Integrate AI Guard within your application to scan your AI usage for harmful content
generation, sensitive information leakage, and prompt injections.
For Trend-hosted integration, see Integrate Trend-hosted AI Guard. For data sovereignty, deploy and host the Trend Micro Artifact Scanner in your AWS
environment. Trend Vision One receives only the scan results.
AI Application Security uses credits for model scanning. Plan monthly credit usage based on expected model scans.
Prerequisites:
-
A Trend Vision One role with permission to create API keys and run scans.
-
Verify that your AWS account has enough quota for on-demand G and VT instance types. Trend Micro recommends adding a buffer to handle potential changes in instance sizing.
-
Enable CloudWatch logging permissions in your AWS account..
Procedure
- Go to to connect or update your AWS account.
- To configure a new AWS account:
- Click Add Account.
- For Deployment Method, select CloudFormation.
- Select the account type:
-
Single AWS Account
-
AWS Organization
-
- Provide an Account name and Description to display in Cloud Accounts.
- Specify the Organizational Unit ID. When you add the AWS Organization, all member accounts without a specified alias in AWS receive an automatically generated name in Cloud Accounts.
- To configure an existing AWS account:
- Click Update AWS account then click the account name.
- In Cloud Accounts Settings, click the Stack Update tab.
- Select the AWS region for CloudFormation template deployment.
- To add custom tags to the resources deployed by Trend Vision One, select Resource tagging and specify the key-value pairs.
-
To add up to three tags, click Create a new tag.
-
- Click Next.
- Enable AI Application Security.
- Select the Deployment.
- Select Enable AI Guard.
- In a new tab in the same browser session, sign in to the AWS account you want to connect using a role that has administrator privileges.
- For an existing AWS account:
- Under Update the CloudFormation template, click Copy S3 URL.
- If the API key has expired, click Copy Vision One API key then replace the API key in CloudFormation. The Trend Vision One API key is valid for 90 days.
- To review the template before deploying, click Download and Review Template.
- Go to Stacks and click the stack name for the stack you want to update.
-
Vision-One-Cloud-Account-Management
-
- Click Update.
- Select Replace current template.
- Paste the template S3 URL into Amazon S3 URL.
- Click Next.
- For a new AWS account:
- Click Next.
- To use automated deployment:
-
Select Automated for the deployment type.
-
Click Launch stack to launch the CloudFormation template in the AWS console.
-
Complete the steps in Quick Create Stack.
-
- To use manual deployment:
-
Select Manual for the deployment type.
-
Click Download the template and stack parameters as a .zip.
-
Go to Stacks under CloudFormation.
-
Create a new stack using the parameters in the .zip file.
-
- In Trend Vision One, click Done.
- In another tab, log in to the AWS management console and open the CloudFormation stack.
- Go to Outputs tab and copy the GuardAPIEndpoint.
- Integrate AI Guard with your application. Refer to the following code snippet for
the integration.
import os import requests # Get your Trend Vision One API key from environment variable api_key = os.environ.get("V1_API_KEY") if not api_key: raise ValueError("Missing V1_API_KEY environment variable") # Get your Trend Micro AI Guard URL from environment variable ai_guard_url = os.environ.get("AI_GUARD_URL") if not ai_guard_url: raise ValueError("Missing AI_GUARD_URL environment variable") # Configure headers headers = { "Authorization": f"Bearer {api_key}", "Content-Type": "application/json", "TMV1-Application-Name": "your-application-name" # Required } # Prepare the payload payload = { "prompt": "Your prompt or message here" } # Copy AI Guard URL from AWS template Stack Output url = f"{ai_guard_url}" # Make the API request response = requests.post( url, headers=headers, json=payload ) # Check response status if response.status_code == 200: result = response.json() # API returns action and optional reasons action = result.get("action") reasons = result.get("reasons", []) if action == "Allow": print("Request allowed by AI Guard") elif action == "Block": print(f"Request blocked by AI Guard") print(f"Reasons: {', '.join(reasons)}") print(f"Response ID: {result.get('id')}") else: print(f"Error: {response.status_code} - {response.text}")-
Set the AI_GUARD_URL value using the value from GuardAPIEndpoint.
Request options
ParameterValuesDescriptionRequest typeSimple request or OpenAI chat formatsSelect withTMV1-Request-Typeheader.Response detailMinimal or representationControl withPreferheader.AuthBearer API keyAuthorization:Bearer <token>.For more information, see the AI Guard API Reference and code examples and the Trend Micro Automation Center. -
Disable self-hosted AI Guard 
Procedure
- Go to Cloud SecurityCloud AccountsAWS.
- Record which accounts have the AI Security feature enabled.
- In Cloud Accounts Settings, click the Stack Update tab.
- Disable AI Application Security.
- Under Update the CloudFormation template, click Copy S3 URL.
- Go to Stacks and click the stack name for the stack you want to update.
-
Vision-One-Cloud-Account-Management
-
- Click Update.
- If the API key has expired, click Copy Vision One API key then replace the API key in CloudFormation. The Trend Vision One API key is valid for 90 days.
- Verify removal of the AI Security feature stack.
Next steps
Troubleshooting
|
Issue
|
Cause
|
Action
|
|
401 or 403 from API
|
Invalid or expired API key; role lacks permissions
|
Re‑generate key or assign a role with AI Guard scan permission.
|
|
action=block unexpectedly
|
Policy too aggressive
|
Lower to Moderate or adjust category toggles.
|
|
No results in Trend Vision One
|
Self‑hosted not connected or CloudFormation not applied
|
Re‑run Update AWS account and confirm stack completed.
|
|
Parsing errors
|
Wrong
TMV1-Request-Type for payload |
Match header to request format.
|