Where AI runs - the cloud

Almost every AI system you’ll test lives in the cloud, and the connections between AI and cloud services are where a large share of real risk sits (II.7, II.12, II.13). Here’s the plain-language map of what’s what.

The three service models

  • IaaS (Infrastructure as a Service) - raw building blocks you manage: virtual machines, GPUs, storage, networking (AWS EC2/S3, Azure VMs, GCP Compute). You patch and configure it; misconfiguration is yours to own.
  • PaaS (Platform as a Service) - managed platforms you build on without running the servers (managed databases, Kubernetes, model-serving platforms like SageMaker, Vertex AI, Azure ML).
  • SaaS (Software as a Service) - finished applications you just use (a hosted chatbot, a model API). The provider runs everything; you configure access and data.

A managed model API (OpenAI, Anthropic, Bedrock, Vertex) is effectively SaaS/PaaS: you send prompts, you don’t run the model. That convenience is why the connections - keys, data flows, tool access - become the surface, not the model’s internals.

flowchart TB
  U["User / client"] --> APP["AI application<br/>(orchestration + agent logic)"]
  APP --> API["Model API / serving<br/>OpenAI · Bedrock · Vertex · self-hosted"]
  APP --> VDB[("Vector DB<br/>RAG store")]
  APP --> DATA[("Data lake / warehouse<br/>S3 · Snowflake · BigQuery")]
  APP --> TOOLS["Tools / MCP servers<br/>APIs · functions"]
  IAM["Cloud IAM<br/>roles · keys · tokens"] -. governs .- APP
  IAM -. governs .- VDB
  IAM -. governs .- DATA
  IAM -. governs .- TOOLS
  classDef a fill:#0f1a18,stroke:#5bd1c5,color:#bdeee2;
  classDef i fill:#1d1708,stroke:#e4a23f,color:#f0d8a8;
  class U,APP,API,VDB,DATA,TOOLS a; class IAM i;

The AI app is the hub; everything it touches - the model, the vector store, the data lake, the tools - is a cloud connection mediated by IAM (identity and access management). Each arrow is an attack surface, and each is only as safe as the credential behind it.

The pieces an AI system connects to

  • Compute & serving - where the model runs or is called from (II.7).
  • Object storage & data lakes/warehouses - S3, Snowflake, BigQuery holding training/RAG data (II.13).
  • Vector databases - the RAG retrieval store (II.13).
  • Tools & MCP servers - the APIs and functions an agent can call to act (II.5, II.6).
  • IAM - the identity-and-access layer (roles, keys, short-lived tokens) that gates all of the above. For agents, this is the non-human-identity problem (III.2), and over-broad IAM is a leading way a small AI bug becomes a big breach.
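A concrete way to test the last point: the role an AI application or agent assumes carries an IAM policy document, and wildcard grants in it are what let a single bad tool call reach every bucket or model. The script below is an added example, not code from the original page; both policy documents are constructed samples, and the bucket name and model identifier are placeholders.

```python
"""Lint an IAM policy attached to an AI application role for over-broad grants.

Added example (not part of the original page). Flags Allow statements whose
Action or Resource is a wildcard, the grants that let a small AI bug (one
injected tool call) turn into access to everything the role can see.
Both policy documents below are constructed samples.
"""
import json

# Constructed: an agent role that can do anything in S3 and Bedrock, anywhere.
OVER_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["bedrock:*"], "Resource": "*"},
    ],
})

# Constructed: the same role scoped to one RAG prefix and one model ARN.
# Bucket name and model id are placeholders, not real identifiers.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-rag-corpus/docs/*"},
        {"Effect": "Allow", "Action": ["bedrock:InvokeModel"],
         "Resource": "arn:aws:bedrock:us-east-1::foundation-model/PLACEHOLDER-MODEL-ID"},
    ],
})


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def find_over_broad(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement with a wildcard Action or a bare '*' Resource."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; Allow is what over-grants
        wild_actions = [a for a in _as_list(stmt.get("Action", [])) if "*" in a]
        wild_resources = [r for r in _as_list(stmt.get("Resource", [])) if r == "*"]
        if wild_actions or wild_resources:
            findings.append({"statement": idx, "actions": wild_actions,
                             "resources": wild_resources})
    return findings


if __name__ == "__main__":
    for name, doc in (("over-broad", OVER_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_over_broad(doc)))
```

Run it against the policy document actually attached to the app's role (for example, the output of an IAM get-policy call) to see which statements would let an agent's mistake spread beyond its own data.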