Never Trust
Always Verify
Detection
// Real-time incident detectionexport class AISecurityMonitor { async detectAnomalies(event: AIEvent): Promise<Incident[]> { const incidents: Incident[] = [];
// Check for data exfiltration attempts if (this.detectDataExfiltration(event)) { incidents.push({ type: 'data_exfiltration', severity: 'critical', details: event, timestamp: new Date() }); }
// Check for prompt injection if (this.detectPromptInjection(event)) { incidents.push({ type: 'prompt_injection', severity: 'high', details: event }); }
// Check for unusual access patterns if (await this.detectUnusualAccess(event)) { incidents.push({ type: 'unusual_access', severity: 'medium', details: event }); }
return incidents; }}Response
# Incident response automationincident_response: data_exfiltration: - action: block_user_immediately - action: revoke_all_tokens - action: notify_security_team - action: preserve_evidence - action: initiate_forensics
prompt_injection: - action: block_request - action: log_full_context - action: notify_ai_team - action: update_filters
unusual_access: - action: require_mfa - action: monitor_closely - action: notify_managerRecovery
Enterprise AI Security Checklist
Security Templates
Download enterprise security policy templates and configurations
Compliance Guides
Detailed guides for SOC2, GDPR, HIPAA compliance
Cost Calculator
Calculate and optimize your AI development costs