Part 1 explained why we have to bound behavior instead of asserting exact outputs. This post maps where to place those boundaries. AI systems expose attack surfaces at three runtime checkpoints (input, processing, and output), and the checks differ by system type (classical ML, LLM-based, or hybrid).
Category: AI Security
Why the pentesting playbook doesn’t fit: belief, assumptions, and non-determinism
This is the first of five posts on testing AI systems securely. If you've shipped or evaluated AI in production, you've probably felt it: the test suite passes, coverage looks good, and something still nags. *What are we actually validating?* That gap is what this series addresses.