Configure AI Protection

Premium and Enterpriseservice tiers (requiresorganization-level activation)

Preview — AI Protection for Security Command Center Premium

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

AI Protection helps you secure your AI assets and workflows by monitoring your models, data,and AI-related infrastructure. This guide describes how to configure AI Protection.

Before you begin

  1. Get your organization ID.
  2. To create and grant roles, ensure you have the required permissions, such asthe Identity and Access Management (IAM) Role Administrator (roles/iam.roleAdmin) and OrganizationAdministrator (roles/resourcemanager.organizationAdmin) roles. For moreinformation, seeIAM roles and permissions index.

Required roles

After you complete the steps inBefore you begin, follow thesteps in one of the following sections to set up required roles forAI Protection access:

Custom roles

To adhere to the principle of leastprivilege, you can create custom IAM roles that grant only the necessarypermissions for viewer or administrator access.

This document shows you how to create and grant custom roles for AI Protection.

Configure viewer access

Viewer access lets a user view the AI Protection dashboard and data. Toconfigure viewer access, you create a customAIP Viewer role and then grantthat role to a user.

Create the AIP Viewer custom role

Create a custom role that contains all the permissions that are required forread-only access to AI Protection.

Console

  1. In the Google Cloud console, go to theRoles page.

Go to Roles

  1. ClickCreate role.
  2. In theTitle field, enterAIP Viewer.
  3. TheID field auto-populates. You can optionally change it toaip.viewer.
  4. In theDescription field, enterGrants permissions required to viewAIP dashboard and data.
  5. SetRole launch stage toGeneral Availability.
  6. ClickAdd permissions.

  7. Filter for and select each of the following permissions:

    • cloudasset.assets.exportResource
    • cloudasset.assets.searchAllIamPolicies
    • cloudasset.assets.searchAllResources
    • cloudasset.assets.searchEnrichmentResourceOwners
    • cloudasset.othercloudconnections.get
    • cloudasset.othercloudconnections.list
    • cloudsecuritycompliance.controlComplianceSummaries.list
    • cloudsecuritycompliance.frameworkComplianceReports.get
    • dspm.locations.computeAggregation
    • dspm.locations.fetchLineageConnections
    • monitoring.timeSeries.list
    • resourcemanager.organizations.get
    • resourcemanager.projects.get
    • securitycentermanagement.securityCommandCenter.get
    • securitycenter.assets.group
    • securitycenter.assets.list
    • securitycenter.attackpaths.list
    • securitycenter.complianceReports.aggregate
    • securitycenter.findings.group
    • securitycenter.findings.list
    • securitycenter.issues.get
    • securitycenter.issues.group
    • securitycenter.issues.list
    • securitycenter.issues.listFilterValues
    • securitycenter.simulations.get
    • securitycenter.sources.get
    • securitycenter.sources.list
    • securitycenter.userinterfacemetadata.get
    • securitycenter.valuedresources.list

  8. ClickAdd.

  9. ClickCreate.

gcloud

  1. In a terminal, run the followinggcloud command to create the role:
gcloudiamrolescreateaip.viewer\--organization=ORGANIZATION_ID\--title="AIP Viewer"\--description="Grants permissions required to view AIP dashboard and data."\--permissions="cloudasset.assets.exportResource,cloudasset.assets.searchAllIamPolicies,cloudasset.assets.searchAllResources,cloudasset.assets.searchEnrichmentResourceOwners,cloudasset.othercloudconnections.get,cloudasset.othercloudconnections.list,cloudsecuritycompliance.controlComplianceSummaries.list,cloudsecuritycompliance.frameworkComplianceReports.get,dspm.locations.computeAggregation,dspm.locations.fetchLineageConnections,monitoring.timeSeries.list,resourcemanager.organizations.get,resourcemanager.projects.get,securitycentermanagement.securityCommandCenter.get,securitycenter.assets.group,securitycenter.assets.list,securitycenter.attackpaths.list,securitycenter.complianceReports.aggregate,securitycenter.findings.group,securitycenter.findings.list,securitycenter.issues.get,securitycenter.issues.group,securitycenter.issues.list,securitycenter.issues.listFilterValues,securitycenter.simulations.get,securitycenter.sources.get,securitycenter.sources.list,securitycenter.userinterfacemetadata.get,securitycenter.valuedresources.list"\

ReplaceORGANIZATION_ID with your organizationID.

Grant viewer access to a user

After you create theAIP Viewer custom role, grant it to users who need vieweraccess.

Console

  1. In the Google Cloud console, go to theIAM page.

Go to IAM

  1. ClickGrant Access.
  2. In theNew principals field, enter the user's email address.
  3. In theSelect a role drop-down, search for and select theAIPViewer custom role.
  4. ClickSave.

gcloud

  1. In a terminal, run the followinggcloud command:
gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID\--member="user:USER_EMAIL"\--role="organizations/ORGANIZATION_ID/roles/aip.viewer"

Replace the following:

  • ORGANIZATION_ID:your organization ID.
  • USER_EMAIL: theuser's email address.

Configure administrator access

Administrator access lets a user manage AI Protection features.To configure administrator access, you first create theAIP Essentials customrole. Then, you grant that role and the required predefined roles to a user.

Create the AIP Essentials custom role

Create a custom role that contains the essential supporting permissions requiredfor AI Protection.

Console

  1. In the Google Cloud console, go to theRoles page.

Go to Roles

  1. ClickCreate role.
  2. In theTitle field, enterAIP Essentials.
  3. TheID field auto-populates. You can optionally change it toaip.essentials.
  4. In theDescription field, enterGrants supporting permissionsrequired to view AIP dashboard and data.
  5. SetRole launch stage toGeneral Availability.
  6. ClickAdd permissions.

  7. Filter for and select each of the following permissions:

    • cloudasset.assets.searchEnrichmentResourceOwners
    • cloudasset.othercloudconnections.get
    • cloudasset.othercloudconnections.list
    • resourcemanager.organizations.get
    • resourcemanager.projects.get
    • securitycentermanagement.securityCommandCenter.get
    • securitycenter.assets.group
    • securitycenter.assets.list
    • securitycenter.attackpaths.list
    • securitycenter.complianceReports.aggregate
    • securitycenter.findings.group
    • securitycenter.findings.list
    • securitycenter.simulations.get
    • securitycenter.userinterfacemetadata.get
    • securitycenter.valuedresources.list

  8. ClickAdd.

  9. ClickCreate.

gcloud

  1. In a terminal, run the followinggcloud command to create the role:
gcloudiamrolescreateaip.essentials\--organization=ORGANIZATION_ID\--title="AIP Essentials"\--description="Grants supporting permissions required to view AIP dashboard and data."\--permissions="cloudasset.assets.searchEnrichmentResourceOwners,cloudasset.othercloudconnections.get,cloudasset.othercloudconnections.list,resourcemanager.organizations.get,resourcemanager.projects.get,securitycentermanagement.securityCommandCenter.get,securitycenter.assets.group,securitycenter.assets.list,securitycenter.attackpaths.list,securitycenter.complianceReports.aggregate,securitycenter.findings.group,securitycenter.findings.list,securitycenter.simulations.get,securitycenter.userinterfacemetadata.get,securitycenter.valuedresources.list"\

ReplaceORGANIZATION_ID with your organizationID.

Grant administrator access to a user

After you create theAIP Essentials custom role, grant it along with therequired predefined roles to users who need administrator access.

Console

  1. In the Google Cloud console, go to theIAM page.

Go to IAM

  1. ClickGrant Access.
  2. In theNew principals field, enter the user's email address.
  3. In theSelect a role drop-down, search for and add each of thefollowing roles:
    • DSPM Admin (roles/dspm.admin)
    • Model Armor Admin (roles/modelarmor.admin)
    • Model Armor Floor Settings Admin(roles/modelarmor.floorSettingsAdmin)
    • Cloud Security Compliance Admin(roles/cloudsecuritycompliance.admin)
    • Security Center Findings Viewer(roles/securityCenter.findingsViewer)
    • Monitoring Viewer (roles/monitoring.viewer)
    • Cloud Asset Viewer (roles/cloudasset.viewer)
    • The customAIP Essentials role you created.
  4. ClickSave.

gcloud

  1. In a terminal, run the following commands, one for each role:
gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID\--member="user:USER_EMAIL"\--role="roles/dspm.admin"gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID\--member="user:USER_EMAIL"\--role="roles/modelarmor.admin"gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID\--member="user:USER_EMAIL"\--role="roles/modelarmor.floorSettingsAdmin"gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID\--member="user:USER_EMAIL"\--role="roles/cloudsecuritycompliance.admin"gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID\--member="user:USER_EMAIL"\--role="roles/securityCenter.findingsViewer"gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID\--member="user:USER_EMAIL"\--role="roles/monitoring.viewer"gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID\--member="user:USER_EMAIL"\--role="roles/cloudasset.viewer"gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID\--member="user:USER_EMAIL"\--role="organizations/ORGANIZATION_ID/roles/aip.essentials"

Replace the following:

  • ORGANIZATION_ID:your organization ID.
  • USER_EMAIL: theuser's email address.

Predefined roles

To get the permissions that you need to configure AI Protection and view dashboard data, ask your administrator to grant you the following IAM roles on your organization:

For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

The following Google Cloud CLI commands can be used to assign the preceding roles to a user:

Assign roles using gcloud CLI

  • To grant the Security Center Admin role to a user, run the following command:

    gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID--member=user:USER_EMAIL_ID--role=roles/securitycenter.admin

  • To grant the Security Center Admin Viewer role to a user, run the following command:

    gcloudorganizationsadd-iam-policy-bindingORGANIZATION_ID--member=user:USER_EMAIL_ID--role=roles/securitycenter.adminViewer

    Replace the following:

    • ORGANIZATION_ID: the numeric organization ID
    • USER_EMAIL_ID: the email address of the user who requires access

Supported regions

For a list of regions where AI Protection is supported, seeRegionalendpoints.

Access for service accounts

Ensure that organization policies don't block any service accounts mentioned inthe following sections.

Set up AI Protection

Complete the following to enable AI Protection at the organization level:

Premium

  1. If you haven't activated Security Command Center in your organization,thenActivateSecurity Command Center Premium.
  2. After activating the Premium service tier of Security Command Center, set upAI Protection by going toSettings>Manage Settingson the AI Protection card.

    Go to AI Protection settings

  3. Enablediscovery of theresources that you want to protect with AI Protection.
  4. Check your AI security dashboard by going toRisk Overview>AI Security.
Note: After you finish onboarding, if a critical service is disabled, the dashboard provides instructions for the specific service and where to configure it. For more information, seeActivate and configure Google Cloud services.Note: After all the required services are activated and configured, the AI Security dashboard might take some time to reflect the data from your AI assets.

Enterprise

  1. If you haven't activated Security Command Center in your organization,thenActivateSecurity Command Center Enterprise.
  2. After activating the Enterprise service tier of Security Command Center, set upAI Protection by using the guidance in theSCC Setup Guide.

    Go to Setup guide

    1. Expand theReview security capabilities summary panel.
    2. From theAI protection panel, clickSet up.
    3. Follow the directions to check whether required and dependent services forAI Protection are configured. To understand what isautomatically enabled and what requires additional configuration, seeActivate and configure Google Cloudservices.
  3. Enablediscovery of theresources that you want to protect with AI Protection.
Note: After all the required services are activated and configured, the AI Security dashboard might take some time to reflect the data that comes from your AI assets.

Activate and configure Google Cloud services

After activating Security Command Center Premium or Enterprise, activate and configure additionalGoogle Cloud services to use the full capabilities of AI Protection.

The following services are automatically activated:

  • Agent Engine Threat Detection (Preview)
  • AI Discovery service
  • Attack Path Simulations
  • Cloud Audit Logs
  • Cloud Monitoring
  • Compliance Manager
  • Event Threat Detection
  • Data Security Posture Management
  • Notebook Security Scanner
  • Sensitive Data Protection

The following services are required for AI Protection:

Some of these services require additional configuration, as outlined in thefollowing sections.

Configure AI Discovery service

AI Discovery service is automatically activated as part ofSecurity Command Center Enterprise onboarding. The Monitoring Viewer(roles/monitoring.viewer) IAM role is provided, but check that it's applied to the Security Command CenterEnterprise organization service account.

Permissions required for this task

To perform this task, you must have been granted the following permissionsor the following IAM roles.

Roles

  • roles/monitoring.viewer

  1. In the Google Cloud console, go to theIAM page.

    Go to IAM

  2. ClickGrant Access.

  3. In theNew principals field, enter the Security Command Center Enterpriseorganization service account. The service account uses the formatservice-org-ORG_ID@security-center-api.gserviceaccount.com ReplaceORG_ID with yourorganization ID.

  4. In theSelect a role field, selectMonitoring Viewer.

  5. ClickSave.

Configure advanced DSPM cloud controls

Configure DSPM with advanced cloud controls for dataaccess, flow, and protection. For more information, seeDeploy advanced data security cloud controls.

When creating a custom framework that applies to AI workloads, include thesecloud controls:

  • Data Access Governance: Restrict access tosensitive data to specific principals, such as users or groups. You specifyallowed principals usingIAM v2 principal identifiersyntax. For example, you can create a policyto allow only members ofgdpr-processing-team@example.com to access specificresources.
  • Data Flow Governance: Restrict data flow to specific regions.For example, you can create a policy to allow data to be accessed only fromthe US or EU. You specify the allowed country codes using Unicode CommonLocale Data Repository (CLDR).
  • Data Protection (with CMEK): Identifyresources created without customer-managed encryption keys (CMEK) and receiverecommendations. For example, you can create a policy to detect resourcescreated without CMEK forstorage.googleapis.com andbigquery.googleapis.com.This policy detects unencrypted assets but doesn't prevent them from beingcreated.

Configure Model Armor

  1. Enable themodelarmor.googleapis.com service for each project that usesgenerative AI activity. For more information, seeGet started withModel Armor.
  2. Configure the following settings to define security and safety settings forlarge language model (LLM) prompts and responses:
    • Model Armortemplates: Create aModel Armor template.These templates define the types of risksto detect, such as sensitive data, prompt injections, and jailbreakdetection. They also define the minimum thresholds for those filters.
    • Filters: Model Armor uses various filters to identifyrisks, including malicious URL detection, prompt injection and jailbreakdetection, and sensitive data protection.
    • Floor settings: Configure the project-level floor settings toestablish default protection for all Gemini models.
Caution: If you didn't configure Model Armor for any of the projects in the organization or didn't create a template, the Model Armor widgets in the AI Security dashboard won't display any data.

Configure Notebook Security Scanner

Permissions required for this task

To perform this task, you must have been granted the following permissionsor the following IAM roles.

Roles

  • Dataform Viewer
  1. Enable the Notebook Security Scanner service for your organization. For moreinformation, seeEnable Notebook SecurityScanner.
  2. Grant the Dataform Viewer role (roles/dataform.viewer) tonotebook-security-scanner-prod@system.gserviceaccount.com on all projects that containNotebooks.

Configure Sensitive Data Protection

Enable thedlp.googleapis.com API for your project and configureSensitive Data Protection to scan for sensitive data.

Permissions required for this task

To perform this task, you must have been granted the following permissionsor the following IAM roles.

Roles

  • DLP Reader
  • DLP Data Profiles Admin

  1. Enable the Data Loss Prevention API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    Enable the API

  2. Grant theDLP Reader andDLP Data Profiles Admin roles to AI Protectionusers.

  3. ConfigureSensitive Data Protectionto scan for sensitive data.

Optional: Configure additional high-value resources

To create a resource value configuration, follow the steps inCreate a resource value configuration.

When the next attack path simulation runs, it covers the high-value resource setand generates attack paths.

Limitations

Premiumservice tier

AI Protection for the Security Command Center Premium tier has the followinglimitations for environments that are enabled for data residency:

  • AI Protection requires manual activation. AI Protectiondoesn't scan for threats or provide threat protection for these environmentsuntil activated.
  • You cannot access the AI Security dashboard or the AI Assets page. Both ofthese are disable for these environments.

For more information on data residency, seePlanning for data residency.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.