Integrate TrendAI Vision One™ AI Guard within your application to scan your AI usage for harmful content generation, sensitive information leakage, and prompt injections.
For TrendAI-hosted integration, see Integrate Trend-hosted AI Guard. For data sovereignty, deploy and host AI Guard in your Amazon Web Services (AWS) environment or a Kubernetes cluster. TrendAI Vision One™ receives only the scan results.
AI Guard uses credits for model scanning. Plan monthly credit usage based on expected model scans.

Deploy on AWS

Prerequisites:
  • You must have a TrendAI Vision One™ role with permission to create API keys and run scans.
  • Verify that your AWS account has enough quota for on-demand G and VT instance types. TrendAI™ recommends adding a buffer to handle potential changes in instance sizing.
  • Enable CloudWatch logging permissions in your AWS account.

Procedure

  1. Go to Cloud Security > Cloud Accounts > AWS to connect or update your AWS account.
  2. To configure a new AWS account:
    1. Click Add Account.
    2. For Deployment Method, select CloudFormation.
    3. Select the account type:
      • Single AWS Account
      • AWS Organization
    4. Provide an Account name and Description to display in Cloud Accounts.
    5. Specify the Organizational Unit ID. When you add the AWS Organization, all member accounts without a specified alias in AWS receive an automatically generated name in Cloud Accounts.
  3. To configure an existing AWS account:
    1. Click Update AWS account then click the account name.
    2. In Cloud Accounts Settings, click the Stack Update tab.
  4. Select the AWS region for CloudFormation template deployment.
  5. To add custom tags to the resources deployed by TrendAI Vision One™, select Resource tagging and specify the key-value pairs.
    • To add up to three tags, click Create a new tag.
  6. Click Next.
  7. Enable AI Application Security.
  8. Select the Deployment.
  9. Select Enable AI Guard.
  10. In a new tab in the same browser session, sign in to the AWS account you want to connect using a role that has administrator privileges.
  11. For an existing AWS account:
    1. Under Update the CloudFormation template, click Copy S3 URL.
    2. If the API key has expired, click Copy Vision One API key then replace the API key in CloudFormation. The TrendAI Vision One™ API key is valid for 90 days.
    3. To review the template before deploying, click Download and Review Template.
    4. Go to Stacks and click the stack name for the stack you want to update.
      • Vision-One-Cloud-Account-Management
    5. Click Update.
    6. Select Replace current template.
    7. Paste the template S3 URL into Amazon S3 URL.
    8. Click Next.
  12. For a new AWS account:
    1. Click Next.
    2. To use automated deployment:
      1. Select Automated for the deployment type.
      2. Click Launch stack to launch the CloudFormation template in the AWS console.
      3. Complete the steps in Quick Create Stack.
    3. To use manual deployment:
      1. Select Manual for the deployment type.
      2. Click Download the template and stack parameters as a .zip.
      3. Go to Stacks under CloudFormation.
      4. Create a new stack using the parameters in the .zip file.
  13. In TrendAI Vision One™, click Done.
  14. In another tab, log in to the AWS management console and open the CloudFormation stack.
  15. Go to the Outputs tab and copy the GuardAPIEndpoint.
  16. Integrate AI Guard with your application. Refer to the following code snippet for the integration.
    import os
    import requests
    
    # Get your TrendAI Vision One™ API key from environment variable
    api_key = os.environ.get("V1_API_KEY")
    if not api_key:
        raise ValueError("Missing V1_API_KEY environment variable")
    
    # Get your TrendAI™ AI Guard URL from environment variable
    ai_guard_url = os.environ.get("AI_GUARD_URL")
    if not ai_guard_url:
        raise ValueError("Missing AI_GUARD_URL environment variable")
    
    # Configure headers
    headers = {
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
        "TMV1-Application-Name": "your-application-name"  # Required
    }
    
    # Prepare the payload
    payload = {
        "prompt": "Your prompt or message here"
    }
    
    # Copy AI Guard URL from AWS template Stack Output
    url = f"{ai_guard_url}"
    
    # Make the API request
    response = requests.post(
        url,
        headers=headers,
        json=payload,
        timeout=30  # Without a timeout, requests can wait indefinitely
    )
    
    # Check response status
    if response.status_code == 200:
        result = response.json()
    
        # API returns action and optional reasons
        action = result.get("action")
        reasons = result.get("reasons", [])
    
        if action == "Allow":
            print("Request allowed by AI Guard")
        elif action == "Block":
            print("Request blocked by AI Guard")
            print(f"Reasons: {', '.join(reasons)}")
    
        print(f"Response ID: {result.get('id')}")
    else:
        print(f"Error: {response.status_code} - {response.text}")
    
    • Set the AI_GUARD_URL value using the value from GuardAPIEndpoint.

    Request options

    | Parameter | Values | Description |
    | --- | --- | --- |
    | Request type | Simple request or OpenAI chat formats | Select with TMV1-Request-Type header. |
    | Response detail | Minimal or representation | Control with Prefer header. |
    | Auth | Bearer API key | Authorization: Bearer <token>. |
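
The snippet in step 16 does nothing when `action` is neither of the two strings it checks, and the troubleshooting table on this page writes the value as `action=block`. The following is an added example, not TrendAI's code, of a gate that fails closed: only an explicit allow lets the prompt through, while auth errors, malformed responses, unknown actions and timeouts all block. The function names, the case-insensitive comparison, the 10-second timeout and the use of `urllib` are assumptions; the headers and response fields are the ones in the snippet above.

```python
import json
import os
import urllib.error
import urllib.request


def interpret(status, body):
    """Map an AI Guard HTTP result to (allowed, detail); anything unclear blocks."""
    if status in (401, 403):  # invalid/expired key or role lacks permission
        return False, f"auth error {status}: check API key and role"
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    try:
        result = json.loads(body)
    except (TypeError, ValueError):
        result = None
    if not isinstance(result, dict):
        return False, "response is not a JSON object"
    action = str(result.get("action", "")).strip().lower()
    if action == "allow":
        return True, f"allowed (id={result.get('id')})"
    if action == "block":
        return False, "blocked: " + ", ".join(map(str, result.get("reasons") or []))
    return False, f"unrecognized action {result.get('action')!r}"


def http_post(url, headers, payload, timeout=10):
    """Standard-library transport; returns (status, body) even for 4xx/5xx."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def scan_prompt(prompt, app_name, post=http_post):
    """Return (allowed, detail); an unreachable guard or a timeout fails closed."""
    headers = {
        "Authorization": f"Bearer {os.environ['V1_API_KEY']}",
        "Content-Type": "application/json",
        "TMV1-Application-Name": app_name,
    }
    try:
        status, body = post(os.environ["AI_GUARD_URL"], headers, {"prompt": prompt})
    except OSError as err:  # URLError, connection resets and timeouts
        return False, f"guard unreachable: {err}"
    return interpret(status, body)
```

Call `scan_prompt()` before forwarding a prompt to the model and forward it only when the first element of the result is `True`.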

Disable self-hosted AI Guard in AWS

Procedure

  1. Go to Cloud Security > Cloud Accounts > AWS.
  2. Record which accounts have the AI Security feature enabled.
  3. In Cloud Accounts Settings, click the Stack Update tab.
  4. Disable AI Application Security.
  5. Under Update the CloudFormation template, click Copy S3 URL.
  6. Go to Stacks and click the stack name for the stack you want to update.
    • Vision-One-Cloud-Account-Management
  7. Click Update.
  8. If the API key has expired, click Copy Vision One API key then replace the API key in CloudFormation. The TrendAI Vision One™ API key is valid for 90 days.
  9. Verify removal of the AI Security feature stack.

Next steps

Troubleshooting

| Issue | Cause | Action |
| --- | --- | --- |
| 401 or 403 from API | Invalid or expired API key; role lacks permissions | Re‑generate key or assign a role with AI Guard scan permission. |
| action=block unexpectedly | Policy too aggressive | Lower to Moderate or adjust category toggles. |
| No results in TrendAI Vision One™ | Self‑hosted not connected or CloudFormation not applied | Re‑run Update AWS account and confirm stack completed. |
| Parsing errors | Wrong TMV1-Request-Type for payload | Match header to request format. |

Deploy on a Kubernetes cluster

Prerequisites:
  • A TrendAI Vision One™ role with permission to create API keys and run scans
  • GPU-enabled AMD64 nodes with NVIDIA drivers supporting CUDA 12 or later
    ARM64 architecture is not supported in preview.
  • NVIDIA device plugin for Kubernetes installed on the GPU nodes, and a Kubernetes RuntimeClass named nvidia created with handler nvidia
  • Kubernetes version 1.24 or later
  • Helm 3.0+ installed
  • At least 1 GPU and 16 GB of memory available for one replica of AI Guard

Procedure

  1. Go to AI Security > AI Application Security.
  2. Click the AI Guard tab then click Set Up.
  3. Click Add a Cluster. Each customer has a limit of 25 clusters.
  4. Provide the Cluster name. Each cluster name must be unique across your organization and have a maximum of 64 characters. If a cluster name is already in use, provide a different name.
  5. Click Update.
  6. Add a short Description with up to 129 characters.
  7. Click Update.
  8. Copy the overrides file content and save it as overrides.yaml.
  9. Run the following command in your terminal to deploy AI Guard into your cluster:
    helm install ai-guard oci://public.ecr.aws/trendmicro/ai-security/ai-guard-chart \
    --version <version> \
    -f overrides.yaml \
    -n trend-ai-security --create-namespace
    • When deployment completes, your cluster appears in the AI Guard dashboard.
    • The device token expires in seven days.
  10. Use the following commands to verify the deployment is ready:
    | Verification | Command |
    | --- | --- |
    | Pods are running | kubectl get pods -n trend-ai-security |
    | All containers are ready | kubectl describe pod -n trend-ai-security -l app.kubernetes.io/name=ai-guard |
    | Local test | kubectl port-forward svc/ai-guard 8080:8080 -n trend-ai-security |
    | Health endpoint in another terminal | curl http://localhost:8080/health |
  11. On the AI Guard tab, click the gear icon to view a list of your clusters and their current status.
    | Status | Meaning |
    | --- | --- |
    | Ready | Your cluster is registered, but AI Guard has not been deployed yet. |
    | Active | AI Guard is deployed and running on this cluster. |
    | Inactive | AI Guard was previously active, but has not reported any usage in the last 15 minutes. This may indicate the deployment was removed or the cluster is unreachable. |

Upgrade a cluster

Procedure

  1. On the AI Guard tab, click the gear icon then click the Version Control tab to determine whether the Component version is behind the Latest component version.
    • If the Component version matches the Latest component version, you do not need to do anything.
    • If the Component version is behind the Latest component version, continue with the steps below.
  2. Click Copy latest helm script.
  3. In a terminal with kubectl access to the target cluster, run one of the following upgrade commands:
    • If you have your original overrides.yaml, use this command:
      helm upgrade ai-guard oci://public.ecr.aws/trendmicro/ai-security/ai-guard-chart \
      --version <latest-version> \
      -f overrides.yaml \
      -n trend-ai-security
    • If you no longer have overrides.yaml, use this command:
      helm upgrade ai-guard oci://public.ecr.aws/trendmicro/ai-security/ai-guard-chart \
      --version <latest-version> \
      --reuse-values \
      -n trend-ai-security
  4. Wait for the rollout to complete.
    kubectl rollout status deployment/ai-guard -n trend-ai-security
  5. On the AI Guard tab, click the gear icon then click the Version Control tab to confirm that the cluster's Component version and Last updated time have updated.

Remove a cluster

Procedure

  1. Remove the Helm deployment from your Kubernetes cluster:
    helm uninstall ai-guard -n trend-ai-security
  2. If no other workloads use the namespace, delete it.
    kubectl delete namespace trend-ai-security
  3. Deregister the cluster from the portal:
    1. Select the clusters you want to remove.
      Select all selects only the clusters visible on the current page.
    2. Click Delete.
    3. Review the list of clusters you are removing, then click Confirm.