update module

Co-authored-by: Copilot <[email protected]>

Author: ceperezb

learn-pr/advocates/ai-security-controls/includes/2-review-ai-open-source-libraries.md

@@ -9,13 +9,7 @@ AI OSS libraries carry some risks that go beyond those of traditional software d
 - **Serialization risks**: AI models are frequently saved and loaded using serialization formats (such as pickle in Python). Deserializing untrusted model files can lead to arbitrary code execution.
 - **Rapid release cycles**: AI libraries evolve quickly, with frequent breaking changes. Organizations that pin to older versions may miss critical security patches.
 
-<!-- IMAGE PLACEHOLDER: Conceptual diagram
-Alt text: Diagram showing four AI-specific supply chain risks for open-source libraries
-Suggested source: Custom diagram needed
-Capture instructions: Create a diagram with four risk categories (pre-trained models with backdoors, data pipeline vulnerabilities, serialization/deserialization risks, rapid release cycles) branching from a central "AI OSS Library" node.
-Suggested filename: ai-oss-supply-chain-risks.png
-Priority: Medium
--->
+:::image type="content" source="../media/ai-open-source-supply-chain-risks.png" alt-text="Diagram showing four AI-specific supply chain risks for open-source libraries: pre-trained models with backdoors, data pipeline vulnerabilities, serialization and deserialization risks, and rapid release cycles." lightbox="../media/ai-open-source-supply-chain-risks.png":::
 
 ## Assess the suitability of OSS libraries
 
@@ -51,4 +45,4 @@ Don't assume that others have performed vulnerability checks. Apply your own ass
 - **Prioritized remediation**: If vulnerabilities are detected, assess their impact and exploitability. Prioritize fixes based on severity and exposure.
 - **Continuous monitoring**: OSS vulnerability databases are updated regularly. Set up automated alerts for new CVEs affecting libraries in your AI stack.
 
-:::image type="content" source="../media/ai-oss-library-review-process.png" alt-text="Flowchart of the AI open-source library security review process from assessment to approval." lightbox="../media/ai-oss-library-review-process.png":::
+:::image type="content" source="../media/ai-open-source-library-review-process.png" alt-text="Flowchart of the AI open-source library security review process from assessment to approval." lightbox="../media/ai-open-source-library-review-process.png":::

learn-pr/advocates/ai-security-controls/includes/5-create-metaprompts.md

@@ -13,7 +13,7 @@ For example, a good metaprompt might instruct: "If a user requests large quantit
 
 Industry research shows that well-designed metaprompts significantly reduce the risk of security defects and harmful outputs.
 
-:::image type="content" source="../media/metaprompts.png" alt-text="Screenshot showing metaprompts and the types of security issues they help mitigate.":::
+:::image type="content" source="../media/system-prompts.png" alt-text="Screenshot showing metaprompts and the types of security issues they help mitigate." lightbox="../media/system-prompts.png":::
 
 ## Key components of an effective metaprompt
 
@@ -25,7 +25,7 @@ A comprehensive metaprompt typically includes several types of instructions incl
 - Anti-manipulation defenses
 - Output formatting rules
 
-:::image type="content" source="../media/metaprompt-components.png" alt-text="Diagram showing the five key components of an effective security metaprompt: role and scope definition, safety and compliance rules, grounding instructions, anti-manipulation defenses, and output formatting rules.":::
+:::image type="content" source="../media/system-prompt-components.png" alt-text="Diagram showing the five key components of an effective security metaprompt: role and scope definition, safety and compliance rules, grounding instructions, anti-manipulation defenses, and output formatting rules." lightbox="../media/system-prompt-components.png":::
 
 ### Role and scope definition
 

learn-pr/advocates/ai-security-controls/includes/7-implement-application-security-best-practices-for-ai-enabled-applications.md

@@ -59,11 +59,3 @@ Conduct ongoing security assessments that include AI-specific scenarios:
 - **Penetration testing**: Include AI-specific attack scenarios (prompt injection, jailbreaking, data exfiltration) in penetration tests
 - **Code reviews**: Review code that handles prompt construction, tool-call routing, and data retrieval for security flaws
 - **Red team exercises**: Conduct regular AI-focused red team exercises to test the effectiveness of security controls. The next module in this learning path covers AI red teaming in detail.
-
-<!-- IMAGE PLACEHOLDER: Conceptual diagram
-Alt text: Diagram showing layered AI application security from SDLC through monitoring
-Suggested source: Custom diagram needed
-Capture instructions: Create a concentric or layered diagram with the secure SDLC as the outermost ring, then inner layers for agent tool security, data protection (encryption, secrets management), monitoring and observability, and regular security testing at the core. This visualizes the defense-in-depth approach for AI applications.
-Suggested filename: ai-app-security-layers.png
-Priority: Medium
--->