Applying SABSA in the Age of AI: A Practical Framework for Modern Security Architects

Artificial intelligence is changing the way that organisations design, deliver, and secure their digital services. Security architects are now expected to address risks linked to automated decision-making, alongside evolving regulatory requirements. In many cases, traditional security design approaches are no longer sufficient to meet these needs. 

Frameworks like the Sherwood Applied Business Security Architecture (SABSA) offer a structured way to link business priorities, risk management, and technical architecture – all while helping architects make informed design decisions. In this article, we’ll look at how exactly SABSA can be applied to modern AI-enabled environments, and how architects can use this framework to support practical, risk-aligned security. 

 

Emerging AI Risks, in a Business Context

AI has introduced new kinds of exposure that security architects must understand before designing any technical controls. These risks are not limited to vulnerabilities in the infrastructure. They can also include issues surrounding automated decision-making, data security, and regulations relating to how systems are built and run. 

A core principle of the SABSA framework is that security architecture should begin with the actual context of the business, rather than the technology. This means identifying organisational priorities, stakeholder expectations, and risk tolerance, all before defining the security requirements. In AI-enabled environments, this approach helps architects avoid reactive decision-making, and instead build stable security models which will support innovation over the long term.

By framing AI security challenges in this manner – in terms of business impact and risk appetite – SABSA provides a practical foundation for developing architectures which are both effective and aligned with organisational goals.

 

Incorporating AI Risk into Practical Security Design 

Once AI-related risks have been understood in business terms, security architects need a structured way to address these concerns in the technical architecture. That’s where SABSA’s layered approach becomes particularly useful. The framework supports a logical progression, from defining security attributes, through to choosing technologies and implementation strategies that reflect organisational priorities. 

In AI-enabled environments, this can involve designing controls around data protection, system resilience, access management, and monitoring. Rather than applying isolated security measures, architects are encouraged to develop integrated solutions that support both operational performance and risk management goals. This helps ensure that AI initiatives can move forward with appropriate safeguards in place. 

By linking risk analysis directly to architectural design decisions, SABSA enables security architects to build structures that are both effective and aligned with broader digital efforts. 


 

 

Keeping Architectures Secure Over Time

Designing security controls is only part of the challenge for modern security architects. AI-driven systems are dynamic, often evolving through ongoing data input, model updates, and changes in how services are delivered. In turn, this means that security architecture must also support governance, assurance, and continual improvement after the systems become operational. 

The SABSA framework emphasises the need to monitor performance, confirm that controls remain effective, and ensure that security design continues to reflect organisational risk tolerance. In AI-enabled environments, this might involve maintaining oversight of data handling, reviewing access controls, and ensuring early detection of emerging risks. 

By incorporating governance considerations into architectural thinking, architects can help organisations maintain confidence in their AI-related initiatives, while also showing that security remains aligned with business objectives and regulatory requirements.

 

Building Architecture Skills in an AI-Enabled Environment

The scope of security architecture continues to expand to address AI-related risk and governance challenges. In turn, architects are expected to develop a broader mix of business, technical, and assurance capabilities. Understanding how to translate organisational priorities into security requirements, design structured frameworks, and support ongoing oversight is becoming a defining part of the modern security architect role.

Structured learning pathways can help you develop these competencies for yourself. The SABSA Foundation course, for example, focuses on understanding business drivers, risk context, and the principles of layered security architecture. More advanced courses – such as the Advanced A1 – explore practical architecture design techniques, and the governance processes required to maintain alignment between security strategy and organisational objectives.      

Training programs like these provide recognised and reliable routes towards building the necessary expertise. By progressing from foundational concepts to advanced architectural capabilities, security professionals can strengthen their ability to design and manage security architectures suited to AI-enabled environments. 

 

Strengthening Security Architecture in the Age of AI

AI is rapidly reshaping the way organisations manage risk, compete, and operate. For security architects, this shift brings both new opportunities and responsibilities. Designing effective protection now requires a clearer understanding of business priorities, evolving threats, and resilient long-term governance structures. Frameworks such as SABSA help provide that structure, enabling architects to move beyond isolated technical controls, and contribute more directly to organisational strategy and performance. 

Structured training pathways provide the most reliable and effective route for professionals looking to develop in this area. The courses offered by ALC Training introduce recognised SABSA concepts, and support subsequent progression into more advanced design and assurance roles, helping security architects prepare for the demands of increasingly AI-enabled digital environments. 

 

 
