2.3. Manage, Monitor, and Secure Azure AI Services

💡 First Principle: Security isn't just about keeping bad actors out—it's about limiting blast radius when (not if) something goes wrong. Every credential can be leaked, every endpoint can be probed. The question is: when your API key ends up in a GitHub commit (it happens to everyone eventually), what can an attacker actually do with it?

What breaks without proper security and monitoring:

• Authentication failure: API keys in source code get leaked. Your AI services get abused. You get a surprise $50,000 bill for someone else's GPT-4 experiments.
• RBAC failure: A developer with Owner permissions accidentally deletes production resources. With proper RBAC, they would only have Cognitive Services User—enough to call APIs, not enough to cause catastrophic damage.
• Monitoring failure: Rate limiting starts blocking legitimate users. Without alerts, you don't know until customers complain. By then, you've lost hours of business.

Think of it like securing a building. API keys are door keys—easy to copy, hard to revoke, dangerous if lost. Managed identities are like biometric access—tied to a specific identity, automatically managed, impossible to accidentally share on Slack. The exam tests whether you understand that managed identity is the production standard, not an optional nice-to-have.