Security Standards and Compliance

Your compliance team just sent the quarterly audit checklist. Forty-seven items covering OWASP Top 10, SOC 2 controls, GDPR data handling, and PCI DSS requirements for the payment module. Last quarter, this took your team three weeks of manual review. This quarter, you have AI tools — but your security team wants to know exactly what data those tools can access and whether AI-generated code meets compliance standards.

What You’ll Walk Away With

• Security-first AI tool configuration that satisfies enterprise security teams
• Automated compliance checking workflows using AI-assisted code review
• Data governance frameworks for AI tool usage in regulated environments
• Prompt patterns for security-focused code generation and vulnerability scanning
• Audit trail implementation that proves AI-generated code meets standards

Configuring AI Tools for Security

Data Handling Policies

Before writing a single prompt, establish what data can and cannot be sent to AI providers.

Cursor

Cursor Business offers Privacy Mode, which ensures no code is stored or used for training:

.cursor/rules

SECURITY REQUIREMENTS:
- Privacy Mode MUST be enabled (Settings → Privacy → Privacy Mode ON)
- Never paste production credentials, API keys, or secrets into prompts
- Never paste customer PII (names, emails, SSNs) into prompts
- When discussing database schemas with PII columns, use anonymized names
- Reference .env.example for environment variable names, never .env

Cursor Business provides SOC 2 Type II compliance and zero data retention guarantees.

Claude Code

Claude Code respects .claudeignore files to prevent sensitive files from being read:

.claudeignore

.env
.env.*
**/secrets/
**/credentials/
**/*.pem
**/*.key
**/config/production.json

Additionally, configure hooks to block sensitive data from leaving the environment:

{
  "hooks": {
    "PreToolUse": [{
      "matcher": ".*",
      "command": "python scripts/check-sensitive-data.py \"$PROMPT\""
    }]
  }
}

Claude Max and API plans provide zero data retention by default for business usage.

Codex

Codex cloud tasks run in sandboxed environments with network restrictions:

codex.md

SECURITY POLICY:
- Never read or output contents of .env files
- Never include actual API keys, tokens, or passwords in code or comments
- Use environment variable references for all sensitive configuration
- Flag any hardcoded credentials found during code review

Codex enterprise plans provide data isolation guarantees and can be configured with custom network policies.

Automated Security Scanning

OWASP Top 10 Review

Tip

Copy-paste prompt for OWASP compliance review:

Perform an OWASP Top 10 (2021) security review of our authentication module at /src/auth/:
1. A01:2021 - Broken Access Control: Check all route handlers for proper authorization
2. A02:2021 - Cryptographic Failures: Verify password hashing, token generation, TLS usage
3. A03:2021 - Injection: Review all database queries for parameterization
4. A04:2021 - Insecure Design: Check for rate limiting, account lockout, session management
5. A05:2021 - Security Misconfiguration: Review CORS, CSP headers, error handling
6. A06:2021 - Vulnerable Components: Check dependencies for known CVEs
7. A07:2021 - Auth Failures: Review login flow, MFA implementation, session tokens
8. A08:2021 - Software/Data Integrity: Check for unsigned updates, untrusted deserialization
9. A09:2021 - Logging Failures: Verify security events are logged with sufficient detail
10. A10:2021 - SSRF: Check all server-side URL fetching for validation

For each finding: severity (Critical/High/Medium/Low), file location, specific line,
and a concrete fix with code. No generic advice.

Continuous Security Review in CI

Cursor

Use Cursor’s Background Agent to run security reviews on every PR:

Review the changes in this PR for security issues:
1. Check for any new SQL queries - are they parameterized?
2. Check for any new API endpoints - do they have authentication middleware?
3. Check for any new file uploads - are they validated for type and size?
4. Check for any new user inputs - are they sanitized before rendering?
5. Check for any new dependencies - do they have known vulnerabilities?

Output a security review checklist with pass/fail for each item.

Claude Code

Integrate security review into your CI pipeline using headless mode:

.github/workflows/security-review.yml

security-review:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - name: AI Security Review
      run: |
        claude -p "Review the git diff for security issues:
        $(git diff origin/main...HEAD)

        Check for:
        1. SQL injection vulnerabilities
        2. Missing authentication/authorization
        3. Hardcoded secrets or credentials
        4. Unvalidated user input
        5. Insecure cryptographic operations
        6. Missing rate limiting on new endpoints

        Output as JSON: {issues: [{severity, file, line, description, fix}]}
        Exit code 1 if any Critical or High severity issues found."

Codex

Codex can be triggered by GitHub PR events for automatic security review:

When a PR is opened, perform a security review:
1. Analyze all changed files for OWASP Top 10 vulnerabilities
2. Check new dependencies against known vulnerability databases
3. Verify authentication is required on all new endpoints
4. Confirm input validation exists for all new user-facing parameters
5. Post findings as a PR review comment with inline annotations

Compliance Framework Implementation

SOC 2 Controls with AI Assistance

Tip

Copy-paste prompt for SOC 2 audit preparation:

Help me prepare for our SOC 2 Type II audit by reviewing our codebase against key controls:

CC6.1 (Logical Access):
- List all authentication mechanisms in our codebase
- Verify role-based access control is implemented consistently
- Check that session management follows security best practices

CC6.6 (System Boundaries):
- Map all external API integrations and their authentication methods
- Verify TLS is enforced on all external communications
- Check that API rate limiting is implemented

CC7.2 (Monitoring):
- Verify security events are logged (failed logins, permission changes, data exports)
- Check that logs include timestamp, user, action, and resource
- Confirm log retention and integrity mechanisms

For each control: current status (Compliant/Partial/Non-compliant), evidence location, and remediation steps if needed.

GDPR Data Handling

Tip

Copy-paste prompt for GDPR compliance audit:

Audit our codebase for GDPR compliance:
1. Data Inventory: Find all places where personal data is collected, stored, or processed.
   Search for: email, name, address, phone, IP address, cookies, user agent
2. Consent Management: Verify consent is collected before processing personal data
3. Right to Erasure: Check that user deletion cascades to all data stores
4. Data Minimization: Flag any places where we collect data we do not strictly need
5. Encryption: Verify personal data is encrypted at rest and in transit
6. Breach Notification: Check that security event logging would support a 72-hour notification

Map each finding to the specific GDPR article it relates to.
Present as a compliance matrix with: Data Type | Location | Legal Basis | Encrypted | Deletable

Secure Code Generation Patterns

Teaching AI Your Security Standards

Encode your security requirements so AI-generated code is secure by default.

// .cursor/rules or CLAUDE.md - Security section
SECURITY CODING STANDARDS:

Authentication:
- All API endpoints must use the authMiddleware from /src/middleware/auth.ts
- JWT tokens expire after 15 minutes, refresh tokens after 7 days
- Password hashing uses bcrypt with cost factor 12

Input Validation:
- All request bodies validated with Zod schemas before processing
- File uploads limited to 10MB, allowed types: jpg, png, pdf
- URL parameters must be validated as UUIDs where applicable

Database:
- ALL queries must use parameterized statements (Drizzle ORM or prepared statements)
- Never construct SQL strings with string concatenation
- Database connections use least-privilege service accounts

Output:
- All HTML output must be escaped (handled by React/template engine)
- API responses must not include internal error details in production
- Set Content-Security-Policy, X-Frame-Options, X-Content-Type-Options headers

When This Breaks

“Our security team will not approve AI tools because they send code to external servers.” Bring the vendor’s SOC 2 report, data processing agreement, and zero retention policy to the meeting. Most enterprise AI tool plans provide contractual guarantees. Claude Code can also run with local models if absolute data isolation is required.

“AI-generated code passed review but had a vulnerability.” AI tools reduce but do not eliminate security risks. Maintain automated scanning (SAST, DAST, dependency auditing) in CI regardless of whether code is AI-generated or human-written. Security review is a defense-in-depth strategy.

“Compliance audits take the same amount of time even with AI.” You are probably running audits reactively. Set up continuous compliance monitoring with AI-powered CI checks. The quarterly audit becomes a formality when every PR is already reviewed against compliance controls.

“Different teams encode security requirements differently.” Centralize your security standards in a shared rules file and distribute it to all repositories. Use a monorepo or Git submodule for shared configuration.

What’s Next

Privacy and Data Handling Enterprise data privacy policies and AI tool data governance.

Security Testing Automated vulnerability scanning and penetration testing with AI.

Disaster Recovery Backup, recovery, and rollback strategies for AI-assisted development.