Authors:
Aaron Sutton, Technical Solutions for Financial Services - Google Cloud Office of the CISO
Brian Schmult, Consulting Account Lead - Google Cloud Professional Services
In the age of cloud and AI, innovation is the engine of progress. Yet, for those in heavily regulated industries such as Financial Services, Healthcare, and the Public Sector, the path to pioneering new solutions is often obstructed by complex security and compliance hurdles. Navigating the landscape of secure cloud adoption can feel onerous, and layering on the additional considerations of Generative AI only increases the challenge.
We consistently hear from organizations grappling with fundamental questions: How do you truly understand a SaaS provider's security foundation? What are the absolute must-have controls for your own secure deployment? And critically, how do you confidently demonstrate that your security measures not only meet but exceed stringent regulatory demands—all without grinding progress to a halt?
Today, as part of our commitment to the Shared Fate model, we are thrilled to announce the launch of Control Navigator, a new offering designed to streamline your compliance journey on Google Cloud. To kick off this initiative, we are releasing our first comprehensive prescriptive guidance: the Control Navigator for Vertex AI.
Born in Financial Services, Built for All Regulated Industries
This initiative was born out of direct collaboration with our strategic customers in the financial services sector—one of the most heavily regulated industries in the world. We listened to their feedback to create prescriptive, actionable guidance that maps Google Cloud's opinionated best practices to rigorous frameworks like NIST 800-53, CSA CCM, and the Cyber Risk Institute (CRI) Profile.
While designed with the stringent requirements of financial services in mind, the principles and controls outlined in this playbook are broadly applicable to any regulated industry. Whether you are in Healthcare managing patient data or in Manufacturing protecting intellectual property, Control Navigator for Vertex AI provides a robust framework for building and deploying AI in a secure and compliant manner.
The Benefits: Security at the Speed of Innovation
Control Navigator is more than just documentation; it is a service designed to deliver tangible results by bridging the gap between compliance requirements and technical implementation. It is built on three key benefits:
- Prescriptive Guidance: We provide clear, opinionated guidance on exactly how to configure Vertex AI and its supporting services. Instead of vague recommendations, you get specific configurations mapped to regulatory controls, giving your security, compliance, and risk teams the clarity they need to approve workloads faster.
- Accelerated Onboarding: By providing a clear and repeatable framework, Control Navigator dramatically reduces the time it takes to get AI workloads into production.By moving from a bespoke assessment process to a standardized security profile, organizations can avoid the pitfalls of traditional, lengthy approval cycles. Onboarding can be further accelerated through a hands-on Professional Services engagement, who will deploy a secure foundational environment and enable the Vertex AI platformservice according to these best practices.
- Automation and Continuous Monitoring: The guidance is designed to be deployed at scale using automation assets, such as Terraform, and validated continuously. This ensures that your security posture doesn't just start strong but remains robust as your environment evolves.
A Look Inside: Key Security Controls for AI
The Control Navigator for Vertex AI provides a defense-in-depth approach, implementing a wide range of preventative and detective controls to establish a secure foundation for your AI workloads. These controls are designed to align directly with the Google Recommended AI Essentials - Vertex AI framework found in Google Cloud's Compliance Manager.
Here is an overview of the critical security domains covered by the playbook:
1. Identity and Access Management (IAM)
Enforcing the principle of least privilege is paramount for preventing unauthorized access to sensitive AI models and data. The playbook implements controls that restrict access modes for notebooks and disable root access on compute instances. By enforcing these configurations, the guidance helps prevent privilege escalation and ensures that only authorized identities can interact with your AI resources.
2. Secure Networking and Environment Isolation
Your AI workloads must run in a secure, isolated environment to prevent data exfiltration and unauthorized external access. The Control Navigator guidance establishes a secure network perimeter using VPC Service Controls and strictly limits public connectivity. This includes blocking the assignment of external IP addresses to AI instances and restricting resources to specific, secure VPC networks, ensuring your models and data remain within a protected boundary.
3. Data Protection and Exfiltration Prevention
Data is your most valuable asset, and protecting it is a core focus of the Control Navigator. The playbook enforces Encryption at Rest by default and provides guardrails for using Customer-Managed Encryption Keys (CMEK) across your AI datasets and models. Additionally, it includes controls to prevent sensitive training data or model outputs from being leaked, such as disabling file downloads directly from user interfaces like JupyterLab.
4. Logging and Threat Detection
Comprehensive visibility is critical for regulated workloads to detect and respond to potential threats. The guidance mandates the enablement of robust audit logging—capturing Admin Read, Data Read, and Data Write events—across Vertex AI and its supporting services. It also integrates with Security Command Center to facilitate automated vulnerability scanning for container images, ensuring that artifacts are secure before they are ever deployed into your live environment.
Continuous Compliance with Compliance Manager
Implementing controls is only half the battle; proving they are working is the other. To provide continuous compliance monitoring and reporting, the foundational controls outlined in the Control Navigator playbook have been codified into the Google Recommended AI Essentials - Vertex AI framework.
This framework is available now within Compliance Manager in Security Command Center. By activating this framework, you can:
- Automate Assessments: Automatically scan your Vertex AI environment against the Control Navigator best practices.
- Detect Drift: Instantly identify if a resource violates a control (e.g., if a Notebook is accidentally created with a public IP).
- Streamline Audits: Generate reports that demonstrate your adherence to these Google-recommended controls, simplifying the evidence-gathering process for internal and external auditors.
Get Started Today
We are committed to helping you navigate the complexities of AI adoption. The Control Navigator offering for Vertex AI is a testament to that commitment, providing you with the tools and guidance you need to innovate with confidence.
To get started:
- Review the full Security best practices for generative AI playbook.
- Explore the Compliance Manager in Security Command Center and enable the Google Recommended AI Essentials - Vertex AI framework to start assessing your environment today.
- Reach out to your Google Cloud account team to learn more about how our Professional Services Organization (PSO) can assist you with a tailored Control Navigator engagement.
Secure your future, accelerate your innovation, and navigate the cloud with confidence.