Security, Networking, Monitoring, and Responsible AI
Key Takeaways
- Production AI-103 solutions should prefer Microsoft Entra ID, managed identity, and RBAC over embedded API keys.
- Private endpoints, private link, and managed networking reduce public exposure for Foundry projects, AI Search, Storage, APIs, and other dependencies.
- Content filters address harmful content categories, while Prompt Shields target direct and indirect prompt-injection attacks.
- Monitoring and tracing are separate but related: monitoring tracks production health and quality trends, while tracing captures request-level execution evidence.
- Responsible AI planning includes evaluators, safety evaluations, provenance metadata, approval workflows, tool constraints, and user-feedback loops.
Security, Networking, Monitoring, and Responsible AI
AI-103 treats security and responsible AI as design requirements, not cleanup tasks. A Foundry app might pass a quick demo with an API key, public endpoints, and no telemetry, but that design will not satisfy production scenarios. The exam favors keyless authentication, scoped authorization, private connectivity, safety filters, observability, and human oversight where actions are sensitive.
Identity and Access
Use Microsoft Entra ID and managed identity when Azure-hosted compute calls Foundry Models, Azure OpenAI, Azure AI Search, Storage, Key Vault, or internal APIs. A managed identity is an Azure-managed service principal, so code can request tokens without storing secrets. Then use role-based access control (RBAC) to grant only the permissions required at the correct scope.
| Requirement | Better design | Risky design |
|---|---|---|
| App calls model deployment | Managed identity with Azure AI or Azure OpenAI data-plane role | API key hard-coded in source or app settings with broad access |
| Project stores reusable service access | Project connection using Entra ID or managed identity where possible | Shared admin key pasted into multiple flows |
| Developer needs project access | Azure AI User or project-scoped role | Subscription Owner for day-to-day development |
| Secret still required | Store in Key Vault and retrieve with managed identity | Store in repository, prompt flow file, or front-end code |
Networking and Isolation
Use private networking when data sensitivity, compliance, or exfiltration risk matters. Private endpoints and private link create private IP paths to services such as Foundry resources, Storage, Azure AI Search, API Management, or private tool endpoints. In stricter designs, disable public network access and make sure every dependency has a private route, not just the model endpoint.
For agents, also constrain tools. Register only the tools the agent needs, authenticate tool calls independently, and require approval before high-impact actions such as sending external messages, updating production records, executing code, or calling privileged APIs.
Safety Controls
Content safety has multiple layers. Basic content filters classify prompts and completions for harm categories such as hate, sexual, violence, and self-harm. Prompt Shields look for direct jailbreak attempts and indirect prompt-injection attacks hidden in retrieved documents, web pages, emails, images, or uploaded files. Protected-material filters can help detect known protected text or code in generated output.
| Control | Main purpose | Exam clue |
|---|---|---|
| Content filter | Block or annotate unsafe input and output categories | Harmful prompt or generated response |
| Prompt Shields | Detect jailbreak and indirect prompt injection | Retrieved content tries to override system instructions |
| Groundedness evaluator | Check whether an answer is supported by provided sources | RAG bot invents facts or ignores citations |
| Approval workflow | Keep humans in control of sensitive actions | Agent can spend money, change data, or contact users |
Monitoring, Tracing, and Evaluation
Monitoring answers: "Is production healthy?" Foundry monitoring integrates with Azure Monitor and Application Insights to surface token consumption, latency, exceptions, quality scores, safety events, and response trends. Use alerts when cost spikes, latency rises, groundedness drops, or harmful-output metrics breach thresholds.
Tracing answers: "What happened in this one request?" Distributed traces record spans for prompt construction, retrieval, model calls, tool invocations, agent decisions, and downstream services. Traces support debugging, audit review, and provenance because they show the evidence trail behind a response.
Evaluation answers: "Is this system good enough?" Run pre-production evaluation on labeled datasets and use continuous evaluation on sampled production traffic. Include quality metrics, risk and safety evaluators, groundedness, relevance, task completion, and custom business checks. A reliable AI-103 solution combines all three: monitoring for trends, tracing for detail, and evaluation for measurable quality.
A RAG-powered agent uses managed identity and private endpoints, but users report that retrieved documents sometimes contain hidden instructions telling the agent to ignore its system prompt. Which control most directly addresses this risk?