Zscaler AI Security Platform

🗂 PILLAR 1 · AI Infrastructure — AI Asset Management & SPM CLOUD-NATIVE DISCOVERY · POSTURE MGMT

🧠 AI Assets — Models

Full inventory of AI/LLM models discovered across cloud infra

Per model: publisher, country of origin, licensing terms, risk score

Lifecycle timeline: discovery → deployment → monitoring → updates

Attack path graph: how the model can be compromised (IAM, public exposure, malware, CVEs)

Model Scan Findings — active vulnerability results

Status: Sanctioned / Unsanctioned / Pending Review

Platforms: Amazon Bedrock, Azure Foundry AI, Google Vertex AI, Hugging Face, Ollama

🔌 AI Assets — MCP Servers NEW Jun 2026

Centralized inventory of all MCP server instances (VMs, containers, etc.)

Capabilities flagged: file system access, network access, code execution

Risk score: Critical / High / Medium / Low (blast radius if compromised)

Status: Sanctioned / Unsanctioned / Pending Review

Connection graph: MCP ↔ client ↔ tools ↔ prompts ↔ APIs ↔ filesystem ↔ code repo

Tool-level detail: name, description, parameters, file/network access per tool

Attack path visualization with red-warning icons on vulnerable nodes

🤖 AI Assets — Agents NEW Jun 2026

Inventory of all AI agents discovered across the environment

Tracks ephemeral identities (agents that spawn sub-agents)

Access path mapping — what data/systems each agent can reach

Agentic codebase scanning — uncovers risks in agent source code

Governance status (sanctioned / unsanctioned / pending) per agent

Agent Registry integration with AI Broker product

📦 AI Resources — Software Libraries

Inventory of all AI/ML libraries in use across infra

Covers: Hugging Face, PyTorch, TensorFlow, LangChain, LlamaIndex, etc.

CVE and vulnerability mapping per library version

Supply chain risk: country of origin, maintainer, license type

Flags unsupported or end-of-life library versions

🗄 AI Resources — Data Stores

Discovers all data connected to AI models (S3 buckets, blob storage, vector DBs, RAGs)

Auto-classification: PII, PHI, IP, credentials, source code in training data

Data lineage: which model trains on which data, and what's exposed

Overprivileged access detection on training datasets

Data poisoning risk assessment

Revokes access from overprivileged users (internal + external)

📋 AI Posture Policies (SPM Rule Engine)

Prebuilt + custom policies per threat category

Threat categories: misconfiguration, data exposure, excessive permissions, injection risk, supply chain risk

Integrates 100+ DLP dictionaries: PII, PHI, PCI, source code, credentials

Data Sensitivity Settings — which DLP engines are active

Guided remediation: step-by-step fix instructions per violation

Framework alignment: NIST AI RMF 600-1, EU AI Act, HIPAA, GDPR, ISO 42001

Real-time alerts on configuration drift

☁️ Cloud Account Onboarding

AWS: IAM role-based scanner, Orchestrator + Monitoring CloudFormation templates, Org-level tree discovery

Supported IAM condition keys and operators documented

Azure: Foundry AI native integration

Google: Vertex AI native integration

Unmanaged: Hugging Face + Ollama discovery (self-hosted, local)

Scanner instance management per cloud account

🔬 Monitoring & Investigation

Dashboard: AI security posture overview — risk by severity, issue counts, model scan summary, compliance snapshot

Usage Insights: GenAI app usage by user/dept/geo, shadow AI discovery, CXO-level reporting

Issues View: All policy violations in one list, status tracking (Open/In Progress/Resolved), ITSM export to Jira / ServiceNow

Model Scan Findings: CVEs per model artifact and dependency, remediation guidance

Investigation (Query Builder): Custom queries across all AI asset and policy data — "Which agents touched this data store?"

🛡 PILLAR 2 · Secure Access to AI — AI Guard (Inline Proxy + DaaS API) ZIA LAYER · USER-FACING & INTERNAL APPS

📱 AI Applications Registry

Register every GenAI app AI Guard manages

250+ supported apps with full prompt extraction expanded Jun 2026

ChatGPT, Copilot, Gemini, Claude, Perplexity, Midjourney, etc.

Proxy mode (inline) vs. DaaS mode (API) per app

Application Groups for bulk policy binding

Anthropic Compliance API + OpenAI Compliance API NEW

Full conversational view — entire thread context, not just single turn NEW

🔑 LLM Providers & Credentials (Proxy mode only)

Configure upstream LLM providers AI Guard proxies to

Supported: OpenAI, Anthropic, Azure OpenAI, AWS Bedrock (standard + Unified + Agent), Google Gemini, Google Vertex AI

Credential management: API key, expiry date, provider binding

Public vs. private deployment flag

AI Guard sits in the trust chain — it holds the API keys

🧪 Policy Configurations — 18+ Detectors

Prompt Injection — adversarial inputs to hijack LLM behavior

Jailbreak Protection — bypass safety guidelines

PII / PHI / PCI — sensitive data in prompts or responses

Source Code / IP / Secrets — credentials, keys, proprietary code

Toxicity — harmful, abusive language

Malicious URLs — dangerous links in prompts or responses

Competitor Mention — blocks competitor references

Finance / Legal Advice — actionable vs. neutral information

Language Enforcement — approved language list only

Off-topic / Gibberish / Refusal — scope and quality control

Intent-based multi-turn guardrails — context across a conversation NEW

Actions per detector: Allow / Block / Detect (warn-only)

🔗 Policy Control (Binding Layer)

Separate object from Policy Configuration — the enforcement binding

User policy control: match by LLM provider + user/group

App policy control: match by app, custom headers, source IP

Rule order matters — processed top-to-bottom

Enable/disable per rule without deleting it

At least one match criterion required per rule

🌐 ZIA Proxy-Chain Integration (Inline Mode)

ZCC on endpoint → ZIA → proxy chain → AI Guard → LLM

AI Guard proxy endpoint: forward.zseclipse.net:9443

AI Guard CA cert uploaded to ZIA as proxy-chain root

QUIC protocol must be blocked (firewall rule) to prevent bypass

Wildcard FQDN destination groups + Forwarding Control rules per AI domain

Supported app/domain list — last updated Apr 14, 2026

Fail-closed proxy config recommended

⚙️ DaaS API Mode (No Proxy)

App calls AI Guard API directly — no inline proxy

API: api.<cloud>.zseclipse.net/v1/detection/execute-policy

Python SDK: execute_policy(content, direction, policy_id)

Direction: IN (prompt before LLM) · OUT (response before user)

Gateway integrations: LiteLLM, Portkey, Kong, Azure APIM, Apigee, NeMo

IDE integrations: Claude Code, Cursor, Cline, Windsurf

CI/CD: GitHub Actions, Jenkins — gate releases on pass/fail

Workflow: n8n, TrueFoundry — prompt+response scan in automation

📈 Dashboard, Insights & Usage

Dashboard: Per-transaction log — user, app, LLM, detector fired, action, latency, prompt detail. 90-day window.

Insights: Blocked counts, token usage, top detectors, PII categories, trends over time, security posture score

Usage: Prompt/response token volume per app and per user

Policy Testing: Test a prompt against a policy before deploying to prod

⚙️ Tenant Settings & RBAC

Deployment mode: Proxy or DaaS toggle at tenant level

Prompt/response storage: 90-day opt-in retention

Encryption: Customer-managed KMS key (AWS currently supported)

Network ACL: Restrict admin access by IPv4 CIDR

RBAC roles: Viewer / Editor / Administrator (custom templates via ZIdentity)

Log export: Splunk HEC, CrowdStrike + S3, AWS S3, ADX Event Hub

🎯 PILLAR 3 · Secure AI Infrastructure & Apps — Red Teaming (SPLX) APPSEC / DEV TEAMS · SHIFT-LEFT

⚔️ Automated Red Teaming Engine

5,000+ prebuilt attack simulations — purpose-built and domain-specific

Attack types: prompt injection, jailbreak, data poisoning, tool abuse, model confusion, hallucination induction

Multi-modal testing: text, voice, images, documents

AI red teaming for MCP servers NEW Jun 2026

Custom probe creation — upload your own attack datasets

Powered by OpenAI GPT-5.4-Cyber for sophisticated attack generation

Tests commercial and open-source LLMs — benchmark for model selection

Agentic Radar — open-source scanner for agentic AI workflows

🔒 Prompt Hardening Service Now Standalone

Automatically hardens system prompts based on red team findings

Reduces exploitable prompt attack surface by up to 95% (SPLX data)

Dynamic hardening — updates as new attack patterns emerge

Now available as standalone service (was bundled with red team only)

LLM log scanning — detects jailbreaks and injections in near real-time from existing logs

🏭 Policy Generator Market-First

Auto-generates runtime guardrail policies from red team findings

Output targets: Zscaler AI Guard policies, AWS Bedrock guardrails

Domain-specific and fine-tuned per customer's AI app context

Closes the loop: red team → policy → enforcement → re-test

📊 Compliance Heat Maps NEW Jun 2026

Visual mapping of red team findings → compliance framework gaps

Frameworks: EU AI Act, NIST AI RMF, OWASP LLM Top 10, MITRE ATLAS, ISO/IEC 42001

Custom policy creation and import for internal standards

Produces audit evidence of pre-production AI security testing

Board/CISO-level reporting on AI security posture

🔄 CI/CD & Remediation Integration

CI/CD: GitHub Actions, Jenkins — security scan as a pipeline gate

Pass/fail on expected actions (ALLOW/BLOCK/DETECT) per test prompt

Optional probes — warn without failing the build

ITSM: Jira and ServiceNow for remediation workflow tracking

Scan on: config/script changes, model updates, or manual dispatch

🏗 Runtime Guardrails (from Red Teaming)

Enforces input/output guardrails in live AI deployments

Detects malicious behavior, prompt injections, sensitive data leakage at runtime

Feeds findings back into Policy Generator for AI Guard policy updates

Deep visibility within development environments

🤖 NEW PRODUCTS · Agentic AI Security Layer (Zenith Live, Jun 9 2026) BRAND NEW · INDUSTRY-FIRST ZT FOR AGENTS

🔀 AI Broker NEW PRODUCT

Secures MCP (Model Context Protocol) communications between agents and tools

Secures A2A (Agent-to-Agent) communications

Agent Registry: inventory of every agent + fine-grained access policy per agent before it runs

Enforces least-privilege per agent identity

Ecosystem partners: Zendesk, n8n, Kore.ai — native compatibility

Works alongside AWS Bedrock, Google Cloud, Microsoft agent platforms

💻 Endpoint AI Security NEW PRODUCT

Detects AI-related threats on employee devices

Covers browsers, plugins, extensions — layer traditional EDRs miss

Detects local AI tools (Ollama, local LLMs) — invisible to inline ZIA inspection

Enforces AI policies down to the endpoint layer

Extends AI Asset Management visibility to endpoints

🗺 AI Access Graph NEW PRODUCT

Maps: identities ↔ agents ↔ apps ↔ models ↔ data sources

Powered by Symmetry Systems acquisition (May 2026)

Real-time data lineage tracking across every AI channel

Enforces tighter access policies by exposing unnecessary connections

Answers: "Which agent accessed what data, via which path, at what time?"

Reduces unnecessary access privileges and tracks data lineage at scale

⚖️ CROSS-CUTTING · AI Governance, Compliance & Ecosystem Integrations SPANS ALL PILLARS

📜 Regulatory Framework Alignment

EU AI Act — risk classification, documentation, human oversight requirements

NIST AI RMF 600-1 — govern, map, measure, manage AI risks

ISO/IEC 42001 — AI management system standard

OWASP LLM Top 10 — prompt injection, data leakage, insecure plugin design

MITRE ATLAS — adversarial ML threat matrix

HIPAA / GDPR / CCPA — data protection regulations

Compliance heat maps from red team findings (Jun 2026)

Continuous posture monitoring with drift alerts

🪤 AI Deception NEW

Decoy / honeypot layer that diverts model-based attacks

Neutralizes adversarial inputs before they reach real models

Detects reconnaissance, probing, and adversarial scanning activity

Generates intelligence on attacker techniques and targets

🔗 Ecosystem Integrations

LLM providers: OpenAI, Anthropic, AWS, Microsoft Azure, Google Cloud

ITSM: Jira, ServiceNow — issue tracking + remediation workflow

SIEM / Log: Splunk, CrowdStrike, ADX Event Hub, AWS S3

DSPM / DLP: Native Zscaler data security platform integration

AI Gateways: LiteLLM, Portkey, Kong, Azure APIM, Apigee

IDEs / Agents: Claude Code, Cursor, Cline, Windsurf, GitHub Copilot

Workflow: n8n, TrueFoundry, NeMo Guardrails

GSI partners: Wipro (AI-Guardian program, May 2026)

📐 QUICK REFERENCE · Deployment & Pre-Sales Decision Matrix SE CHEAT SHEET

Customer Scenario → Which Module

🙋 Employees using ChatGPT / Copilot / Gemini → AI Guard Proxy via ZIA (ZCC already in place)

🏗 Building internal AI chatbot on Azure OpenAI / Bedrock → AI Guard DaaS API (dev integration)

👁 "We don't know what AI tools our employees use" → AI Asset Management (inline traffic + SaaS CASB)

☁️ Running AI models/agents in AWS/Azure/GCP → AI Asset Management (cloud account onboarding)

🧑‍💻 Dev team building LLM apps, needs pre-prod testing → Red Teaming (SPLX) + Prompt Hardening

🤖 Deploying AI agents across business workflows → AI Broker + AI Access Graph + Agent Registry

💻 Shadow AI on employee laptops (local LLMs, browser plugins) → Endpoint AI Security

📋 EU AI Act / NIST AI RMF compliance requirement → Red Teaming Compliance Heat Maps + AI Posture Policies

Effort by Module (ZIA Customer Baseline)

🟢 AI Guard (user → GenAI) — Low: ZIA proxy-chain config, no new agent

🟡 AI Guard DaaS (internal app) — Medium: dev team SDK integration required

🟢 AI Asset Mgmt (inline traffic) — Very low: rides existing ZIA + SSL inspection

🟡 AI Asset Mgmt (SaaS embedded AI) — Low-medium: needs CASB API connector

🟡 AI Asset Mgmt (cloud agents/models) — Medium: cloud connector / IAM setup

🟢 AI Asset Mgmt (endpoints + local AI) — Low if ZCC already deployed

🟡 AI Asset Mgmt (code repos) — Medium: GitHub/GitLab connector setup

🔴 Red Teaming — Medium-high: dev/AppSec team must point LLM endpoint to SPLX

🔐 Zscaler AI Security Platform — Complete Module Map