Cybersecurity: we secure IT systems and AI deployments
Pimento performs security audits and hardening of IT systems and AI deployments - including protection against attacks specific to language models: prompt injection, data leakage and agent abuse. We design security in from day one, not bolt it on at the end.
What is AI security and how does it differ from classic security?
Systems built on language models have new classes of vulnerabilities. Prompt injection is an attack where a malicious instruction hidden in data takes control of the model's behaviour. Data leakage is the model revealing information it shouldn't. Jailbreaking means bypassing the model's built-in safeguards. Classic security tooling doesn't see these attacks - AI deployments need their own protection layer.
What do the audit and hardening cover?
We audit systems and AI deployments: configuration, access control, data isolation and the model's resistance to attacks. After the audit we harden - closing the gaps found, limiting agent permissions and putting monitoring in place. We secure both what we build and the systems you already have.
EU AI Act and GDPR compliance in practice
We classify the AI system under the AI Act risk categories, prepare the required technical documentation and design human oversight of the system's decisions. We're not a certification body - we build and secure systems so that they meet the regulatory requirements.
On-premise vs cloud security
An on-premise deployment shrinks the attack surface related to handing data to external providers, but requires securing your own infrastructure. In the cloud, configuration, encryption and access control are key. We secure both scenarios as well as hybrid setups.
Questions about this service
AI Act obligations come into force in stages and depend on the system's risk category - some provisions already apply, and requirements for high-risk systems phase in gradually. During the audit we determine which categories and deadlines apply to your systems.
Usually not - most chatbots and internal assistants are limited-risk systems, covered mainly by transparency obligations. Classification depends on the use case though: systems affecting e.g. employment or access to services can be high-risk, so we assess each case individually.
Layered protection works: separating instructions from data, limiting the agent's permissions and tools, filtering input and output, and resilience testing (red teaming). A single filter is not enough.
Not always - a large part of the audit runs on a test environment or a copy of the configuration. We agree the access scope before the start and put it in the contract.
Let's talk about your project
A free consultation - no strings attached, focused on your case.