Basic Concept: When implementing guardrails for compliance purposes, organizations need a recognized framework or standard that provides authoritative guidance on what guardrails should address and how to implement them. Compliance guardrails require industry-recognized standards as their basis. The CompTIA SecAI+ Study Guide identifies OWASP as the primary reference for LLM application security controls, including guardrails.
Why B is Correct: OWASP publishes the OWASP Top 10 for Large Language Model Applications, a recognized industry resource that defines the most critical vulnerabilities in LLM applications and the guardrails needed to mitigate them. Using OWASP as the reference for compliance-required guardrails gives the implemented security controls a defensible, industry-standard basis. It satisfies compliance requirements with authoritative guidance on what the guardrails should prevent and how they should function.
Why A is Wrong: RAG is an AI architecture that enhances LLM responses with retrieved external context. It is a capability enhancement technique, not a framework for defining or implementing security guardrails for compliance purposes.
Why C is Wrong: LLM libraries are software development toolkits that provide functions for working with language models. While they may include built-in guardrail features, they are implementation tools, not the governance resource or standard that compliance guardrail requirements should be based upon.
Why D is Wrong: A SIEM is a security monitoring and alerting platform that aggregates and analyzes log data. It is a detection and monitoring tool, not a framework that defines what guardrails are required for LLM application compliance.