Disable AI Applications' Direct Access to External Public Data Sources
AI applications that handle classified (sensitive) information must not be able to reach out to external public data sources on their own.
Plain language
Some AI (artificial intelligence) applications can connect to the public internet to look things up or pull in outside information. When an AI application works with classified data (highly sensitive or restricted information), that direct connection to external public data sources must be switched off. This stops the AI from accidentally sending protected information out to the wider internet, and stops it pulling in untrusted outside content that could mislead it or expose your organisation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
OS, P, S, TS
ISM last updated
June 2026
Control Stack last updated
18 June 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
User Application Hardening
Official control statement
AI applications that process classified data have their ability to directly access external public data sources disabled.
Why it matters
If an AI application handling classified data can reach the public internet directly, it may leak sensitive information outside the organisation or ingest untrusted content, causing a serious data breach.
Operational notes
Re-verify these settings after every application or vendor update, since upgrades often re-enable external access by default and can silently undo the control.
Implementation tips
- The system owner should first identify which AI applications in the organisation process classified or sensitive data, and record each one in a simple register so it is clear which applications this control applies to.
- The IT team should turn off any built-in feature that lets these AI applications fetch information directly from the public internet, for example web browsing, live web search, or external plug-ins and connectors, by changing the application's configuration or admin settings.
- The IT administrator should use network controls such as firewall rules or an allow-list to block the AI application's servers from reaching external public addresses, so the restriction holds even if an application setting is changed by mistake.
- Where the AI application genuinely needs outside information, the IT team should route that data through an approved, controlled intermediary (for example a vetted internal data store or a reviewed feed) rather than letting the AI connect to public sources itself.
- The system owner should document the configuration in a short procedure and re-check the settings after every application update or upgrade, because vendor updates can quietly switch external access back on.
Audit / evidence tips
- Ask: the list of AI applications that process classified data. Look at: whether each one is named with its data classification and owner. Good: a current register that clearly maps each AI application to the sensitive data it handles.
- Ask: to see the configuration settings for each of those AI applications. Look at: whether web browsing, live search, external plug-ins and connectors are turned off. Good: a screenshot or exported config showing external public data access is explicitly disabled.
- Ask: the network or firewall rules that block these AI applications from reaching the public internet. Look at: whether the rules actually deny outbound external connections for the relevant systems. Good: rule sets plus a test result showing the connection is blocked.
- Ask: how outside information reaches the AI application when it is genuinely needed. Look at: whether it flows through an approved, controlled intermediary rather than a direct public link. Good: describes a vetted internal feed or store with named approvers.
- Ask: evidence the settings are re-checked after updates. Look at: change records or a checklist showing the control was verified following recent application upgrades. Good: shows dated re-verification tied to specific update events.
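The implementation tips and the audit tips above both come down to two checks: the AI application's own external-access features are off, and the egress rules for its hosts allow nothing but approved intermediaries before a default deny. The following is an added example of an offline compliance check for that pair of conditions; it is not code from the ISM, the Control Stack or any vendor. The application register entries, the feature-flag key names (`web_browsing`, `live_web_search`, `external_plugins`, `external_connectors`), the egress rule format and every address are constructed sample data, and the rules are assumed to be evaluated first-match.

```python
"""Added example (not ISM or vendor code): offline check that an AI application
processing classified data has no direct path to external public data sources.

Checks per register entry:
  1. feature flags that fetch from the public internet are all off;
  2. egress rules for the app's hosts only allow internal (RFC 1918) ranges or
     approved intermediaries, and end in a deny-all outbound rule.
All names, keys, rule fields and addresses are constructed sample data."""

import ipaddress
from dataclasses import dataclass, field

# Feature flags that grant direct external access (assumed key names, not a vendor schema).
EXTERNAL_ACCESS_FEATURES = ("web_browsing", "live_web_search",
                            "external_plugins", "external_connectors")

# RFC 1918 space counts as internal. (ipaddress.is_private is deliberately not used:
# it also treats documentation ranges such as 203.0.113.0/24 as private.)
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class EgressRule:
    source: str       # CIDR the rule applies to (the AI application hosts)
    destination: str  # CIDR reachable under this rule; "0.0.0.0/0" means any
    action: str       # "allow" or "deny"


@dataclass
class AiApp:
    name: str
    classification: str
    owner: str
    features: dict                 # feature flag -> bool
    hosts: str                     # CIDR of the servers running the application
    egress_rules: list = field(default_factory=list)  # evaluated first-match


def check_features(app):
    """One finding per feature that still allows direct external access."""
    return [f"{app.name}: feature '{feat}' is enabled"
            for feat in EXTERNAL_ACCESS_FEATURES if app.features.get(feat, False)]


def check_egress(app, approved_intermediaries):
    """Findings if the app's hosts may reach public addresses directly."""
    findings = []
    approved = [ipaddress.ip_network(n) for n in approved_intermediaries]
    hosts = ipaddress.ip_network(app.hosts)
    terminal_deny = False
    for rule in app.egress_rules:
        if not hosts.subnet_of(ipaddress.ip_network(rule.source)):
            continue  # rule does not cover the application hosts
        dst = ipaddress.ip_network(rule.destination)
        if rule.action == "deny":
            if dst.prefixlen == 0:
                terminal_deny = True
                break  # nothing after a deny-all is reachable
            continue
        # allow rule: acceptable only for internal space or an approved intermediary
        if any(dst.subnet_of(r) for r in INTERNAL_RANGES + approved):
            continue
        findings.append(f"{app.name}: egress allow to {dst} is not an approved intermediary")
    if not terminal_deny:
        findings.append(f"{app.name}: no default-deny outbound rule for {hosts}")
    return findings


def audit(apps, approved_intermediaries):
    """Map each registered app to its findings; an empty list means compliant."""
    return {app.name: check_features(app) + check_egress(app, approved_intermediaries)
            for app in apps}


# Constructed sample register (not real systems). One vetted internal feed is approved.
APPROVED_INTERMEDIARIES = ["10.50.0.0/24"]
SAMPLE_APPS = [
    AiApp("doc-summariser", "PROTECTED", "Records Team",
          {"web_browsing": False, "live_web_search": False,
           "external_plugins": False, "external_connectors": False},
          "10.20.30.0/24",
          [EgressRule("10.20.30.0/24", "10.50.0.0/24", "allow"),   # vetted feed only
           EgressRule("10.20.30.0/24", "0.0.0.0/0", "deny")]),
    AiApp("research-assistant", "OFFICIAL: Sensitive", "Analysis Team",
          {"web_browsing": True, "live_web_search": False, "external_plugins": True},
          "10.20.40.0/24",
          [EgressRule("10.20.40.0/24", "203.0.113.0/24", "allow")]),  # public, no deny-all
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_APPS, APPROVED_INTERMEDIARIES).items():
        print(f"{name}: {'COMPLIANT' if not findings else 'NON-COMPLIANT'}")
        for finding in findings:
            print("  -", finding)
```

Run after every application or vendor update and keep the dated output with the change record; the findings list for each register entry is the evidence the audit tips ask for. Feeding it the real register and exported rule set rather than the sample data is the only adaptation needed, provided the rule semantics match the first-match assumption.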
Cross-framework mappings
How ISM-2112 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.15 | ISM-2112 requires a specific logical access restriction: AI applications processing classified data must not directly access external pub... |
| Partially overlaps | Annex A 8.23 | ISM-2112 requires disabling AI applications’ direct access to external public data sources when processing classified data |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.