LLM AI Cybersecurity & Governance Checklist
From the OWASP Top 10 for LLM Applications Team
Version: 1.0
Published: February 19, 2024
Revision History

| Revision | Date | Author(s) | Description |
|---|---|---|---|
| 0.1 | 2023-11-01 | Sandy Dunn | initial draft |
| 0.5 | 2023-12-06 | SD, Team | public draft |
| 0.9 | 2023-02-15 | SD, Team | pre-release draft |
| 1.0 | 2024-02-19 | SD, Team | public release v1.0 |

The information provided in this document does not, and is not intended to, constitute legal advice. All information is for general informational purposes only.
This document contains links to other third-party websites. Such links are only for convenience and OWASP does not recommend or endorse the contents of the third-party sites.
1 Overview
1.1 Responsible and Trustworthy Artificial Intelligence
1.2 Who is This For?
1.3 Why a Checklist?
1.4 Not Comprehensive
1.5 Large Language Model Challenges
1.6 LLM Threat Categories
1.7 Artificial Intelligence Security and Privacy Training
1.8 Incorporate LLM Security and governance with Existing, Established Practices and Controls
1.9 Fundamental Security Principles
1.10 Risk
1.11 Vulnerability and Mitigation Taxonomy
2 Determining LLM Strategy
2.1 Deployment Strategy
3 Checklist
3.1 Adversarial Risk
3.2 Threat Modeling
3.3 AI Asset Inventory
3.4 AI Security and Privacy Training
3.5 Establish Business Cases
3.6 Governance
3.7 Legal
3.8 Regulatory
3.9 Using or Implementing Large Language Model Solutions
3.10 Testing, Evaluation, Verification, and Validation (TEVV)
3.11 Model Cards and Risk Cards
3.12 RAG: Large Language Model Optimization
3.13 AI Red Teaming
4 Resources
A Team
Overview
Every internet user and company should prepare for the upcoming wave of powerful generative artificial intelligence (GenAI) applications. GenAI has enormous promise for innovation, efficiency, and commercial success across a variety of industries. Still, like any powerful early stage technology, it brings its own set of obvious and unexpected challenges.
Artificial intelligence has advanced greatly over the last 50 years, inconspicuously supporting a variety of corporate processes until ChatGPT’s public appearance drove the development and use of Large Language Models (LLMs) among both individuals and enterprises. Initially, these technologies were limited to academic study or the execution of certain, but vital, activities within corporations, visible only to a select few. However, recent advances in data availability, computer power, GenAI capabilities, and the release of tools such as Llama 2, ElevenLabs, and Midjourney have raised AI from a niche to general widespread acceptance. These improvements have not only made GenAI technologies more accessible, but they have also highlighted the critical need for enterprises to develop solid strategies for integrating and exploiting AI in their operations, representing a huge step forward in how we use technology.
• Artificial intelligence (AI) is a broad term that encompasses all fields of computer science that enable machines to accomplish tasks that would normally require human intelligence. Machine learning and generative AI are two subcategories of AI.
• Machine learning is a subset of AI that focuses on creating algorithms that can learn from data. Machine learning algorithms are trained on a set of data, and then they can use that data to make predictions or decisions about new data.
• Generative AI is a type of machine learning that focuses on creating new data.
• A large language model (LLM) is a type of AI model that processes and generates human-like text. In the context of artificial intelligence, a "model" refers to a system that is trained to make predictions based on input data. LLMs are specifically trained on large data sets of natural language, hence the name large language models.
Organizations are entering uncharted territory in securing and overseeing GenAI solutions. The rapid advancement of GenAI also opens doors for adversaries to enhance their attack strategies, introducing a dual challenge of defense and threat escalation.
Businesses use artificial intelligence in many areas, including HR for recruiting, email spam screening, SIEM for behavioral analytics, and managed detection and response applications. However, this document’s primary focus is on Large Language Model applications and their function in creating generated content.
Responsible and Trustworthy Artificial Intelligence
As challenges and benefits of Artificial Intelligence emerge - and regulations and laws are passed - the principles and pillars of responsible and trustworthy AI usage are evolving from idealistic objects and concerns to established standards. The OWASP AI Exchange Working Group is monitoring these changes and addressing the broader and more challenging considerations for all aspects of artificial intelligence.
Figure 1.1: Image depicting the pillars of trustworthy artificial intelligence
Who is This For?
The OWASP Top 10 for LLM Applications Cybersecurity and Governance Checklist is for leaders across executive, tech, cybersecurity, privacy, compliance, and legal areas, DevSecOps, MLSecOps, and Cybersecurity teams and defenders. It is intended for people who are striving to stay ahead in the fast-moving AI world, aiming not just to leverage AI for corporate success but also to protect against the risks of hasty or insecure AI implementations. These leaders and teams must create tactics to grab opportunities, combat challenges, and mitigate risks.
This checklist is intended to help these technology and business leaders quickly understand the risks and benefits of using LLM, allowing them to focus on developing a comprehensive list of critical areas and tasks needed to defend and protect the organization as they develop a Large Language Model strategy.
It is the hope of the OWASP Top 10 for the LLM Applications team that this list will help organizations improve their existing defensive techniques and develop techniques to address the new threats that come from using this exciting technology.
Why a Checklist?
Checklists used to formulate strategies improve accuracy, define objectives, preserve uniformity, and promote focused deliberate work, reducing oversights and missed details. Following a checklist not only increases trust in a safe adoption journey, but also encourages future organizational innovations by providing a simple and effective strategy for continuous improvement.
Not Comprehensive
Although this document intends to support organizations in developing an initial LLM strategy in a rapidly changing technical, legal, and regulatory environment, it is not exhaustive and does not cover every use case or obligation. While using this document, organizations should extend assessments and practices beyond the scope of the provided checklist as required for their use case or jurisdiction.
Large Language Model Challenges
Large Language models face several serious and unique issues. One of the most important is that while working with LLMs, the control and data planes cannot be strictly isolated or separable. Another significant challenge is that LLMs are nondeterministic by design, yielding a different outcome when prompted or requested. LLMs employ semantic search rather than keyword search. The key distinction between the two is that the model’s algorithm prioritizes the terms in its response. This is a significant departure from how consumers have previously used technology, and it has an impact on the consistency and reliability of the findings. Hallucinations, emerging from the gaps and training flaws in the data the model is trained on, are the result of this method.
There are methods to improve reliability and reduce the attack surface for jailbreaking, model tricking, and hallucinations, but there is a trade-off between restrictions and utility in both cost and functionality.
LLM use and LLM applications increase an organization’s attack surface. Some risks associated with LLMs are unique, but many are familiar issues, such as the known software bill of materials (SBoM), supply chain, data loss protection (DLP), and authorized access. There are also increased risks not directly related to GenAI, but GenAI increases the efficiency, capability, and effectiveness of attackers who attack and threaten organizations.
Adversaries are increasingly harnessing LLM and Generative AI tools to refine and expedite traditional methods of attacking organizations, individuals, and government systems. LLM facilitates their ability to enhance techniques allowing them to effortlessly craft new malware, potentially embedded with novel zero-day vulnerabilities or designed to evade detection. They can also generate sophisticated, unique, or tailored phishing schemes. The creation of convincing deepfakes, whether video or audio, further promotes their social engineering ploys. Additionally, these tools enable them to execute intrusions and develop innovative hacking capabilities. In the future, more “tailored” and compound use of AI technology by criminal actors will demand specific responses and dedicated solutions for an organization’s appropriate defense and resilience capabilities.
Organizations also face the threat of NOT utilizing the capabilities of LLMs such as a competitive disadvantage, market perception by customers and partners of being outdated, inability to scale personalized communications, innovation stagnation, operational inefficiencies, the higher risk of human error in processes, and inefficient allocation of human resources.
Understanding the different kinds of threats and integrating them with the business strategy will help weigh both the pros and cons of using Large Language Models (LLMs) against not using them, making sure they accelerate rather than hinder the business’s meeting business objectives.
LLM Threat Categories
Figure 1.2: Image depicting the types of AI threats
Artificial Intelligence Security and Privacy Training
Employees throughout organizations benefit from training to understand artificial intelligence, generative artificial intelligence, and the future potential consequences of building, buying, or utilizing LLMs. Training for permissible use and security awareness should target all employees as well as be more specialized for certain positions such as human resources, legal, developers, data teams, and security teams.
Fair use policies and healthy interaction are key aspects that, if incorporated from the very start, will be a cornerstone to the success of future AI cybersecurity awareness campaigns. This will necessarily provide users with knowledge of the basic rules for interaction as well as the ability to separate good behavior from bad or unethical behavior.
Incorporate LLM Security and governance with Existing, Established Practices and Controls
While AI and generated AI add a new dimension to cybersecurity, resilience, privacy, and meeting legal and regulatory requirements, the best practices that have been around for a long time are still the best way to identify issues, find vulnerabilities, fix them, and mitigate potential security issues.
• Confirm the management of artificial intelligence systems is integrated with existing organizational practices.
• Confirm AIML systems follow existing privacy, governance, and security practices, with AI specific privacy, governance, and security practices implemented when required.
Fundamental Security Principles
LLM capabilities introduce a different type of attack and attack surface. LLMs are vulnerable to complex business logic bugs, such as prompt injection, insecure plugin design, and remote code execution. Existing best practices are the best way to solve these issues. An internal product security team that understands secure software review, architecture, data governance, and third-party assessments The cybersecurity team should also check how strong the current controls are to find problems that could be made worse by LLM, such as voice cloning, impersonation, or bypassing captchas. Given recent advancements in machine learning, NLP (Natural Language Processing), NLU (Natural Language Understanding), Deep Learning, and more recently, LLMs (Large Language Models) and Generative AI, it is recommended to include professionals proficient in these areas alongside cybersecurity and devops teams. Their expertise will not only aid in adopting these technologies but also in developing innovative analyses and responses to emerging challenges.
Risk
Reference to risk uses the ISO 31000 definition: Risk = "effect of uncertainty on objectives." The LLM risks included in the checklist are a targeted list that addresses adversarial, safety, legal, regulatory, reputation, financial, and competitive risks.
Vulnerability and Mitigation Taxonomy
Current systems for classifying vulnerabilities and sharing threat information, like OVAL, STIX, CVE, and CWE, are still developing the ability to monitor and alert defenders about vulnerabilities and threats specific to Large Language Models (LLMs) and Predictive Models. It is expected that organizations will lean on these established and recognized standards, such as CVE for vulnerability classification and STIX for the exchange of cyber threat intelligence (CTI), when vulnerabilities or threats to AI/ML systems and their supply chains are identified.
Determining LLM Strategy
The rapid expansion of Large Language Model (LLM) applications has heightened the attention and examination of all AI/ML systems used in business operations, encompassing both Generative AI and long-established Predictive AI/ML systems. This increased focus exposes potential risks, such as attackers targeting systems that were previously overlooked and governance or legal challenges that may have been disregarded in terms of legal, privacy, liability, or warranty issues. For any organization leveraging AI/ML systems in its operations, it’s critical to assess and establish comprehensive policies, governance, security protocols, privacy measures, and accountability standards to ensure these technologies align with business processes securely and ethically.
Attackers, or adversaries, provide the most immediate and harmful threat to enterprises, people, and government agencies. Their goals, which range from financial gain to espionage, push them to steal critical information, disrupt operations, and damage confidence. Furthermore, their ability to harness new technologies such as AI and machine learning increases the speed and sophistication of attacks, making it difficult for defenses to stay ahead of attacks.
The most pressing non-adversary LLM threat for many organizations stems from "Shadow AI": employees using unapproved online AI tools, unsafe browser plugins, and third-party applications that introduce LLM features via updates or upgrades, circumventing standard software approval processes.
Figure 2.1: Image of options for deployment strategy
Deployment Strategy
The scopes range from leveraging public consumer applications to training proprietary models on private data. Factors like use case sensitivity, capabilities needed, and resources available help determine the right balance of convenience vs. control. However, understanding these five model types provides a framework for evaluating options.
Figure 2.2: Image of options for deployment types
Checklist
Adversarial Risk
Adversarial Risk includes competitors and attackers.
□ Scrutinize how competitors are investing in artificial intelligence. Although there are risks in AI adoption, there are also business benefits that may impact future market positions.
□ Investigate the impact of current controls, such as password resets that use voice recognition, which may no longer provide the appropriate defensive security from new GenAI enhanced attacks.
□ Update the Incident Response Plan and playbooks for GenAI enhanced attacks and AIML specific incidents.
Threat Modeling
Threat modeling is highly recommended to identify threats and examine processes and security defenses. Threat modeling is a set of systematic, repeatable processes that enable making reasonable security decisions for applications, software, and systems. Threat modeling for GenAI accelerated attacks and before deploying LLMs is the most cost effective way to identify and mitigate risks, protect data, protect privacy, and ensure a secure, compliant integration within the business.
□ How will attackers accelerate exploit attacks against the organization, employees, executives, or users? Organizations should anticipate "hyper-personalized" attacks at scale using Generative AI. LLM-assisted Spear Phishing attacks are now exponentially more effective, targeted, and weaponized for an attack.
□ How could GenAI be used for attacks on the business’s customers or clients through spoofing or GenAI generated content?
□ Can the business detect and neutralize harmful or malicious inputs or queries to LLM solutions?
□ Can the business safeguard connections with existing systems and databases with secure integrations at all LLM trust boundaries?
□ Does the business have insider threat mitigation to prevent misuse by authorized users?
□ Can the business prevent unauthorized access to proprietary models or data to protect Intellectual Property?
□ Can the business prevent the generation of harmful or inappropriate content with automated content filtering?
AI Asset Inventory
An AI asset inventory should apply to both internally developed and external or third-party solutions.
□ Catalog existing AI services, tools, and owners. Designate a tag in asset management for specific inventory.
□ Include AI components in the Software Bill of Material (SBOM), a comprehensive list of all the software components, dependencies, and metadata associated with applications.
□ Catalog AI data sources and the sensitivity of the data (protected, confidential, public)
□ Establish if pen testing or red teaming of deployed AI solutions is required to determine the current attack surface risk.
□ Create an AI solution onboarding process.
□ Ensure skilled IT admin staff is available either internally or externally, following SBoM requirements.
AI Security and Privacy Training
□ Actively engage with employees to understand and address concerns with planned LLM initiatives.
□ Establish a culture of open and transparent communication on the organization’s use of predictive or generative AI within the organization process, systems, employee management and support, and customer engagements and how its use is governed, managed, and risks addressed.
□ Train all users on ethics, responsibility, and legal issues such as warranty, license, and copyright.
□ Update security awareness training to include GenAI related threats such as voice cloning and image cloning, and in anticipation of increased spear phishing attacks.
□ Any adopted GenAI solutions should include training for both DevOps and cybersecurity for the deployment pipeline to ensure AI safety and security assurances.
Establish Business Cases
Solid business cases are essential to determining the business value of any proposed AI solution, balancing risk and benefits, and evaluating and testing return on investment. There are an enormous number of potential use cases; a few examples are provided.
□ Enhance customer experience
□ Better operational efficiency
□ Better knowledge management
□ Enhanced innovation
□ Market Research and Competitor Analysis
□ Document creation, translation, summarization, and analysis
Governance
Corporate governance in LLM is needed to provide organizations with transparency and accountability. Identifying AI platform or process owners who are potentially familiar with the technology or the selected use cases for the business is not only advised but also necessary to ensure adequate reaction speed that prevents collateral damages to well established enterprise digital processes.
□ Establish the organization’s AI RACI chart (who is responsible, who is accountable, who should be consulted, and who should be informed)
□ Document and assign AI risk, risk assessments, and governance responsibility within the organization.
□ Establish data management policies, including technical enforcement, regarding data classification and usage limitations. Models should only leverage data classified for the minimum access level of any user of the system. For example, update the data protection policy to emphasize not to input protected or confidential data into nonbusiness-managed tools.
□ Create an AI Policy supported by established policy (e.g., standard of good conduct, data protection, software use)
□ Publish an acceptable use matrix for various generative AI tools for employees to use.
□ Document the sources and management of any data that the organization uses from the generative LLM models.
Legal
Many of the legal implications of AI are undefined and potentially very costly. An IT, security, and legal partnership is critical to identifying gaps and addressing obscure decisions.
□ Confirm product warranties are clear in the product development stream to assign who is responsible for product warranties with AI.
□ Review and update existing terms and conditions for any GenAI considerations.
□ Review AI EULA agreements. End-user license agreements for GenAI platforms are very different in how they handle user prompts, output rights and ownership, data privacy, compliance, liability, privacy, and limits on how output can be used.
□ Organization’s EULA for customers: modify end-user agreements to prevent the organization from incurring liabilities related to plagiarism, bias propagation, or intellectual property infringement through AI-generated content.
□ Review existing AI-assisted tools used for code development. A chatbot’s ability to write code can threaten a company’s ownership rights to its product if a chatbot is used to generate code for the product. For example, it could call into question the status and protection of the generated content and who holds the right to use the generated content.
□ Review any risks to intellectual property. Intellectual property generated by a chatbot could be in jeopardy if improperly obtained data was used during the generative process, which is subject to copyright, trademark, or patent protection. If AI products use infringing material, it creates a risk for the outputs of the AI, which may result in intellectual property infringement.
□ Review any contracts with indemnification provisions. Indemnification clauses try to put the responsibility for an event that leads to liability on the person who was more at fault for it or who had the best chance of stopping it. Establish guardrails to determine whether the provider of the AI or its user caused the event, giving rise to liability.
□ Review liability for potential injury and property damage caused by AI systems.
□ Review insurance coverage. Traditional (D&O) liability and commercial general liability insurance policies are likely insufficient to fully protect AI use.
□ Identify any copyright issues. Human authorship is required for copyright. An organization may also be liable for plagiarism, propagation of bias, or intellectual property infringement if LLM tools are misused.
□ Ensure agreements are in place for contractors and appropriate use of AI for any development or provided services.
□ Restrict or prohibit the use of generative AI tools for employees or contractors where enforceable rights may be an issue or where there are IP infringement concerns.
□ Assess whether AI solutions used for employee management or hiring could result in disparate treatment claims or disparate impact claims.
□ Make sure the AI solutions do not collect or share sensitive information without proper consent or authorization.
Regulatory
The EU AI Act is anticipated to be the first comprehensive AI law but will apply in 2025 at the earliest. The EU’s General Data Protection Regulation (GDPR) does not specifically address AI but includes rules for data collection, data security, fairness and transparency, accuracy and reliability, and accountability, which can impact GenAI use. In the United States, AI regulation is included within broader consumer privacy laws. Ten US states have passed laws or have laws that will go into effect by the end of 2023.
Federal organizations such as the US Equal Employment Opportunity Commission (EEOC), the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and the US Department of Justice’s Civil Rights Division (DOJ) are closely monitoring hiring fairness.
□ Determine Country, State, or other Government specific AI compliance requirements.
□ Determine compliance requirements for restricting electronic monitoring of employees and employment-related automated decision systems (Vermont, California, Maryland, New York, New Jersey)
□ Determine compliance requirements for consent for facial recognition and the AI video analysis required (Illinois, Maryland, Washington, Vermont)
□ Review any AI tools in use or being considered for employee hiring or management.
□ Confirm the vendor’s compliance with applicable AI laws and best practices.
□ Ask and document any products using AI during the hiring process. Ask how the model was trained, and how it is monitored, and track any corrections made to avoid discrimination and bias.
□ Ask and document what accommodation options are included.
□ Ask and document whether the vendor collects confidential data.
□ Ask how the vendor or tool stores and deletes data and regulates the use of facial recognition and video analysis tools during pre-employment.
□ Review other organization-specific regulatory requirements with AI that may raise compliance issues. The Employee Retirement Income Security Act of 1974, for instance, has fiduciary duty requirements for retirement plans that a chatbot might not be able to meet.
Using or Implementing Large Language Model Solutions
□ Threat Model LLM components and architecture trust boundaries.
□ Data Security, verify how data is classified and protected based on sensitivity, including personal and proprietary business data. (How are user permissions managed, and what safeguards are in place?)
□ Access Control, implement least privilege access controls and implement defense-in-depth measures
□ Training Pi