This page covers the OCI Generative AI Service managed inference API — on-demand endpoints, AI Guardrails, Dedicated AI Clusters, and the service's IAM, network, and logging controls. Not in scope: OCI Data Science platform and self-hosted model containers on OCI Compute.
For the underlying threat model and cross-cutting principles that apply to all managed LLM API services, see General GenAI Hardening. Key infrastructure prerequisites are on sibling pages: oci-iam-07 — compartment hierarchy (foundational pattern for oci-genai-01), and OCI Logging (audit log configuration pattern for oci-genai-06).
OCI has two differentiators with no direct cloud-peer equivalent: Dedicated AI Cluster RDMA isolation (oci-genai-07) provides tenant-exclusive GPU allocation where no other customer's workloads share the underlying hardware, and Security Zone policy enforcement (oci-genai-08) via Zero Trust Packet Routing applies standing invariants (no public endpoints, encryption required) that survive IAM policy changes. Controls are ordered severity-descending: one CRITICAL, six HIGH, one MEDIUM.
Place all OCI Generative AI resources — endpoints, dedicated clusters, fine-tuning jobs, and models — in a dedicated compartment, never in the root compartment or tenancy-wide scope. Apply IAM policies at the compartment level and never grant manage generative-ai-family in tenancy to application service accounts. The compartment boundary is the OCI blast-radius containment primitive: a compromised identity can only affect resources within the compartments it is granted access to. See oci-iam-07 — compartment hierarchy for the recommended compartment tree structure.
Remediation — OCI CLI
# OCI CLI 3.x — find and audit the GenAI compartment
# Step 1: locate the dedicated GenAI compartment
oci iam compartment list \
--compartment-id "${ROOT_COMPARTMENT_OCID}" \
--name genai \
--output table
# Step 2: audit policies scoped to the compartment (should NOT contain "in tenancy")
oci iam policy list \
--compartment-id "${COMPARTMENT_OCID}" \
--output table
# Step 3: check for overly broad tenancy-level GenAI policies
oci iam policy list \
--compartment-id "${ROOT_COMPARTMENT_OCID}" \
--output json | \
jq '.data[].statements[] | select(contains("generative-ai-family in tenancy"))'
Remediation — Terraform
# Terraform OCI provider ~> 5.0
resource "oci_identity_compartment" "genai" {
compartment_id = var.root_compartment_ocid
name = "genai"
description = "Dedicated compartment for OCI Generative AI resources"
}
resource "oci_identity_policy" "genai_inference" {
name = "genai-inference-policy"
description = "Allow inference-only group to use Generative AI within the genai compartment"
compartment_id = oci_identity_compartment.genai.id
statements = [
"Allow group ${var.inference_group_name} to use generative-ai-family in compartment id ${oci_identity_compartment.genai.id}",
]
}
Remediation — OCI Resource Manager
# Submit the Terraform block above to OCI Resource Manager via a configured
# Git source-provider. Variables are entered through the Console UI (schema-driven
# by an optional schema.yaml); state is stored in OCI Object Storage automatically.
# This is an INVOCATION snippet — the .tf body is the existing Terraform block
# on this same control-box (do NOT duplicate HCL here).
oci resource-manager stack create-from-git-provider \
--compartment-id "$COMPARTMENT_OCID" \
--config-source-provider-id "$CONFIG_SRC_PROVIDER_OCID" \
--repository-url "https://example.com/org/hardening-iac" \
--branch-name "main" \
--working-directory "modules/oci-genai-01-compartment-isolation" \
--display-name "oci-genai-01-compartment-isolation" \
--terraform-version "1.5.x"
# Plan + apply via the ORM job lifecycle (state stored in OCI automatically).
STACK_OCID=$(oci resource-manager stack list \
--compartment-id "$COMPARTMENT_OCID" \
--display-name "oci-genai-01-compartment-isolation" \
--query 'data[0].id' --raw-output)
# create-plan-job returns before the plan finishes; wait for SUCCEEDED before applying.
PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \
--stack-id "$STACK_OCID" \
--wait-for-state SUCCEEDED \
--query 'data.id' --raw-output)
oci resource-manager job create-apply-job \
--stack-id "$STACK_OCID" \
--execution-plan-strategy FROM_PLAN_JOB_ID \
--execution-plan-job-id "$PLAN_JOB_OCID"
Remediation — Pulumi (TypeScript)
import * as pulumi from "@pulumi/pulumi";
import * as oci from "@pulumi/oci";
// Dedicated compartment for Generative AI workloads with strict policy fence.
const cfg = new pulumi.Config();
const parentCompartmentId = cfg.require("parentCompartmentOcid");
const genaiCompartment = new oci.identity.Compartment("genai-isolated", {
compartmentId: parentCompartmentId,
name: "genai-prod",
description: "Isolated compartment for Generative AI inference + agent workloads",
enableDelete: false, // soft-delete only — audit trail preservation
});
// Fence: only GenAI workload identities may invoke models in this compartment.
const genaiFencePolicy = new oci.identity.Policy("genai-fence", {
compartmentId: parentCompartmentId,
name: "genai-compartment-fence",
description: "Only GenAI workload SAs may invoke generative-ai service inside genai-prod",
statements: [
pulumi.interpolate`Allow dynamic-group GenAIWorkloads to use generative-ai-family in compartment id ${genaiCompartment.id}`,
pulumi.interpolate`Allow group GenAIOps to read generative-ai-family in compartment id ${genaiCompartment.id}`,
],
});
export const genaiCompartmentOcid = genaiCompartment.id;
Compliance mapping
CIS AWS Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS Microsoft Azure Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS GCP Foundation v4.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS OCI Foundation v2.0.0: n/a (no dedicated CIS GenAI benchmark)
NIST SP 800-53 rev5: AC-2; AC-6; AC-17
ISO/IEC 27001:2022: A.5.15; A.5.18
ISO/IEC 27017:2015: n/a
OWASP LLM Top 10:2025: LLM06:2025
NIST AI 600-1 (Jul 2024): Information Security
EU AI Act (2024/1689): Art. 55 (in force 2025-08-02)
Log signals
OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' with eventName in (CreateDedicatedAiCluster, CreateModel, CreateEndpoint) landing inside a compartment outside the documented Generative-AI subtree.
Compartment-move events that re-parent a Generative-AI endpoint compartment under a tenant-root subtree carrying shared-services workloads.
Policy statements newly created on the Generative-AI compartment granting manage generative-ai-family rights to non-AI-platform groups.
Query
'Log Source' = 'OCI Audit Logs'
and 'Service Name' = 'generative-ai'
and eventName in ('CreateDedicatedAiCluster', 'CreateModel', 'CreateEndpoint')
| eval compartment_ok = if(data.target.compartment.id in_subset 'AICompartmentInventory', 'YES', 'NO')
| where compartment_ok = 'NO'
| stats count by 'User Name', data.target.id, eventName
Maintain a managed list of approved Generative-AI compartment OCIDs; the gate fires when a resource creation lands outside the list.
Alert threshold
Any Generative-AI resource created in a compartment outside the documented AI subtree — page on first event.
New policy granting manage generative-ai-family outside the AIPlatform group — page.
Initial response
Move the resource back to the AI subtree via oci iam compartment move; OCI applies the move online with no impact on endpoint serving.
Revert the policy via OCI Identity's policy version history; the prior statement set was the last-known-good compartment-scoped grant.
Document the topology delta in the AI platform team's change log per general/ir.html.
Configure OCI IAM policies with granular resource-type verbs for Generative AI, creating separate groups and policies for different use cases: an inference-only group using use generative-ai-family; a management group using manage generative-ai-endpoint; and a read-only audit group using read generative-ai-family. The generative-ai-family aggregate resource type includes generative-ai-chat, generative-ai-endpoint, generative-ai-model, and generative-ai-fine-tuning-job — grant the minimum necessary sub-type verbs rather than the aggregate to production application identities.
Remediation — OCI CLI
# OCI CLI 3.x — audit IAM policies for GenAI permissions
# List all policies in the GenAI compartment
oci iam policy list \
--compartment-id "${COMPARTMENT_OCID}" \
--output table
# Map groups to policies
oci iam group list --output table
# Check for overly broad 'manage' grants on inference-only groups
oci iam policy list \
--compartment-id "${COMPARTMENT_OCID}" \
--output json | \
jq '.data[].statements[] | select(contains("manage generative-ai-family"))'
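The jq substring checks in the compartment-isolation and least-privilege controls only match one exact spelling of a statement. The following is an added example (not code from the original page) that parses statements instead, so different casing or spacing does not hide a grant. The admin group allow-list, the finding names and the sample statements are assumptions constructed for illustration, and keywords are matched case-insensitively as a defensive choice.

```python
import re

# Constructed sample statements for illustration; not taken from a real tenancy.
SAMPLE_STATEMENTS = [
    "Allow group genai-inference-users to use generative-ai-family in compartment id ocid1.compartment.oc1..exampleuniqueid",
    "allow  group AppServiceAccounts to MANAGE generative-ai-family in TENANCY",
    "Allow group genai-admins to manage generative-ai-family in compartment genai",
    "Allow dynamic-group GenAIWorkloads to use generative-ai-family in compartment genai",
    "Allow dynamic-group GenAIWorkloads to use generative-ai-chat in compartment genai",
    "Allow any-user to use generative-ai-family in tenancy",
    "Allow group NetOps to manage virtual-network-family in tenancy",
]

# Assumption: the only groups that may hold 'manage' on GenAI resources.
ADMIN_GROUPS = {"genai-admins"}

# Allow <group|dynamic-group> <subject[, subject]> to <verb> <resource-type> in <scope>
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group)\s+(?P<subject>.+?)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<rtype>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment)\b",
    re.IGNORECASE,
)


def lint_statement(statement, admin_groups=ADMIN_GROUPS):
    """Return a list of finding names for one policy statement."""
    normalized = " ".join(statement.split())  # collapse runs of whitespace
    if "generative-ai" not in normalized.lower():
        return []  # not a GenAI grant, out of scope for this check
    match = STATEMENT_RE.match(normalized)
    if match is None:
        # Mentions GenAI but has a subject or shape this parser does not
        # understand (for example any-user): fail closed for manual review.
        return ["UNPARSED"]
    resource_type = match["rtype"].lower()
    if not resource_type.startswith("generative-ai"):
        return []  # GenAI appears only in a condition, not as the resource
    subjects = {s.strip().strip("'\"").lower() for s in match["subject"].split(",")}
    admins = {g.lower() for g in admin_groups}
    findings = []
    if match["scope"].lower() == "tenancy":
        findings.append("TENANCY_SCOPE")
    if match["verb"].lower() == "manage" and not subjects <= admins:
        findings.append("MANAGE_NON_ADMIN")
    if match["kind"].lower() == "dynamic-group" and resource_type == "generative-ai-family":
        # Workload identity holding the aggregate type instead of a sub-type.
        findings.append("AGGREGATE_FOR_WORKLOAD")
    return findings


def lint_policy(statements, admin_groups=ADMIN_GROUPS):
    """Map each offending statement to its findings; clean statements are omitted."""
    report = {}
    for statement in statements:
        findings = lint_statement(statement, admin_groups)
        if findings:
            report[statement] = findings
    return report


if __name__ == "__main__":
    for statement, findings in lint_policy(SAMPLE_STATEMENTS).items():
        print(", ".join(findings), "<-", statement)
```

Feed it the `statements` arrays from `oci iam policy list --output json` for both the root compartment and the GenAI compartment.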
Remediation — Terraform
# Terraform OCI provider ~> 5.0
# Inference-only group: can call endpoints but cannot create/modify/delete
resource "oci_identity_group" "genai_inference" {
compartment_id = var.tenancy_ocid
name = "genai-inference-users"
description = "Group for application identities that call GenAI inference endpoints only"
}
resource "oci_identity_policy" "genai_inference_policy" {
name = "genai-inference-policy"
description = "Inference-only access to Generative AI endpoints"
compartment_id = var.genai_compartment_ocid
statements = [
# 'use' verb: can call endpoints; cannot create, update, or delete
"Allow group genai-inference-users to use generative-ai-family in compartment id ${var.genai_compartment_ocid}",
]
}
# Management group: for operations teams only — NOT application service accounts
resource "oci_identity_group" "genai_admins" {
compartment_id = var.tenancy_ocid
name = "genai-admins"
description = "Group for GenAI platform operators (endpoint creation, fine-tuning)"
}
resource "oci_identity_policy" "genai_admin_policy" {
name = "genai-admin-policy"
description = "Management access to Generative AI resources for ops team"
compartment_id = var.genai_compartment_ocid
statements = [
"Allow group genai-admins to manage generative-ai-family in compartment id ${var.genai_compartment_ocid}",
]
}
Remediation — OCI Resource Manager
# Submit the Terraform block above to OCI Resource Manager via a configured
# Git source-provider. Variables are entered through the Console UI (schema-driven
# by an optional schema.yaml); state is stored in OCI Object Storage automatically.
# This is an INVOCATION snippet — the .tf body is the existing Terraform block
# on this same control-box (do NOT duplicate HCL here).
oci resource-manager stack create-from-git-provider \
--compartment-id "$COMPARTMENT_OCID" \
--config-source-provider-id "$CONFIG_SRC_PROVIDER_OCID" \
--repository-url "https://example.com/org/hardening-iac" \
--branch-name "main" \
--working-directory "modules/oci-genai-02-iam-least-privilege" \
--display-name "oci-genai-02-iam-least-privilege" \
--terraform-version "1.5.x"
# Plan + apply via the ORM job lifecycle (state stored in OCI automatically).
STACK_OCID=$(oci resource-manager stack list \
--compartment-id "$COMPARTMENT_OCID" \
--display-name "oci-genai-02-iam-least-privilege" \
--query 'data[0].id' --raw-output)
# create-plan-job returns before the plan finishes; wait for SUCCEEDED before applying.
PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \
--stack-id "$STACK_OCID" \
--wait-for-state SUCCEEDED \
--query 'data.id' --raw-output)
oci resource-manager job create-apply-job \
--stack-id "$STACK_OCID" \
--execution-plan-strategy FROM_PLAN_JOB_ID \
--execution-plan-job-id "$PLAN_JOB_OCID"
Compliance mapping
CIS AWS Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS Microsoft Azure Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS GCP Foundation v4.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS OCI Foundation v2.0.0: n/a (no dedicated CIS GenAI benchmark)
NIST SP 800-53 rev5: AC-2; AC-6; IA-2
ISO/IEC 27001:2022: A.5.15; A.5.18
ISO/IEC 27017:2015: CLD.12.1.5
OWASP LLM Top 10:2025: LLM06:2025; LLM08:2025
NIST AI 600-1 (Jul 2024): Information Security
EU AI Act (2024/1689): Art. 55 (in force 2025-08-02)
Log signals
OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'identity' with eventName = 'UpdatePolicy' whose statement body widens grants on generative-ai-inference or generative-ai-model resource types.
Dynamic-group matchingRule mutations that newly include workloads outside the documented inference-tier identity pool.
Generative-AI inference-event audit records where the calling principal lacks an expected tag on the inference dynamic group.
Query
'Log Source' = 'OCI Audit Logs'
and 'Service Name' = 'identity'
and eventName in ('CreatePolicy', 'UpdatePolicy')
| eval stmt = data.request.payload.statements
| where stmt like '%generative-ai-inference%' and (stmt like '%manage%' or stmt like '%in tenancy%')
| stats count by 'User Name', data.target.policy.name, 'Compartment Name'
Generative-AI inference grants are sensitive because model-output exfiltration scales with caller rights — every widening event should be ticketed.
Alert threshold
Any policy granting tenancy-scoped manage on generative-ai-family outside the AI platform admin group — page.
Dynamic-group rule widening that adds non-AI-tier workloads to the inference identity pool — page.
Initial response
Revert the policy via OCI Identity's policy version history and re-scope the grant to the documented compartment-bounded statement.
Audit Generative-AI inference events for any calls made under the widened policy and rate-limit or block downstream model endpoints if abuse is suspected.
Rotate any OCI inference-tier credentials used during the widened window per general/ir.html.
Enable OCI AI Guardrails with all three modules active: Content Moderation (CM) for hate speech, sexual content, violence, and self-harm; Prompt Injection (PI) detection for direct jailbreak and indirect injection attempts; and PII detection and redaction. OCI AI Guardrails is GA for on-demand inference mode. Configure thresholds above the default for production workloads — do not rely solely on OCI's default safety settings.
Disabling Content Moderation, Prompt Injection detection, or PII detection to improve latency or "UX" is the BLOCK_NONE anti-pattern documented in general/genai.html — Common Misconfigurations. All three guardrail modules should be enabled for production GenAI workloads.
Remediation — OCI CLI
# OCI CLI 3.x — check current guardrail configuration on GenAI endpoints
oci generative-ai endpoint list \
--compartment-id "${COMPARTMENT_OCID}" \
--output json | \
jq '.[].guardRails'
# Inspect a specific endpoint's guardrail config
oci generative-ai endpoint get \
--endpoint-id "${ENDPOINT_OCID}" \
--query 'data."content-moderation-config"'
Remediation — Terraform
# Terraform OCI provider ~> 5.0
resource "oci_generative_ai_endpoint" "this" {
compartment_id = var.genai_compartment_ocid
dedicated_ai_cluster_id = var.dedicated_cluster_ocid
model_id = var.model_ocid
display_name = var.endpoint_name
content_moderation_config {
# Enable all three guardrail modules
is_enabled = true
# Verify exact nested argument names in OCI Terraform provider documentation at authoring time;
# the provider exposes content_moderation_config at the endpoint level for on-demand mode.
}
}
Remediation — OCI Resource Manager
# Submit the Terraform block above to OCI Resource Manager via a configured
# Git source-provider. Variables are entered through the Console UI (schema-driven
# by an optional schema.yaml); state is stored in OCI Object Storage automatically.
# This is an INVOCATION snippet — the .tf body is the existing Terraform block
# on this same control-box (do NOT duplicate HCL here).
oci resource-manager stack create-from-git-provider \
--compartment-id "$COMPARTMENT_OCID" \
--config-source-provider-id "$CONFIG_SRC_PROVIDER_OCID" \
--repository-url "https://example.com/org/hardening-iac" \
--branch-name "main" \
--working-directory "modules/oci-genai-03-guardrails-content-moderation" \
--display-name "oci-genai-03-guardrails-content-moderation" \
--terraform-version "1.5.x"
# Plan + apply via the ORM job lifecycle (state stored in OCI automatically).
STACK_OCID=$(oci resource-manager stack list \
--compartment-id "$COMPARTMENT_OCID" \
--display-name "oci-genai-03-guardrails-content-moderation" \
--query 'data[0].id' --raw-output)
# create-plan-job returns before the plan finishes; wait for SUCCEEDED before applying.
PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \
--stack-id "$STACK_OCID" \
--wait-for-state SUCCEEDED \
--query 'data.id' --raw-output)
oci resource-manager job create-apply-job \
--stack-id "$STACK_OCID" \
--execution-plan-strategy FROM_PLAN_JOB_ID \
--execution-plan-job-id "$PLAN_JOB_OCID"
Compliance mapping
CIS AWS Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS Microsoft Azure Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS GCP Foundation v4.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS OCI Foundation v2.0.0: n/a (no dedicated CIS GenAI benchmark)
NIST SP 800-53 rev5: SI-10; SI-15
ISO/IEC 27001:2022: A.8.28
ISO/IEC 27017:2015: n/a
OWASP LLM Top 10:2025: LLM01:2025; LLM02:2025
NIST AI 600-1 (Jul 2024): Dangerous/Violent Content; Data Privacy
EU AI Act (2024/1689): Art. 55 (in force 2025-08-02)
Log signals
OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' with eventName = 'UpdateEndpoint' whose contentModerationConfig.isEnabled flips to false.
Inference-event records emitted by the Generative-AI service log showing content-moderation verdict FLAGGED but the request still completed — surfaces guardrail bypass.
Endpoint creation events without an attached content-moderation configuration on a tenant-customer-facing endpoint.
Query
'Log Source' = 'OCI Audit Logs'
and 'Service Name' = 'generative-ai'
and eventName in ('UpdateEndpoint', 'CreateEndpoint')
| eval moderation_off = if(data.request.payload.contentModerationConfig.isEnabled = 'false', 'YES', 'NO')
| where moderation_off = 'YES'
| stats count by 'User Name', data.target.endpoint.id, eventName
Content moderation is a single boolean per endpoint; flipping it off removes the prompt-and-completion safety filter.
Alert threshold
Any endpoint with contentModerationConfig.isEnabled = false on a customer-facing endpoint — page on first event.
More than three FLAGGED inference verdicts on a single endpoint per hour without an accompanying block — page.
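The hourly threshold above is a sliding-window count per endpoint, which a plain total over the log does not reproduce. The following is an added example (not code from the original page) that evaluates it over constructed inference records. The record field names (`time`, `endpointId`, `verdict`, `blocked`) and the endpoint names are assumptions, since the page does not give the inference-log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed inference-log records, deliberately out of order.
# Field names are assumptions for this example, not the service's schema.
SAMPLE_RECORDS = [
    {"time": "2025-01-01T10:50:00+00:00", "endpointId": "endpoint-a", "verdict": "FLAGGED", "blocked": False},
    {"time": "2025-01-01T10:00:00+00:00", "endpointId": "endpoint-a", "verdict": "FLAGGED", "blocked": False},
    {"time": "2025-01-01T10:10:00+00:00", "endpointId": "endpoint-a", "verdict": "FLAGGED", "blocked": False},
    {"time": "2025-01-01T10:20:00+00:00", "endpointId": "endpoint-a", "verdict": "FLAGGED", "blocked": False},
    {"time": "2025-01-01T10:30:00+00:00", "endpointId": "endpoint-a", "verdict": "FLAGGED", "blocked": True},
    {"time": "2025-01-01T10:40:00+00:00", "endpointId": "endpoint-a", "verdict": "PASSED", "blocked": False},
    # endpoint-b has four unblocked FLAGGED verdicts in total,
    # but never more than two inside any one-hour window.
    {"time": "2025-01-01T09:00:00+00:00", "endpointId": "endpoint-b", "verdict": "FLAGGED", "blocked": False},
    {"time": "2025-01-01T09:30:00+00:00", "endpointId": "endpoint-b", "verdict": "FLAGGED", "blocked": False},
    {"time": "2025-01-01T10:15:00+00:00", "endpointId": "endpoint-b", "verdict": "FLAGGED", "blocked": False},
    {"time": "2025-01-01T10:45:00+00:00", "endpointId": "endpoint-b", "verdict": "FLAGGED", "blocked": False},
]

WINDOW = timedelta(hours=1)
THRESHOLD = 3  # page when the count is MORE than three


def detect_flagged_unblocked(records, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per endpoint each time it crosses the threshold."""
    parsed = sorted(
        ((datetime.fromisoformat(r["time"]), r) for r in records),
        key=lambda pair: pair[0],
    )
    recent = defaultdict(deque)  # endpoint -> timestamps inside the window
    alerting = set()             # endpoints currently above the threshold
    alerts = []
    for ts, rec in parsed:
        # Only FLAGGED verdicts that were still served count as a bypass.
        if rec["verdict"] != "FLAGGED" or rec["blocked"]:
            continue
        endpoint = rec["endpointId"]
        queue = recent[endpoint]
        queue.append(ts)
        while ts - queue[0] >= window:  # expire events older than the window
            queue.popleft()
        if len(queue) > threshold:
            if endpoint not in alerting:  # alert once per crossing, not per event
                alerting.add(endpoint)
                alerts.append({
                    "endpointId": endpoint,
                    "count": len(queue),
                    "window_start": queue[0].isoformat(),
                    "triggered_at": ts.isoformat(),
                })
        else:
            alerting.discard(endpoint)
    return alerts


if __name__ == "__main__":
    for alert in detect_flagged_unblocked(SAMPLE_RECORDS):
        print(alert)
```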
Initial response
Re-enable content moderation on the endpoint via Resource Manager; OCI Generative AI applies the change to the next inference call.
Audit inference logs for any flagged completions returned during the disabled window; export prompt-response pairs to the responsible-AI review queue.
Brief the model-serving team on the guardrail contract and document per general/ir.html.
Configure a private endpoint for OCI Generative AI within your VCN using the Service Gateway, ensuring inference traffic routes through OCI's internal backbone without traversing the public internet. Disable the public endpoint on the OCI Generative AI endpoint resource. The Service Gateway provides connectivity to OCI services — including Generative AI — from your VCN without requiring an Internet Gateway or NAT Gateway, keeping all prompt and completion data on the OCI backbone.
Remediation — OCI CLI
# OCI CLI 3.x — verify Service Gateway and endpoint configuration
# Check for Service Gateway in the VCN
oci network service-gateway list \
--compartment-id "${COMPARTMENT_OCID}" \
--output table
# Verify endpoint type on GenAI endpoints
oci generative-ai endpoint list \
--compartment-id "${COMPARTMENT_OCID}" \
--output json | \
jq '.[].endpointType'
# List route table rules to verify GenAI traffic routes through Service Gateway
oci network route-table list \
--compartment-id "${COMPARTMENT_OCID}" \
--output table
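The route-table listing above still has to be read rule by rule. The following is an added example (not code from the original page) that classifies each route table from JSON in the shape of `oci network route-table list --output json`. The sample data, OCIDs and verdict names are constructed for illustration, and the gateway type is read from the second segment of the target OCID.

```python
# Constructed sample in the shape of `oci network route-table list --output json`.
SAMPLE_ROUTE_TABLES = {
    "data": [
        {
            "display-name": "genai-private-route-table",
            "route-rules": [
                {"destination": "all-iad-services-in-oracle-services-network",
                 "destination-type": "SERVICE_CIDR_BLOCK",
                 "network-entity-id": "ocid1.servicegateway.oc1.iad.exampleuniqueid1"},
            ],
        },
        {
            "display-name": "app-mixed-route-table",
            "route-rules": [
                {"destination": "all-iad-services-in-oracle-services-network",
                 "destination-type": "SERVICE_CIDR_BLOCK",
                 "network-entity-id": "ocid1.servicegateway.oc1.iad.exampleuniqueid1"},
                {"destination": "0.0.0.0/0",
                 "destination-type": "CIDR_BLOCK",
                 "network-entity-id": "ocid1.natgateway.oc1.iad.exampleuniqueid2"},
            ],
        },
        {
            "display-name": "objectstorage-only-route-table",
            "route-rules": [
                {"destination": "oci-iad-objectstorage",
                 "destination-type": "SERVICE_CIDR_BLOCK",
                 "network-entity-id": "ocid1.servicegateway.oc1.iad.exampleuniqueid1"},
            ],
        },
    ]
}

ALL_SERVICES_SUFFIX = "-services-in-oracle-services-network"
INTERNET_ENTITIES = {"internetgateway", "natgateway"}


def entity_type(ocid):
    """Resource type from an OCID: ocid1.<type>.<realm>.<region>.<id>."""
    parts = ocid.split(".")
    if len(parts) > 2 and parts[0] == "ocid1":
        return parts[1].lower()
    return "unknown"


def audit_route_table(table):
    """Classify one route table for private access to OCI services."""
    has_service_route = False
    internet_rules = []
    for rule in table.get("route-rules", []):
        kind = entity_type(rule.get("network-entity-id", ""))
        destination = rule.get("destination") or ""
        if kind in INTERNET_ENTITIES:
            internet_rules.append((destination, kind))
        elif (kind == "servicegateway"
              and rule.get("destination-type") == "SERVICE_CIDR_BLOCK"
              and destination.startswith("all-")
              and destination.endswith(ALL_SERVICES_SUFFIX)):
            # Only the all-services label covers services beyond Object Storage.
            has_service_route = True
    if internet_rules:
        verdict = "INTERNET_PATH_PRESENT"      # review: the subnet can reach the internet
    elif not has_service_route:
        verdict = "NO_SERVICE_GATEWAY_ROUTE"   # no private path to the service
    else:
        verdict = "PRIVATE_ONLY"
    return {"name": table.get("display-name", ""), "verdict": verdict,
            "internet_rules": internet_rules}


def audit_route_tables(cli_output):
    """Audit every route table in the CLI output, keyed by display name."""
    return {t.get("display-name", ""): audit_route_table(t)["verdict"]
            for t in cli_output.get("data", [])}


if __name__ == "__main__":
    for name, verdict in audit_route_tables(SAMPLE_ROUTE_TABLES).items():
        print(f"{verdict:26} {name}")
```

`INTERNET_PATH_PRESENT` does not mean service traffic leaves the backbone; it means the subnet also has an internet route that needs a documented reason.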
Remediation — Terraform
# Terraform OCI provider ~> 5.0
# Look up the "All <region> Services In Oracle Services Network" service entry
# instead of relying on list order or a hand-built CIDR label.
data "oci_core_services" "all" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}
# Service Gateway — connect VCN to OCI services (including Generative AI) without internet routing
resource "oci_core_service_gateway" "genai" {
  compartment_id = var.genai_compartment_ocid
  vcn_id         = var.vcn_ocid
  display_name   = "genai-service-gateway"
  services {
    service_id = data.oci_core_services.all.services[0].id # OCI Services CIDR
  }
}
# Route table rule: send Generative AI service traffic through the Service Gateway
resource "oci_core_route_table" "genai_private" {
  compartment_id = var.genai_compartment_ocid
  vcn_id         = var.vcn_ocid
  display_name   = "genai-private-route-table"
  route_rules {
    # The service CIDR label uses the region key (for example "iad"), so take it from the data source.
    destination       = data.oci_core_services.all.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.genai.id
  }
}
Remediation — OCI Resource Manager
# Submit the Terraform block above to OCI Resource Manager via a configured
# Git source-provider. Variables are entered through the Console UI (schema-driven
# by an optional schema.yaml); state is stored in OCI Object Storage automatically.
# This is an INVOCATION snippet — the .tf body is the existing Terraform block
# on this same control-box (do NOT duplicate HCL here).
oci resource-manager stack create-from-git-provider \
--compartment-id "$COMPARTMENT_OCID" \
--config-source-provider-id "$CONFIG_SRC_PROVIDER_OCID" \
--repository-url "https://example.com/org/hardening-iac" \
--branch-name "main" \
--working-directory "modules/oci-genai-04-private-endpoint" \
--display-name "oci-genai-04-private-endpoint" \
--terraform-version "1.5.x"
# Plan + apply via the ORM job lifecycle (state stored in OCI automatically).
STACK_OCID=$(oci resource-manager stack list \
--compartment-id "$COMPARTMENT_OCID" \
--display-name "oci-genai-04-private-endpoint" \
--query 'data[0].id' --raw-output)
# create-plan-job returns before the plan finishes; wait for SUCCEEDED before applying.
PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \
--stack-id "$STACK_OCID" \
--wait-for-state SUCCEEDED \
--query 'data.id' --raw-output)
oci resource-manager job create-apply-job \
--stack-id "$STACK_OCID" \
--execution-plan-strategy FROM_PLAN_JOB_ID \
--execution-plan-job-id "$PLAN_JOB_OCID"
Compliance mapping
CIS AWS Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS Microsoft Azure Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS GCP Foundation v4.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS OCI Foundation v2.0.0: n/a (no dedicated CIS GenAI benchmark)
NIST SP 800-53 rev5: SC-7; AC-17
ISO/IEC 27001:2022: A.8.20; A.8.22
ISO/IEC 27017:2015: CLD.13.1.4
OWASP LLM Top 10:2025: LLM10:2025
NIST AI 600-1 (Jul 2024): Information Security
EU AI Act (2024/1689): Art. 55 (in force 2025-08-02)
Log signals
OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' with eventName = 'UpdateEndpoint' whose payload sets networkConfig.networkType to PUBLIC.
Endpoint-create events with networkType = PUBLIC on customer-data-bearing endpoints.
VCN private-endpoint detachment events on a Generative-AI service-bound PE OCID.
Query
'Log Source' = 'OCI Audit Logs'
and 'Service Name' = 'generative-ai'
and eventName in ('CreateEndpoint', 'UpdateEndpoint')
| eval net_type = data.request.payload.networkConfig.networkType
| where net_type = 'PUBLIC'
| stats count by 'User Name', data.target.endpoint.id, eventName
Endpoint network exposure is a single enum on the endpoint resource; PUBLIC moves inference traffic to the open internet.
Alert threshold
Any endpoint flipped to networkType = PUBLIC outside a documented engineering exception — page.
Private-endpoint detachment on a Generative-AI service-bound PE — page.
Initial response
Re-set the endpoint networkType = PRIVATE via Resource Manager and re-attach the documented private-endpoint OCID.
Audit inference traffic across the public-exposure window for any source IP outside the corporate VPN allocation; export the request 5-tuples for forensic retention.
Rotate any client-side credentials that may have been observed on the public path and document per general/ir.html.
Enable OCI Audit Logs for all OCI Generative AI API calls. OCI Audit captures all API calls to OCI services as structured events, including the caller identity, source IP, action, and resource affected. Route Generative AI audit logs to Object Storage for long-term retention beyond the default 90-day Audit service retention. See OCI Logging for the OCI Audit Logs configuration pattern and Service Connector Hub routing.
Remediation — OCI CLI
# OCI CLI 3.x — query audit events for Generative AI operations
# List recent audit events for GenAI API calls in the compartment
oci audit event list \
--compartment-id "${COMPARTMENT_OCID}" \
--start-time "${ISO_DATE}" \
--stream-specifier AUDIT \
--output json | \
jq '.data[] | select(.data.request.action | contains("generative-ai"))'
# Verify audit log retention Object Storage bucket
oci os bucket list \
--compartment-id "${COMPARTMENT_OCID}" \
--output table | grep audit
Remediation — OCI Resource Manager
# Submit the Terraform block above to OCI Resource Manager via a configured
# Git source-provider. Variables are entered through the Console UI (schema-driven
# by an optional schema.yaml); state is stored in OCI Object Storage automatically.
# This is an INVOCATION snippet — the .tf body is the existing Terraform block
# on this same control-box (do NOT duplicate HCL here).
oci resource-manager stack create-from-git-provider \
--compartment-id "$COMPARTMENT_OCID" \
--config-source-provider-id "$CONFIG_SRC_PROVIDER_OCID" \
--repository-url "https://example.com/org/hardening-iac" \
--branch-name "main" \
--working-directory "modules/oci-genai-06-audit-logging" \
--display-name "oci-genai-06-audit-logging" \
--terraform-version "1.5.x"
# Plan + apply via the ORM job lifecycle (state stored in OCI automatically).
STACK_OCID=$(oci resource-manager stack list \
--compartment-id "$COMPARTMENT_OCID" \
--display-name "oci-genai-06-audit-logging" \
--query 'data[0].id' --raw-output)
# create-plan-job returns before the plan finishes; wait for SUCCEEDED before applying.
PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \
--stack-id "$STACK_OCID" \
--wait-for-state SUCCEEDED \
--query 'data.id' --raw-output)
oci resource-manager job create-apply-job \
--stack-id "$STACK_OCID" \
--execution-plan-strategy FROM_PLAN_JOB_ID \
--execution-plan-job-id "$PLAN_JOB_OCID"
Compliance mapping
CIS AWS Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS Microsoft Azure Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS GCP Foundation v4.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS OCI Foundation v2.0.0: n/a (no dedicated CIS GenAI benchmark)
NIST SP 800-53 rev5: AU-2; AU-12; SI-4
ISO/IEC 27001:2022: A.8.15; A.8.16
ISO/IEC 27017:2015: CLD.12.4.5
OWASP LLM Top 10:2025: LLM10:2025
NIST AI 600-1 (Jul 2024): Information Security
EU AI Act (2024/1689): Art. 55 (in force 2025-08-02)
Log signals
OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'logging' with eventName = 'DeleteLog' targeting a service-log OCID backing Generative-AI invocation logging.
Inference-event ingestion gap on the Generative-AI log source longer than 10 minutes during steady-state hours.
Service-log configuration update events flipping the category attribute away from invocation.
Query
'Log Source' = 'OCI Audit Logs'
and 'Service Name' = 'logging'
and eventName in ('DeleteLog', 'UpdateLog')
| eval is_genai = if(data.target.log.configuration.source.service = 'generative-ai', 'YES', 'NO')
| where is_genai = 'YES'
| stats count by 'User Name', data.target.log.displayName, eventName
Generative-AI service logs are individually addressed and their OCIDs are bounded; deletes are exceptional events.
Alert threshold
Any DeleteLog on a Generative-AI invocation log — page.
Ingestion gap exceeding 10 minutes on the Generative-AI log source — page; downstream model-abuse detections cannot evaluate without log flow.
Initial response
Re-create the deleted service log via Resource Manager; OCI Logging restores the invocation pipeline and resumes ingestion within minutes.
Back-fill the gap window from the dedicated AI cluster's local audit feed (accessible via the cluster admin REST endpoint) and load the slice into the Logging Analytics namespace.
Confirm Logging Analytics resumes inference-event ingestion and update the AI-platform observability dashboard per general/ir.html.
For regulated workloads requiring tenant-exclusive GPU allocation, deploy OCI Dedicated AI Clusters (oci_generative_ai_dedicated_ai_cluster). Dedicated clusters provide RDMA-isolated GPU allocation in a single-tenant configuration — no other customer's workloads share the underlying hardware. This is an OCI-unique differentiator with no direct equivalent on other providers.
When to require dedicated clusters: healthcare workloads governed by HIPAA (shared-hardware side-channel risk for PHI in inference context), financial workloads under PCI DSS Level 1, government classified workloads, and any workload where shared-hardware speculative execution risk or GPU memory residue is unacceptable under your threat model.
Dedicated AI Clusters are significantly more expensive than on-demand inference. Reserve for workloads with explicit regulatory requirements for hardware isolation (HIPAA, PCI DSS Level 1) or workloads processing highly sensitive personal data. On-demand inference is sufficient for the majority of enterprise GenAI workloads.
Remediation — OCI CLI
# OCI CLI 3.x — enumerate and inspect dedicated AI clusters
# List all dedicated AI clusters in the GenAI compartment
oci generative-ai dedicated-ai-cluster list \
--compartment-id "${COMPARTMENT_OCID}" \
--output table
# Inspect a specific cluster's isolation configuration
oci generative-ai dedicated-ai-cluster get \
--dedicated-ai-cluster-id "${CLUSTER_OCID}" \
--output json | \
jq '{id: .data.id, type: .data.type, unitCount: .data."unit-count", lifecycleState: .data."lifecycle-state"}'
Remediation — Terraform
# Terraform OCI provider ~> 5.0
resource "oci_generative_ai_dedicated_ai_cluster" "regulated" {
compartment_id = var.genai_compartment_ocid
display_name = "regulated-workload-cluster"
type = "HOSTING" # HOSTING for inference; FINE_TUNING for training jobs
unit_count = 1
unit_shape = "LARGE_COHERE" # Verify available shapes in target region
# dedicated_infrastructure_type ensures single-tenant GPU allocation
# Verify exact argument name in OCI Terraform provider documentation at authoring time
# dedicated_infrastructure_type = "DEDICATED" # consult provider docs for current argument
}
Remediation — OCI Resource Manager
# Submit the Terraform block above to OCI Resource Manager via a configured
# Git source-provider. Variables are entered through the Console UI (schema-driven
# by an optional schema.yaml); state is stored in OCI Object Storage automatically.
# This is an INVOCATION snippet — the .tf body is the existing Terraform block
# on this same control-box (do NOT duplicate HCL here).
oci resource-manager stack create-from-git-provider \
--compartment-id "$COMPARTMENT_OCID" \
--config-source-provider-id "$CONFIG_SRC_PROVIDER_OCID" \
--repository-url "https://example.com/org/hardening-iac" \
--branch-name "main" \
--working-directory "modules/oci-genai-07-dedicated-ai-cluster-isolation" \
--display-name "oci-genai-07-dedicated-ai-cluster-isolation" \
--terraform-version "1.5.x"
# Plan + apply via the ORM job lifecycle (state stored in OCI automatically).
STACK_OCID=$(oci resource-manager stack list \
--compartment-id "$COMPARTMENT_OCID" \
--display-name "oci-genai-07-dedicated-ai-cluster-isolation" \
--query 'data[0].id' --raw-output)
# create-plan-job returns before the plan finishes; wait for SUCCEEDED before applying.
PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \
--stack-id "$STACK_OCID" \
--wait-for-state SUCCEEDED \
--query 'data.id' --raw-output)
oci resource-manager job create-apply-job \
--stack-id "$STACK_OCID" \
--execution-plan-strategy FROM_PLAN_JOB_ID \
--execution-plan-job-id "$PLAN_JOB_OCID"
Compliance mapping
CIS AWS Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS Microsoft Azure Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS GCP Foundation v4.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS OCI Foundation v2.0.0: n/a (no dedicated CIS GenAI benchmark)
NIST SP 800-53 rev5: SC-5; SC-7
ISO/IEC 27001:2022: A.8.6; A.8.20
ISO/IEC 27017:2015: CLD.13.1.4
OWASP LLM Top 10:2025: LLM10:2025
NIST AI 600-1 (Jul 2024): Data Privacy
EU AI Act (2024/1689): Art. 55 (in force 2025-08-02)
Log signals
OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' with eventName = 'DeleteDedicatedAiCluster' against a cluster currently serving a production endpoint.
Dedicated-cluster scaling events that reduce unit-count below the documented production minimum, leading to inference-throughput collapse.
Cluster-binding update events that point a customer-facing endpoint at a shared inference cluster rather than the customer's dedicated cluster.
Query
'Log Source' = 'OCI Audit Logs'
and 'Service Name' = 'generative-ai'
and eventName in ('DeleteDedicatedAiCluster', 'UpdateDedicatedAiCluster', 'UpdateEndpoint')
| eval scaled_down = if(data.request.payload.unitCount < 2, 'YES', 'NO')
| where eventName = 'DeleteDedicatedAiCluster' or eventName = 'UpdateEndpoint' or scaled_down = 'YES'
| stats count by 'User Name', data.target.id, eventName
Dedicated AI cluster mutations are infrequent and ticketed; a delete against an in-production cluster is a control-fence break. The literal 2 in the scaled_down expression stands for the documented production minimum unit-count, and UpdateEndpoint events pass the filter so that cluster-binding changes reach review.
Alert threshold
Any DeleteDedicatedAiCluster on a cluster bound to a production endpoint — page on first event.
Cluster scale-down below the documented production minimum unit-count — page.
Initial response
Re-create the dedicated cluster via Resource Manager and re-bind the endpoint to the restored cluster OCID; OCI Generative AI resumes serving from the customer-dedicated capacity once the cluster reaches ACTIVE.
Confirm the endpoint's dedicatedAiClusterId matches the documented customer-bound OCID via oci generative-ai endpoint get.
Capture the gap window and brief the customer-facing model-serving team per general/ir.html.
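Added example, not from the original page: the three log signals above as offline triage logic that correlates each event with an inventory of production clusters and endpoints, which the query alone does not do. The event shape follows the field paths in the page's query; the inventory, OCIDs, user names and function names are constructed for illustration.

```python
PROD, CHAT = "ocid1.cluster.example.prod", "ocid1.endpoint.example.chat"  # placeholder OCIDs
PROD_CLUSTERS = {PROD: 2}      # cluster OCID -> documented minimum unit count
PROD_ENDPOINTS = {CHAT: PROD}  # endpoint OCID -> documented dedicated cluster


def triage(event):
    """Return a reason string if the event needs a page, else None."""
    name = event.get("eventName")
    data = event.get("data") or {}
    target = (data.get("target") or {}).get("id")
    payload = (data.get("request") or {}).get("payload") or {}
    if name == "DeleteDedicatedAiCluster" and target in PROD_CLUSTERS:
        return f"delete of production cluster {target}"
    if name == "UpdateDedicatedAiCluster" and target in PROD_CLUSTERS:
        units = payload.get("unitCount")
        # unitCount is absent when an update only touches tags or the display name.
        if units is not None and units < PROD_CLUSTERS[target]:
            return f"scale-down to {units} units (minimum {PROD_CLUSTERS[target]})"
    if name == "UpdateEndpoint" and target in PROD_ENDPOINTS:
        bound = payload.get("dedicatedAiClusterId")
        if bound is not None and bound != PROD_ENDPOINTS[target]:
            return f"endpoint {target} re-bound to {bound}"
    return None


def make_event(name, target, user, **payload):
    return {"eventName": name, "userName": user,
            "data": {"target": {"id": target}, "request": {"payload": payload}}}


# Constructed events (not real audit data), in the shape assumed from the query paths.
SAMPLE_EVENTS = [
    make_event("DeleteDedicatedAiCluster", PROD, "alice"),
    make_event("DeleteDedicatedAiCluster", "ocid1.cluster.example.dev", "bob"),
    make_event("UpdateDedicatedAiCluster", PROD, "carol", unitCount=1),
    make_event("UpdateDedicatedAiCluster", PROD, "carol", unitCount=4),
    make_event("UpdateDedicatedAiCluster", PROD, "dave"),
    make_event("UpdateEndpoint", CHAT, "erin", dedicatedAiClusterId="ocid1.cluster.example.shared"),
    make_event("UpdateEndpoint", CHAT, "erin", dedicatedAiClusterId=PROD),
]


def alerts(events):
    """Return [(user, reason)] for every event that should page."""
    return [(e["userName"], reason) for e in events if (reason := triage(e))]


if __name__ == "__main__":
    for user, reason in alerts(SAMPLE_EVENTS):
        print(f"PAGE: {reason} (by {user})")
```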
Apply OCI Security Zones to the GenAI compartment to enforce Zero Trust Packet Routing (ZPR) invariants and prevent insecure configurations. Security Zones enforce policies that cannot be bypassed by IAM changes: (1) all GenAI endpoints must use private endpoints — no public endpoint is allowed; (2) Object Storage buckets used for knowledge bases and fine-tuning data must have public access blocked; (3) all resources must use encryption (Oracle-managed minimum; Vault CMK for regulated workloads). Security Zone recipes provide standing policy enforcement that survives any individual IAM policy change or human error.
Remediation — OCI CLI
# OCI CLI 3.x — check Security Zone assignment and active recipes
# Security Zones are managed through the Cloud Guard command group
# List Security Zones in the GenAI compartment
oci cloud-guard security-zone list \
  --compartment-id "${COMPARTMENT_OCID}" \
  --output table
# Inspect active Security Zone recipes
oci cloud-guard security-recipe list \
  --compartment-id "${COMPARTMENT_OCID}" \
  --output table
# Get the Security Zone assignment for the GenAI compartment
oci cloud-guard security-zone get \
  --security-zone-id "${SECURITY_ZONE_OCID}" \
  --output json | \
  jq '{id: .data.id, displayName: .data."display-name", securityZoneRecipeId: .data."security-zone-recipe-id"}'
Remediation — Terraform
# Terraform OCI provider ~> 5.0
# Security Zone recipe defining the ZPR policy invariants
resource "oci_cloud_guard_security_recipe" "genai" {
  compartment_id = var.genai_compartment_ocid
  display_name   = "genai-security-recipe"
  # Reuse the policies of the built-in OCI Maximum Security Zone recipe or define custom rules:
  # - No public endpoints (enforces oci-genai-04 private endpoint requirement)
  # - Object Storage public access blocked (enforces knowledge base and fine-tuning data protection)
  # - Encryption required on all resources
  # The resource takes a list of policy OCIDs (security_policies), not a source recipe ID.
  # data.oci_cloud_guard_security_recipes.maximum is assumed to be declared elsewhere in the module.
  security_policies = data.oci_cloud_guard_security_recipes.maximum.security_recipe_collection[0].items[0].security_policies
  freeform_tags = {
    "workload" = "genai"
  }
}
# Associate the GenAI compartment with the Security Zone
resource "oci_cloud_guard_security_zone" "genai" {
  compartment_id          = var.genai_compartment_ocid
  display_name            = "genai-security-zone"
  security_zone_recipe_id = oci_cloud_guard_security_recipe.genai.id
  description             = "Security Zone enforcing ZPR invariants on the GenAI compartment"
}
Remediation — OCI Resource Manager
# Submit the Terraform block above to OCI Resource Manager via a configured
# Git source provider. Variables are entered through the Console UI (schema-driven
# by an optional schema.yaml); state is stored in OCI Object Storage automatically.
# This is an invocation snippet only; the .tf body is the Terraform block above.
oci resource-manager stack create-from-git-provider \
  --compartment-id "$COMPARTMENT_OCID" \
  --config-source-configuration-source-provider-id "$CONFIG_SRC_PROVIDER_OCID" \
  --config-source-repository-url "https://example.com/org/hardening-iac" \
  --config-source-branch-name "main" \
  --config-source-working-directory "modules/oci-genai-08-security-zone-policy" \
  --display-name "oci-genai-08-security-zone-policy" \
  --terraform-version "1.5.x"
# Plan + apply via the ORM job lifecycle (state stored in OCI automatically).
STACK_OCID=$(oci resource-manager stack list \
  --compartment-id "$COMPARTMENT_OCID" \
  --display-name "oci-genai-08-security-zone-policy" \
  --query 'data[0].id' --raw-output)
# Wait for the plan job to succeed; an apply job cannot consume an unfinished plan.
PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \
  --stack-id "$STACK_OCID" \
  --wait-for-state SUCCEEDED \
  --query 'data.id' --raw-output)
oci resource-manager job create-apply-job \
  --stack-id "$STACK_OCID" \
  --execution-plan-strategy FROM_PLAN_JOB_ID \
  --execution-plan-job-id "$PLAN_JOB_OCID"
Compliance mapping
CIS AWS Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS Microsoft Azure Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS GCP Foundation v4.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS OCI Foundation v2.0.0: n/a (no dedicated CIS GenAI benchmark)
NIST SP 800-53 rev5: CM-2; CM-7; SC-7
ISO/IEC 27001:2022: A.8.9; A.8.20
ISO/IEC 27017:2015: CLD.13.1.4
OWASP LLM Top 10:2025: n/a
NIST AI 600-1 (Jul 2024): Information Security
EU AI Act (2024/1689): Art. 55 (in force 2025-08-02)
Log signals
OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'cloud-guard' with eventName in (DeleteSecurityZone, UpdateSecurityZone) targeting the security zone bound to the Generative-AI compartment.
Security-zone recipe rule deletions that remove a Generative-AI-relevant policy (public-endpoint denial, public-bucket denial, no-default-key).
Resource-creation deny events emitted by the security zone that should have blocked a non-conforming Generative-AI resource but show the resource subsequently created.
Query
'Log Source' = 'OCI Audit Logs'
and 'Service Name' = 'cloud-guard'
and eventName in ('DeleteSecurityZone', 'UpdateSecurityZone', 'DeleteSecurityRecipeRule')
| eval ai_zone = if(data.target.securityZone.displayName like '%generative-ai%', 'YES', 'NO')
| where ai_zone = 'YES'
| stats count by 'User Name', data.target.securityZone.id, eventName
Security zones provide preventive enforcement at resource-creation time; their absence shifts the control from preventive to detective-only.
Alert threshold
Any DeleteSecurityZone on the Generative-AI compartment's security zone — page on first event.
Recipe rule deletion that removes a public-endpoint or public-bucket denial rule — page.
Initial response
Re-create the security zone with its documented recipe via Resource Manager; OCI Cloud Guard reapplies preventive policy to subsequent resource mutations within the compartment.
Audit Generative-AI resources created during the security-zone-down window for any that violate the documented zone recipe (public endpoints, default keys, public buckets) and remediate to conformance.
Confirm the zone re-binds to the Generative-AI compartment OCID via oci cloud-guard security-zone get and document per general/ir.html.
Configure OCI Vault Customer-Managed Keys (CMK) for fine-tuning training data stored in Object Storage and for custom model weights stored on Dedicated AI Clusters. Vault CMK enables encryption key lifecycle control — rotation, revocation, and HSM-backed key storage — for regulated workloads where Oracle-managed encryption is insufficient for compliance reasons. Use oci_kms_key with AES 256 algorithm; associate with Object Storage buckets used for fine-tuning data.
Scope note: OCI Vault CMK applies to fine-tuning training data and custom model weights stored on Dedicated AI Clusters. On-demand inference endpoints use Oracle-managed AES-256 double encryption and do not support Vault CMK for inference data. If your workload uses only on-demand mode, this control does not apply — scope it to Dedicated Cluster deployments and fine-tuning workflows only.
Remediation — OCI CLI
# OCI CLI 3.x — audit Vault CMK configuration for GenAI fine-tuning storage
# List Vault instances in the compartment (vault commands live under "kms management")
oci kms management vault list \
  --compartment-id "${COMPARTMENT_OCID}" \
  --output table
# Verify CMK association on Object Storage buckets used for fine-tuning data
oci os bucket get \
  --bucket-name "${BUCKET_NAME}" \
  --query 'data."kms-key-id"'
# List keys in the Vault
oci kms management key list \
  --compartment-id "${COMPARTMENT_OCID}" \
  --endpoint "${VAULT_MANAGEMENT_ENDPOINT}" \
  --output table
Remediation — Terraform
# Terraform OCI provider ~> 5.0
# OCI Vault for Customer-Managed Key management
resource "oci_kms_vault" "genai" {
  compartment_id = var.genai_compartment_ocid
  display_name   = "genai-vault"
  vault_type     = "DEFAULT"
}
# AES-256 CMK for fine-tuning data encryption
resource "oci_kms_key" "genai_finetuning" {
  compartment_id      = var.genai_compartment_ocid
  display_name        = "genai-finetuning-cmk"
  management_endpoint = oci_kms_vault.genai.management_endpoint
  key_shape {
    algorithm = "AES"
    length    = 32 # 256 bits
  }
}
# Object Storage bucket for fine-tuning training data — CMK-encrypted
resource "oci_objectstorage_bucket" "finetuning_data" {
  compartment_id = var.genai_compartment_ocid
  namespace      = data.oci_objectstorage_namespace.this.namespace
  name           = "genai-finetuning-data"
  access_type    = "NoPublicAccess"
  # Associate Vault CMK — applies to fine-tuning data storage ONLY
  # On-demand inference endpoints use Oracle-managed AES-256 double encryption
  kms_key_id = oci_kms_key.genai_finetuning.id
}
Remediation — OCI Resource Manager
# Submit the Terraform block above to OCI Resource Manager via a configured
# Git source provider. Variables are entered through the Console UI (schema-driven
# by an optional schema.yaml); state is stored in OCI Object Storage automatically.
# This is an invocation snippet only; the .tf body is the Terraform block above.
oci resource-manager stack create-from-git-provider \
  --compartment-id "$COMPARTMENT_OCID" \
  --config-source-configuration-source-provider-id "$CONFIG_SRC_PROVIDER_OCID" \
  --config-source-repository-url "https://example.com/org/hardening-iac" \
  --config-source-branch-name "main" \
  --config-source-working-directory "modules/oci-genai-05-vault-encryption" \
  --display-name "oci-genai-05-vault-encryption" \
  --terraform-version "1.5.x"
# Plan + apply via the ORM job lifecycle (state stored in OCI automatically).
STACK_OCID=$(oci resource-manager stack list \
  --compartment-id "$COMPARTMENT_OCID" \
  --display-name "oci-genai-05-vault-encryption" \
  --query 'data[0].id' --raw-output)
# Wait for the plan job to succeed; an apply job cannot consume an unfinished plan.
PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \
  --stack-id "$STACK_OCID" \
  --wait-for-state SUCCEEDED \
  --query 'data.id' --raw-output)
oci resource-manager job create-apply-job \
  --stack-id "$STACK_OCID" \
  --execution-plan-strategy FROM_PLAN_JOB_ID \
  --execution-plan-job-id "$PLAN_JOB_OCID"
Compliance mapping
CIS AWS Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS Microsoft Azure Foundations v3.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS GCP Foundation v4.0.0: n/a (no dedicated CIS GenAI benchmark)
CIS OCI Foundation v2.0.0: n/a (no dedicated CIS GenAI benchmark)
NIST SP 800-53 rev5: SC-28; IA-5
ISO/IEC 27001:2022: A.8.24; A.8.10
ISO/IEC 27017:2015: n/a
OWASP LLM Top 10:2025: n/a
NIST AI 600-1 (Jul 2024): Data Privacy
EU AI Act (2024/1689): Art. 55 (in force 2025-08-02)
Log signals
OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' with eventName in (UpdateModel, UpdateDedicatedAiCluster) whose kmsKeyId is nulled.
Vault audit feed showing ScheduleKeyDeletion against a key OCID present in the Generative-AI key-binding inventory.
Custom model fine-tune dataset upload events to an Object Storage bucket whose kmsKeyId is unset.
Query
'Log Source' = 'OCI Audit Logs'
and 'Service Name' in ('generative-ai', 'kms')
and (
  (eventName in ('UpdateModel', 'UpdateDedicatedAiCluster') and data.request.payload.kmsKeyId is null)
  or
  (eventName = 'ScheduleKeyDeletion' and data.target.key.id in_subset 'GenAIBoundKeys')
)
| stats count by 'User Name', data.target.id, eventName, 'Service Name'
The Generative-AI service binds Vault keys at the model and dedicated-cluster scope; null-keyings fall back to Oracle-managed defaults.
Alert threshold
Any model or dedicated cluster whose kmsKeyId is nulled — page.
ScheduleKeyDeletion against a Generative-AI-bound key OCID — page within the pending-deletion window.
Initial response
Rebind the Vault key via Resource Manager; OCI Generative AI re-wraps model artefacts on the next reconciliation cycle.
Cancel any pending key-deletion via oci kms management key cancel-key-deletion.
Verify all fine-tune dataset buckets carry the expected kmsKeyId via oci os bucket get and document the rebind per general/ir.html.
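Added example, not from the original page or from Oracle's tooling: the bucket part of the oci-genai-08 gap-window audit and the kmsKeyId verification above, run offline over bucket records. The records are constructed and use the kebab-case keys that `oci os bucket get` prints; the key OCID, bucket names, timestamps and function names are placeholders.

```python
from datetime import datetime

EXPECTED_KEYS = {"ocid1.key.example.finetuning"}  # placeholder Vault key OCID


def violations(bucket, expected_keys=EXPECTED_KEYS):
    """Check one bucket (the `data` object of `oci os bucket get`) against the recipe."""
    found = []
    access = bucket.get("public-access-type")
    if access != "NoPublicAccess":  # fail closed: a missing value is reported too
        found.append(f"public access not blocked ({access})")
    key = bucket.get("kms-key-id")
    if not key:
        found.append("no Vault key, Oracle-managed encryption in use")
    elif key not in expected_keys:
        found.append(f"Vault key outside the GenAI key inventory ({key})")
    return found


def audit(buckets, gap_start, gap_end, expected_keys=EXPECTED_KEYS):
    """Return {bucket name: {"violations": [...], "created_in_gap": bool}} for failures."""
    start, end = datetime.fromisoformat(gap_start), datetime.fromisoformat(gap_end)
    report = {}
    for bucket in buckets:
        found = violations(bucket, expected_keys)
        if found:
            created = datetime.fromisoformat(bucket["time-created"])
            report[bucket["name"]] = {"violations": found,
                                      "created_in_gap": start <= created <= end}
    return report


SAMPLE_BUCKETS = [  # constructed records, not real tenancy data
    {"name": "genai-finetuning-data", "public-access-type": "NoPublicAccess",
     "kms-key-id": "ocid1.key.example.finetuning", "time-created": "2025-01-10T09:00:00+00:00"},
    {"name": "scratch-datasets", "public-access-type": "ObjectRead",
     "kms-key-id": None, "time-created": "2025-03-02T14:30:00+00:00"},
    {"name": "legacy-kb", "public-access-type": "NoPublicAccess",
     "kms-key-id": None, "time-created": "2024-11-20T08:00:00+00:00"},
]

if __name__ == "__main__":
    gap = ("2025-03-02T12:00:00+00:00", "2025-03-02T18:00:00+00:00")
    for name, result in audit(SAMPLE_BUCKETS, *gap).items():
        print(name, result)
```

A bucket flagged with `created_in_gap` set appeared while the zone was not enforcing; one flagged without it predates the gap and points at drift that the zone never covered.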