Basic Concept: API-based AI systems are susceptible to DoS attacks where excessive requests overwhelm the system ' s ability to respond to legitimate users. Rate limiting is the standard control for preventing both intentional and unintentional API abuse. CompTIA SecAI+ Study Guide covers rate limiting as a key availability control for AI APIs.

Why C is Correct: Rate limiting restricts the number of requests a client can make to an API within a defined time window. In this scenario, a brute-force DoS attack works by sending a massive volume of requests to exhaust the model ' s resources. Rate limiting would have automatically throttled or blocked the excessive request volume, preventing the attack from succeeding and preserving service availability for legitimate hospital users.

Why A is Wrong: Tokenization replaces sensitive data values with non-sensitive placeholders. It is a data security control for protecting sensitive information such as patient identifiers, not a control for managing API request volumes or preventing DoS attacks.

Why B is Wrong: Model guardrails filter and constrain model inputs and outputs for safety and policy compliance. They inspect content quality, not request volume, and cannot prevent a volume-based DoS attack.

Why D is Wrong: A prompt firewall inspects the content of prompts for malicious patterns or policy violations. Like guardrails, it analyzes content rather than controlling request frequency and cannot prevent resource exhaustion from a high-volume brute-force attack.