Securely deploying AI at the network edge - ITSP.80.101

Effective date

This publication takes effect on July 15, 2026.

This is an UNCLASSIFIED publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre).

For more information, contact the Cyber Centre:

Revision history

  1. First release: July 15, 2026.
 

This publication sets out practical cyber security priorities for organizations that develop, deploy or operate artificial intelligence (AI) systems at the network edge. It is intended for practitioners, such as information technology (IT) and operational technology (OT) security managers, administrators and analysts, who are responsible for securing edge AI deployments. Appendix A introduces core edge AI categories and Appendix B provides representative use cases across sectors.

This publication is designed to complement and extend the Canadian Centre for Cyber Security’s (Cyber Centre) foundational AI security guidance Top 10 artificial intelligence security actions: A primer (ITSAP.10.049), which addresses AI security for general organizational contexts. This publication is organized into the same three security pillars that underpin ITSAP.10.049:

  • Pillar 1: Protecting against adversarial use of AI
  • Pillar 2: Protecting AI systems
  • Pillar 3: Protecting users and business processes

We expect these pillars to remain foundational as AI technologies and threats evolve. Rather than referencing specific action numbers from ITSAP.10.049, which may periodically be revised, this publication aligns conceptually with those pillars, pointing readers to the relevant thematic areas where appropriate.

Table of contents

Edge AI  

Edge AI refers to AI that performs inference and decision-making on or near the device where data is generated, such as:

  • smartphones with on-device assistants
  • industrial gateways and controllers
  • autonomous vehicles and drones
  • smart sensors
  • medical diagnostic devices

AI models are usually trained centrally, in the cloud or on premises, and then deployed to the network edge.

In practice, edge AI is often hybrid. Devices process data locally but rely on the cloud for model updates, orchestration, telemetry or fallback support. Edge AI is defined more by local inference and decision-making than by total independence from the cloud. Organizations adopt edge AI because of its low latency, reduced bandwidth use, and stronger data residency. It is also resilient in the event of connectivity loss and offers mission-critical autonomy as well as potentially lower costs. However, privacy is not guaranteed with edge AI, and the total cost of ownership can include the cost of shifting to device hardware, energy, and fleet lifecycle management.

Edge AI creates distinct security and safety challenges, which may include:

  • local processing can expose models and data to attackers
  • offline operation can delay patching and oversight
  • data may be less private
  • autonomous systems may act faster than humans can intervene

These combined challenges can produce a materially different risk profile from cloud AI, especially where devices operate in untrusted environments or controlled physical systems.

 

Cyber security guidelines for edge AI

The guidelines below represent a practical baseline for organizations deploying edge AI. Organizations may require additional technical, procedural and assurance controls, especially for sensitive or mission-critical systems. You should apply supplementary controls wherever the consequences of compromise, malfunction or misuse are severe.

These guidelines are organized into pillars, consistent with ITSAP.10.049:

  • Pillar 1: Protecting against adversarial use of AI addresses how adversaries can exploit AI systems and how organizations can use detection and monitoring to respond
  • Pillar 2: Protecting AI systems focuses on securing models, software pipelines, devices, identities and supply chains
  • Pillar 3: Protecting users and business processes addresses safety, privacy, resilience and human oversight

Pillar 1: Protecting against adversarial use of AI

This pillar addresses the reality that adversaries can use AI to conduct faster, more adaptive and more frequent attacks. Edge AI devices are especially exposed because they often operate in public or uncontrolled environments and may be difficult to patch or supervise continuously. Organizations should emphasize rapid detection, behavioural monitoring and adaptive protection at the device and fleet level.

Behaviour-based detection and protection of edge devices

Objective: Detect and disrupt abnormal or malicious behaviour affecting edge devices, including attacks that adapt over time or use AI to evade static controls.

Deploy security controls that can identify suspicious behaviour rather than relying only on fixed signatures or static rules. Monitor device processes, network activity, command sequences, sensor outputs and usage patterns for signs of deviation from normal operation. Where feasible, use device- or fleet-level baselines so unusual behaviour can be flagged quickly even when a specific attack is not yet known.

Prioritize protections that can respond dynamically, such as policy-based isolation, automated containment, rate limiting or failsafe mode activation when defined thresholds are exceeded. In environments with intermittent connectivity, ensure local protections can still function when cloud-based security services are unavailable. Review detections regularly to refine thresholds, reduce noise and adapt to changing device roles and operating conditions.

Small and medium-sized organizations should:

  • enable built-in endpoint detection and response (EDR) or antivirus (for example, Microsoft 365 Defender)
  • use simple network anomaly tools or a firewall’s intrusion prevention system to flag unusual device traffic
  • start with basic rules (like new outbound connections and central processing unit (CPU) spikes) and auto-quarantine when these are triggered.

IT security practitioners should:

  • build per-device-class baselines in your security information and event management (SIEM)
  • deploy EDR where supported
  • use OT and Internet of Things (IoT) network intrusion detection for industrial equipment
  • write detection rules for output distribution shifts, unusual protocol uses and sudden inference-rate changes

Continuous monitoring and anomaly detection

Objective: Gain visibility into edge AI behaviour and detect security or safety issues early.

Deploy monitoring capabilities on edge devices to capture both traditional security telemetry and AI-specific signals. At a minimum, collect authentication events, resource usage, connectivity anomalies and errors. You should also collect model-related metrics such as inference counts, confidence levels, latency, decision logs or autonomous actions taken. Ensure the data can be transmitted securely, including store-and-forward mechanisms for intermittent connectivity.

Define alert thresholds so serious events, such as failed integrity checks or dangerous deviations in behaviour, trigger immediate action. Lower-grade anomalies can then be reviewed without creating alert fatigue. Monitor for performance shifts, drift, unusual outputs or changing input patterns that may indicate sensor faults, adversarial interference or model degradation. Prepare AI-specific incident response playbooks so responsible teams know how to isolate, investigate and safely recover affected systems.

Small and medium-sized organizations should:

  • use a managed SIEM or built-in cloud monitoring (such as Microsoft 365 Defender, Azure Sentinel or Elastic Cloud)
  • collect system logs, application logs and basic health metrics
  • set alerts for version or digital fingerprint (hash) changes as well as error spikes

IT security practitioners should:

  • define a telemetry schema (device posture, firmware and model hashes, attestation results, sensor health and inference statistics)
  • sign and buffer logs and push to a SIEM
  • build dashboards and anomaly rules for drift, tampering, and connectivity gaps

Pillar 2: Protecting AI systems

This pillar focuses on securing the AI components, devices, software and supporting infrastructure that make edge AI possible. Because AI is often embedded in distributed devices, organizations need strong visibility, supply chain controls, integrity protections and identity governance to prevent compromise.

Identify and classify your edge AI assets

Objective: Know what edge AI systems you have, where they run and the impact if they fail or are compromised.

Conduct a comprehensive discovery exercise to identify all edge systems using any form of AI, including rule-based automation, machine learning (ML), computer vision, sensor fusion or embedded AI features, that may not be immediately apparent. For each edge system, document what it does, what could happen if it fails, whether it affects physical processes and whether fallback or manual control exists.

Classify systems into clear risk tiers (safety-critical, business-critical or operational) so you can prioritize security efforts. Record architectural details and dependencies, including whether systems are fully local, hybrid edge-cloud, gateway-based or federated. Maintain this as a living inventory and connect it to change management so new AI capabilities trigger review. This foundational step underpins every other security measure in this guidance.

Secure your AI supply chain and maintain a dynamic bill of materials

Objective: Know the origin and integrity of every component in your edge AI stack and be ready to replace or update them quickly.

Expand your inventory to include:

  • hardware
  • firmware
  • operating systems
  • AI models
  • libraries
  • dependencies
  • plug-ins
  • datasets
  • configuration files

Generate and maintain software bills of materials (SBOMs) and, where possible, model bills of materials (MBOMs) that capture provenance and versioning for AI components. Update SBOMs and MBOMs whenever systems change.

Vet third-party software, frameworks and pre-trained models before deploying them. This includes conducting vulnerability checks, supplier reviews and integrity validation through hashes or signatures. Monitor component vulnerabilities continuously and be prepared to patch, replace, disable or quarantine affected elements rapidly. Enforce that only approved and signed software and models can run on edge devices.

Govern non-human identities

Objective: Manage credentials and identities used by AI systems with the same rigour applied to human users.

Audit all AI agents, service accounts, bots, scripts and automated processes to determine how they authenticate and what they can access. Eliminate risky patterns such as shared human accounts, static credentials embedded in code or firmware and orphaned machine accounts that remain active after decommissioning.

Assign every AI system a unique identity, issue short-lived credentials where possible and automate rotation and revocation. Apply least privilege so AI agents can access only the systems, data or commands they genuinely require. In higher-assurance environments, tie identity issuance to device or workload attestation so credentials are granted only when the system is in a trusted state.

Secure model disposal and apply cryptographic erasure

Objective: Ensure retired edge AI devices and models cannot be mined for data, credentials or intellectual property.

Establish a formal decommissioning process for edge AI devices that includes secure wiping, verification, documentation and credential revocation. Where supported, use hardware-based cryptographic erasure by destroying or invalidating encryption keys so stored data and models become unreadable. In highly sensitive cases, physically destroy storage media.

Require secure storage and disposal capabilities during procurement so future devices support encryption and reliable key destruction. Also account for lost or stolen devices by enabling rapid remote wipe and immediate revocation of access. This extends security across the full lifecycle of the asset.

Harden AI models, agents and control logic against theft and tampering

Objective: Protect AI models and related control components on edge devices from theft, tampering and manipulation.

Use hardware-supported protections such as Secure Boot, full-disk encryption and trusted execution environments where available. Treat models, policies, configuration files and agent logic as critical software by signing them digitally and verifying signatures before loading. Where feasible, bind model or configuration encryption to individual devices so copied files cannot be reused elsewhere.

Continuously verify integrity and monitor for unusual performance changes that may indicate tampering, unauthorized modification or adversarial manipulation. Protect rules, prompts, configuration files and models from unauthorized change through logging, write protection, checksums or digital signatures. Regularly test scenarios such as spoofed sensor data, malicious configuration changes or deceptive inputs to confirm that safeguards, fail-safes and alerts work as intended.

Pillar 3: Protecting users and business processes

This pillar addresses privacy, safety, reliability and governance. It recognizes that AI can fail through drift, error, misuse or over-automation even when no malicious attack is involved. It emphasizes resilient processes and human control.

Implement data privacy and on-device processing controls

Objective: Reduce unnecessary exposure of sensitive data and maintain control over how personal or sensitive information is processed.

Map the dataflows of each edge AI system, including:

  • what data is collected
  • where data is stored
  • whether personal or sensitive information is involved
  • whether personal or sensitive information is transmitted to external servers or vendor platforms

Many devices ship with default cloud services enabled, so hidden data transfers must be identified and assessed.

Prioritize local or on-premises processing for sensitive data using compact models or small language models where feasible. When external processing is required, route data only to approved environments that meet privacy, security and jurisdictional requirements. Monitor outbound traffic for unexpected destinations, encrypt data in transit and minimize exposure through anonymization, aggregation or data minimization where possible.

Secure the operational and information technology boundary and implement fail-safes

Objective: Ensure that when AI is integrated with OT, safety and reliability do not depend solely on AI.

Identify every point where edge AI interacts with physical equipment or industrial control processes. For each interaction point, determine the worst-case outcome if the AI fails or behaves unexpectedly, and confirm whether a safe fallback exists that does not rely on the AI itself. Where gaps exist, add independent hardware or low-level safety controls such as emergency stops, spring-return valves or other default-safe mechanisms.

Test AI behaviour in simulated or controlled environments before live deployment, including under abnormal or adversarial conditions. Segment networks between AI and OT systems, tightly limit communications and monitor for unauthorized or anomalous commands. Apply restraint and use AI in OT only where it provides clear value that justifies the added complexity and risk.

Maintain human oversight and mechanical fail-safes

Objective: Ensure humans can intervene, override or shut down autonomous edge AI systems when necessary.

Implement accessible kill switches, override controls or independent shutdown mechanisms for every autonomous or safety-relevant edge AI system. These controls should not rely on the AI’s cooperation and should be tested regularly. Define where human approval is required before AI-initiated actions occur, especially for high-impact decisions.

Train operators to understand AI capabilities and limitations, including how to detect unreliable output, interpret alerts and assume manual control. Manage degrees of autonomy deliberately, assigning each system the appropriate level of independence for its risk profile. Maintain tamper-resistant logs of AI actions and human interventions so incidents and near-misses can be reviewed and used to improve both technology and process.

 

The “1 device” exercise — Applying this guidance

After reviewing these guidelines, apply them to one real edge AI device in your environment. Choose a representative or high-impact system and answer the following four questions:

  1. What decisions does the device make autonomously?
  2. What inputs influence those decisions?
  3. What happens if the device fails or is compromised?
  4. What fallback exists if the AI stops working or can no longer be trusted?

Document the findings and use them to prioritize action. If you discover weak or unvalidated inputs, strengthen detection, integrity controls and monitoring. If consequences are severe and fallback is weak, prioritize safety mechanisms, segmentation and human override. For sensitive, safety-critical or mission-critical systems, use this exercise to identify additional controls beyond those outlined in this publication to close residual gaps.

Summary

Edge AI offers significant operational benefits, but it also places more responsibility on the deploying organization for security, safety and resilience. By applying these edge AI cyber security guidelines, organizations can better defend against AI-enabled threats, secure their AI systems and supply chains, as well as preserve privacy, human oversight and operational continuity.

Under Pillar 1, organizations should improve visibility, dynamic detection and anomaly response to keep pace with increasingly adaptive attacks. Under Pillar 2, they should manage AI devices, models, components, identities and control logic as critical assets. Under Pillar 3, they should ensure that AI adoption does not erode privacy, safety, trust or human control. When implemented together, these guidelines can help organizations take a principled and adaptable approach to securing edge AI as technologies and threats continue to evolve.

Learn more

 

Appendix A: Key edge AI categories

The spectrum of AI technologies commonly deployed at the network edge can be vast.

To effectively secure edge AI, it is important to recognize the different types, or categories, of AI and ML techniques that may be running on your devices, since each has distinct vulnerabilities. Below is a summary of eight major AI categories found in edge deployments. These categories are not mutually exclusive; an edge device may use multiple AI types simultaneously.

  • Category A – Rule-based systems:
    • Description: these use human-defined if/then rules or logic (for example, simple expert systems, safety interlocks)
    • Vulnerability: attackers may tamper with the rules or thresholds themselves. Even without ML, manipulated rules can cause harmful outcomes if thresholds are altered (for example, changing a safety-alarm trigger from 150 pounds per square inch (PSI) to 500 PSI)
  • Category B – Search, planning and optimization:
    • Description: algorithms that systematically explore possible solutions or paths (for example, route planning or scheduling)
    • Vulnerability: input manipulation can mislead the planning process. For example, feeding incorrect map data to a pathfinding AI could send a robot or vehicle along an unsafe route
  • Category C – Probabilistic reasoning:
    • Description: AI that fuses data from multiple uncertain sources (for example, Bayesian or Kalman filters)
    • Vulnerability: subtle biasing of inputs can gradually skew estimates without triggering obvious alarms
  • Category D – Classic ML:
    • Description: traditional ML models (for example, decision trees, random forests or support vector machines)
    • Vulnerability: model files and data pipelines must be treated as critical software assets; an attacker might steal or alter an ML model on a device or manipulate how it processes data
  • Category E – Computer vision pipelines:
    • Description: systems that interpret images or video
    • Vulnerability: physical adversarial attacks, such as placing patterns in a camera’s view, can mislead the vision system without any digital compromise of the device
  • Category F – Deep learning (non-generative):
    • Description: deep neural networks used for prediction, classification or detection (for example, voice recognition, advanced driver-assistance systems)
    • Vulnerability: susceptible to adversarial examples and exploitation of software or hardware vulnerabilities in the ML framework
  • Category G – Generative AI and small language models (SLMs):
    • Description: AI that creates new content or interprets complex commands, which is now feasible on the edge with SLMs
    • Vulnerability: introduces unique threats such as prompt injection and output manipulation. In addition, malicious inputs could subvert instructions or cause generated outputs to trigger harmful downstream actions
  • Category H – Reinforcement learning and autonomy (agentic systems):
    • Description: AI agents that perceive, decide and act in a loop (for example, robotics, drones or autonomous vehicles)
    • Vulnerability: faces the broadest range of risks, combining physical tampering, adversarial inputs and model compromise with direct and immediate real-world consequences
 

Appendix B: Edge AI use cases (user and operator categories)

The following are representative categories of organizations or contexts that deploy edge AI, with example use cases:

  • Category 1 – Critical infrastructure operators:
    • Description: large-scale essential services and utilities
    • Examples: power grids, telecommunications networks, energy pipelines, nuclear facilities, transportation systems, as well as banking and financial transaction networks
    • Mapping example: A power grid operator (Category 1) using AI to predict equipment failures and optimize load distribution (Category C – Probabilistic reasoning) will therefore prioritize continuous anomaly monitoring, supply chain integrity of AI sensors, and robust failsafes to prevent cascading outages
  • Category 2 – Healthcare and medical devices:
    • Description: health sector entities deploying AI at points of care
    • Examples: hospitals using diagnostic AI devices, medical device manufacturers with smart monitoring implants, and health agencies using AI for bedside patient data analysis
    • Mapping example: A healthcare operator (Category 2) using AI to help diagnose X-ray images (Category E – Computer vision pipelines) will therefore prioritize data sovereignty and model monitoring for patient safety, as well as adversarial input controls to prevent misdiagnosis from manipulated imaging data
  • Category 3 – Industrial and manufacturing (industrial IoT):
    • Description: industrial companies using AI in OT environments
    • Examples: factories with AI-driven predictive maintenance sensors, robotic assembly lines, AI-based quality inspection systems, as well as industrial control systems with embedded ML
    • Mapping example: A manufacturer (Category 3) deploying AI-driven robotic assembly controlled by reinforcement learning agents (Category H – Reinforcement learning and autonomy) will therefore prioritize physical failsafes, human override mechanisms and hardening of on-device models against tampering
  • Category 4 – Smart cities and municipal services:
    • Description: public sector and urban infrastructure operators
    • Examples: city traffic control systems with AI-timed lights, environmental monitoring sensors with local analytics, public safety surveillance cameras with AI, and smart grid components in municipal utilities
    • Mapping example: A municipal operator (Category 4) using AI to optimize traffic light sequencing (Category B – Search, planning and optimization) will therefore prioritize integrity verification of input data feeds, transparency in automated decision logic, and human override capabilities
  • Category 5 – Consumer and small business:
    • Description: individuals and small firms using consumer-grade or small-scale edge AI
    • Examples: smart home devices (like security cameras, voice assistants or smart appliances), wearable health trackers, small business security systems, and smartphones with on-device AI features
    • Mapping example: A small business (Category 5) using an AI-enabled smart security camera system (Category E – Computer vision pipelines) will therefore prioritize vendor management for embedded AI components, data sovereignty to limit unnecessary cloud transmission, and privacy controls for individuals captured on camera
  • Category 6 – Automotive and transportation:
    • Description: use of edge AI in vehicles and transport systems
    • Examples: autonomous and semi-autonomous cars, advanced driver-assistance systems, AI in fleet management devices, delivery drones or unmanned aerial vehicles, and vehicle-to-everything communication systems
    • Mapping example: An automotive manufacturer (Category 6) deploying deep learning for advanced driver-assistance systems (Category F – Deep learning (non-generative)) will therefore prioritize adversarial robustness of perception models, cryptographic protection of over-the-air model updates, and failsafe mechanisms that default control to the human driver
  • Category 7 – Retail and physical security:
    • Description: retail industry and security service providers leveraging edge AI
    • Examples: AI-powered closed-circuit television and video analytics, facial recognition access control, smart point-of-sale (POS) kiosks, and autonomous inventory management robots
    • Mapping example: A retail operator (Category 7) using AI-powered facial recognition for access control (Category E – Computer vision pipelines) will therefore prioritize data privacy compliance, secure model disposal to protect biometric data, and continuous monitoring for model drift or spoofing attempts
  • Category 8 – Agriculture technology:
    • Description: farming and agricultural businesses deploying AI on equipment
    • Examples: Autonomous tractors and farm machinery, drones for crop monitoring and pesticide application, as well as edge sensors for soil monitoring and livestock tracking
    • Mapping example: An agricultural operator (Category 8) using AI-guided autonomous drones for crop monitoring (Category H – Reinforcement learning and autonomy) will therefore prioritize secure supply chain verification of drone firmware, device hardening against physical tampering in remote environments, and defined human override procedures
  • Category 9 – Defence and national security:
    • Description: government defence, military and security organizations using edge AI in the field
    • Examples: tactical drones and surveillance robots, AI-enabled communication equipment for troops, autonomous reconnaissance systems, and edge devices in secure military networks
    • Mapping example: A defence organization (Category 9) deploying AI for real-time tactical surveillance and autonomous decision support (Categories F and H – Deep learning and Reinforcement learning) will therefore prioritize cryptographic protection of on-device models, zero-trust identity management for autonomous agents, and anti-tamper controls on field-deployed devices
  • Category 10 – Financial services (edge computing):
    • Description: financial sector use of AI at edge locations
    • Examples: fraud detection algorithms running on automated teller machines or POS terminals, biometric authentication devices at bank branches, high-frequency trading systems at exchange edges, and edge analytics for real-time transaction processing
    • Mapping example: A financial institution (Category 10) using AI for real-time fraud detection at POS terminals (Category D – Classic ML) will therefore prioritize model integrity monitoring, secure update pipelines, and anomaly detection to identify when the fraud model's behaviour has been manipulated

Identifying your organization’s category (or combination of categories) will help you tailor these guidelines to your specific context. For instance, a healthcare operator may prioritize data sovereignty and model monitoring for patient safety, whereas a defence organization would heavily emphasize model hardening and human oversight of autonomous systems. You can use these categories as a starting point to focus your efforts where they matter most.

Date modified: