版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
LLMAICybersecurity&GovernanceChecklist
FromtheOWASPTop10forLLMApplicationsTeam
Version:1.0
Published:February19,2024
RevisionHistory
Revision
Date
Author(s)
Description
0.1
2023-11-01
SandyDunn
initialdraft
0.5
2023-12-06
SD,Team
publicdraft
0.9
2023-02-15
SD,Team
pre-releasedraft
1.0
2024-02-19
SD,Team
publicreleasev1.0
Theinformationprovidedinthisdocumentdoesnot,andisnotintendedto,constitutelegaladvice.Allinformationisforgeneralinformationalpurposesonly.
Thisdocumentcontainslinkstootherthird-partywebsites.SuchlinksareonlyforconvenienceandOWASPdoesnotrecommendorendorsethecontentsofthethird-partysites.
1
Overview
5
1.1
ResponsibleandTrustworthyArtificialIntelligence
6
1.2
WhoisThisFor?
7
1.3
WhyaChecklist?
7
1.4
NotComprehensive
7
1.5
LargeLanguageModelChallenges
7
1.6
LLMThreatCategories
8
1.7
ArtificialIntelligenceSecurityandPrivacyTraining
9
1.8
IncorporateLLMSecurityandgovernancewithExisting,EstablishedPracticesandControls9
1.9
FundamentalSecurityPrinciples
9
1.10
Risk
10
1.11
VulnerabilityandMitigationTaxonomy
10
2
DeterminingLLMStrategy
11
2.1
DeploymentStrategy
13
3
Checklist
14
3.1
AdversarialRisk
14
3.2
ThreatModeling
14
3.3
AIAssetInventory
14
3.4
AISecurityandPrivacyTraining
15
3.5
EstablishBusinessCases
15
3.6
Governance
16
3.7
Legal
17
3.8
Regulatory
18
3.9
UsingorImplementingLargeLanguageModelSolutions
19
3.10
Testing,Evaluation,Verification,andValidation(TEVV)
19
3.11
ModelCardsandRiskCards
20
3.12
RAG:LargeLanguageModelOptimization
21
3.13
AIRedTeaming
21
4
Resources
22
A
Team
32
Overview
Everyinternetuserandcompanyshouldpreparefortheupcomingwaveofpowerfulgenerativeartificialintelligence(GenAI)applications.GenAIhasenormouspromiseforinnovation,efficiency,andcommercialsuccessacrossavarietyofindustries.Still,likeanypowerfulearlystagetechnology,itbringsitsownsetofobviousandunexpectedchallenges.
Artificialintelligencehasadvancedgreatlyoverthelast50years,inconspicuouslysupportingavarietyofcorporateprocessesuntilChatGPT’spublicappearancedrovethedevelopmentanduseofLargeLanguageModels(LLMs)amongbothindividualsandenterprises.Initially,thesetechnologieswerelimitedtoacademicstudyortheexecutionofcertain,butvital,activitieswithincorporations,visibleonlytoaselectfew.However,recentadvancesindataavailability,computerpower,GenAIcapabilities,andthereleaseoftoolssuchasLlama2,ElevenLabs,andMidjourneyhaveraisedAIfromanichetogeneralwidespreadacceptance.TheseimprovementshavenotonlymadeGenAItechnologiesmoreaccessible,buttheyhavealsohighlightedthecriticalneedforenterprisestodevelopsolidstrategiesforintegratingandexploitingAIintheiroperations,representingahugestepforwardinhowweusetechnology.
•Artificialintelligence(AI)isabroadtermthatencompassesallfieldsofcomputersciencethatenablemachinestoaccomplishtasksthatwouldnormallyrequirehumanintelligence.MachinelearningandgenerativeAIaretwosubcategoriesofAI.
•MachinelearningisasubsetofAIthatfocusesoncreatingalgorithmsthatcanlearnfromdata.Machinelearningalgorithmsaretrainedonasetofdata,andthentheycanusethatdatatomakepredictionsordecisionsaboutnewdata.
•GenerativeAIisatypeofmachinelearningthatfocusesoncreatingnewdata.
•Alargelanguagemodel(LLM)isatypeofAImodelthatprocessesandgenerateshuman-liketext.Inthecontextofartificialintelligencea"model"referstoasystemthatistrainedtomakepredictionsbasedoninputdata.LLMsarespecificallytrainedonlargedatasetsofnaturallanguageandthenamelargelanguagemodels.
OrganizationsareenteringunchartedterritoryinsecuringandoverseeingGenAIsolutions.TherapidadvancementofGenAIalsoopensdoorsforadversariestoenhancetheirattackstrategies,introducingadualchallengeofdefenseandthreatescalation.
Businessesuseartificialintelligenceinmanyareas,includingHRforrecruiting,emailspamscreening,SIEMforbehavioralanalytics,andmanageddetectionandresponseapplications.However,thisdocument’sprimaryfocusisonLargeLanguageModelapplicationsandtheirfunctionincreatinggeneratedcontent.
ResponsibleandTrustworthyArtificialIntelligence
AschallengesandbenefitsofArtificialIntelligenceemerge-andregulationsandlawsarepassed-theprinciplesandpillarsofresponsibleandtrustworthyAIusageareevolvingfromidealisticobjectsandconcernstoestablishedstandards.The
OWASPAIExchangeWorkingGroup
ismonitoringthesechangesandaddressingthebroaderandmorechallengingconsiderationsforallaspectsofartificialintelligence.
Figure1.1:Imagedepictingthepillarsoftrustworthyartificialintelligence
WhoisThisFor?
TheOWASPTop10forLLMApplicationsCybersecurityandGovernanceChecklistisforleadersacrossexecutive,tech,cybersecurity,privacy,compliance,andlegalareas,DevSecOps,MLSecOps,
andCybersecurityteamsanddefenders.Itisintendedforpeoplewhoarestrivingtostayaheadin
thefast-movingAIworld,aimingnotjusttoleverageAIforcorporatesuccessbutalsotoprotectagainsttherisksofhastyorinsecureAIimplementations.Theseleadersandteamsmustcreatetacticstograbopportunities,combatchallenges,andmitigaterisks.
ThischecklistisintendedtohelpthesetechnologyandbusinessleadersquicklyunderstandtherisksandbenefitsofusingLLM,allowingthemtofocusondevelopingacomprehensivelistofcriticalareasandtasksneededtodefendandprotecttheorganizationastheydevelopaLargeLanguageModelstrategy.
ItisthehopeoftheOWASPTop10fortheLLMApplicationsteamthatthislistwillhelporganizationsimprovetheirexistingdefensivetechniquesanddeveloptechniquestoaddressthenewthreatsthatcomefromusingthisexcitingtechnology.
WhyaChecklist?
Checklistsusedtoformulatestrategiesimproveaccuracy,defineobjectives,preserveuniformity,andpromotefocuseddeliberatework,reducingoversightsandmisseddetails.Followingachecklistnotonlyincreasestrustinasafeadoptionjourney,butalsoencouragesfutureorganizationsinnovationsbyprovidingasimpleandeffectivestrategyforcontinuousimprovement.
NotComprehensive
AlthoughthisdocumentintendstosupportorganizationsindevelopinganinitialLLMstrategyinarapidlychangingtechnical,legal,andregulatoryenvironment,itisnotexhaustiveanddoesnotcovereveryusecaseorobligation.WhileusingthisdocumentisOrganizationsshouldextendassessmentsandpracticesbeyondthescopeoftheprovidedchecklistasrequiredfortheirusecaseorjurisdiction.
LargeLanguageModelChallenges
LargeLanguagemodelsfaceseveralseriousanduniqueissues.OneofthemostimportantisthatwhileworkingwithLLMs,thecontrolanddataplanescannotbestrictlyisolatedorseparable.AnothersignificantchallengeisthatLLMsarenondeterministicbydesign,yieldingadifferentoutcomewhenpromptedorrequested.LLMsemploysemanticsearchratherthankeywordsearch.Thekeydistinctionbetweenthetwoisthatthemodel’salgorithmprioritizesthetermsinitsresponse.Thisisasignificantdeparturefromhowconsumershavepreviouslyusedtechnology,andithasanimpactontheconsistencyandreliabilityofthefindings.Hallucinations,emergingfromthegapsandtrainingflawsinthedatathemodelistrainedon,aretheresultofthismethod.
Therearemethodstoimprovereliabilityandreducetheattacksurfaceforjailbreaking,modeltricking,andhallucinations,butthereisatrade-offbetweenrestrictionsandutilityinbothcostandfunctionality.
LLMuseandLLMapplicationsincreaseanorganization’sattacksurface.Somerisksassociated
withLLMsareunique,butmanyarefamiliarissues,suchastheknownsoftwarebillofmaterials(SBoM),supplychain,datalossprotection(DLP),andauthorizedaccess.TherearealsoincreasedrisksnotdirectlyrelatedtoGenAI,butGenAIincreasestheefficiency,capability,andeffectivenessofattackerswhoattackandthreatenorganizations.
AdversariesareincreasinglyharnessingLLMandGenerativeAItoolstorefineandexpeditetraditional
methodsofattackingorganizations,individuals,andgovernmentsystems.LLMfacilitatestheirabilitytoenhancetechniquesallowingthemtoeffortlesslycraftnewmalware,potentiallyembeddedwithnovelzero-dayvulnerabilitiesordesignedtoevadedetection.Theycanalsogeneratesophisticated,unique,ortailoredphishingschemes.Thecreationofconvincingdeepfakes,whethervideooraudio,furtherpromotestheirsocialengineeringploys.Additionally,thesetoolsenablethemtoexecuteintrusionsanddevelopinnovativehackingcapabilities.Inthefuture,more“tailored”andcompounduseofAItechnologybycriminalactorswilldemandspecificresponsesanddedicatedsolutionsfor
anorganization’sappropriatedefenseandresiliencecapabilities.
OrganizationsalsofacethethreatofNOTutilizingthecapabilitiesofLLMssuchasacompetitivedisadvantage,marketperceptionbycustomersandpartnersofbeingoutdated,inabilitytoscalepersonalizedcommunications,innovationstagnation,operationalinefficiencies,thehigherriskofhumanerrorinprocesses,andinefficientallocationofhumanresources.
UnderstandingthedifferentkindsofthreatsandintegratingthemwiththebusinessstrategywillhelpweighboththeprosandconsofusingLargeLanguageModels(LLMs)againstnotusingthem,makingsuretheyaccelerateratherthanhinderthebusiness’smeetingbusinessobjectives.
LLMThreatCategories
Figure1.2:ImagedepictingthetypesofAIthreats
ArtificialIntelligenceSecurityandPrivacyTraining
Employeesthroughoutorganizationsbenefitfromtrainingtounderstandartificialintelligence,generativeartificialintelligence,andthefuturepotentialconsequencesofbuilding,buying,orutilizingLLMs.Trainingforpermissibleuseandsecurityawarenessshouldtargetallemployeesaswellasbemorespecializedforcertainpositionssuchashumanresources,legal,developers,datateams,andsecurityteams.
Fairusepoliciesandhealthyinteractionarekeyaspectsthat,ifincorporatedfromtheverystart,willbeacornerstonetothesuccessoffutureAIcybersecurityawarenesscampaigns.Thiswillnecessarilyprovideuserswithknowledgeofthebasicrulesforinteractionaswellastheabilitytoseparategoodbehaviorfrombadorunethicalbehavior.
IncorporateLLMSecurityandgovernancewithExisting,EstablishedPracticesandControls
WhileAIandgeneratedAIaddanewdimensiontocybersecurity,resilience,privacy,andmeetinglegalandregulatoryrequirements,thebestpracticesthathavebeenaroundforalongtimearestillthebestwaytoidentifyissues,findvulnerabilities,fixthem,andmitigatepotentialsecurityissues.
•Confirmthemanagementofartificialintelligencesystemsisintegratedwithexistingorganizationalpractices.
•ConfirmAIMLsystemsfollowexistingprivacy,governance,andsecuritypractices,withAIspecificprivacy,governance,andsecuritypracticesimplementedwhenrequired.
FundamentalSecurityPrinciples
LLMcapabilitiesintroduceadifferenttypeofattackandattacksurface.LLMsarevulnerabletocomplexbusinesslogicbugs,suchaspromptinjection,insecureplugindesign,andremotecodeexecution.Existingbestpracticesarethebestwaytosolvetheseissues.Aninternalproductsecurityteamthatunderstandssecuresoftwarereview,architecture,datagovernance,andthird-partyassessmentsThecybersecurityteamshouldalsocheckhowstrongthecurrentcontrolsaretofindproblemsthatcouldbemadeworsebyLLM,suchasvoicecloning,impersonation,orbypassingcaptchas.Givenrecentadvancementsinmachinelearning,NLP(NaturalLanguageProcessing),NLU(NaturalLanguageUnderstanding),DeepLearning,andmorerecently,LLMs(LargeLanguageModels)andGenerativeAI,itisrecommendedtoincludeprofessionalsproficientintheseareasalongsidecybersecurityanddevopsteams.Theirexpertisewillnotonlyaidinadoptingthesetechnologiesbutalsoindevelopinginnovativeanalysesandresponsestoemergingchallenges.
Risk
ReferencetoriskusestheISO31000definition:Risk="effectofuncertaintyonobjectives."LLMrisksincludedinthechecklistincludesatargetedlistofLLMrisksthataddressadversarial,safety,legal,regulatory,reputation,financial,andcompetitiverisks.
VulnerabilityandMitigationTaxonomy
Currentsystemsforclassifyingvulnerabilitiesandsharingthreatinformation,likeOVAL,STIX,CVE,andCWE,arestilldevelopingtheabilitytomonitorandalertdefendersaboutvulnerabilitiesandthreatsspecifictoLargeLanguageModels(LLMs)andPredictiveModels.Itisexpectedthatorganizationswillleanontheseestablishedandrecognizedstandards,suchasCVEforvulnerabilityclassificationandSTIXfortheexchangeofcyberthreatintelligence(CTI),whenvulnerabilitiesorthreatstoAI/MLsystemsandtheirsupplychainsareidentified.
DeterminingLLMStrategy
TherapidexpansionofLargeLanguageModel(LLM)applicationshasheightenedtheattentionandexaminationofallAI/MLsystemsusedinbusinessoperations,encompassingbothGenerativeAIandlong-establishedPredictiveAI/MLsystems.Thisincreasedfocusexposespotentialrisks,suchasattackerstargetingsystemsthatwerepreviouslyoverlookedandgovernanceorlegalchallengesthatmayhavebeendisregardedintermsoflegal,privacy,liability,orwarrantyissues.ForanyorganizationleveragingAI/MLsystemsinitsoperations,it’scriticaltoassessandestablishcomprehensivepolicies,governance,securityprotocols,privacymeasures,andaccountabilitystandardstoensurethesetechnologiesalignwithbusinessprocessessecurelyandethically.
Attackers,oradversaries,providethemostimmediateandharmfulthreattoenterprises,people,andgovernmentagencies.Theirgoals,whichrangefromfinancialgaintoespionage,pushthemtostealcriticalinformation,disruptoperations,anddamageconfidence.Furthermore,theirabilitytoharnessnewtechnologiessuchasAIandmachinelearningincreasesthespeedandsophisticationofattacks,makingitdifficultfordefensestostayaheadofattacks.
Themostpressingnon-adversaryLLMthreatformanyorganizationsstemfrom"ShadowAI":
employeesusingunapprovedonlineAItools,unsafebrowserplugins,andthird-partyapplicationsthatintroduceLLMfeaturesviaupdatesorupgrades,circumventingstandardsoftwareapprovalprocesses.
Figure2.1:Imageofoptionsfordeploymentstrategy
DeploymentStrategy
Thescopesrangefromleveragingpublicconsumerapplicationstotrainingproprietarymodelsonprivatedata.Factorslikeusecasesensitivity,capabilitiesneeded,andresourcesavailablehelpdeterminetherightbalanceofconveniencevs.control.However,understandingthesefivemodeltypesprovidesaframeworkforevaluatingoptions.
Figure2.2:Imageofoptionsfordeploymenttypes
Checklist
AdversarialRisk
AdversarialRiskincludescompetitorsandattackers.
□Scrutinizehowcompetitorsareinvestinginartificialintelligence.AlthoughtherearerisksinAIadoption,therearealsobusinessbenefitsthatmayimpactfuturemarketpositions.
□Investigatetheimpactofcurrentcontrols,suchaspasswordresets,whichusevoicerecognitionwhichmaynolongerprovidetheappropriatedefensivesecurityfromnewGenAIenhancedattacks.
□UpdatetheIncidentResponsePlanandplaybooksforGenAIenhancedattacksandAIMLspecificincidents.
ThreatModeling
Threatmodelingishighlyrecommendedtoidentifythreatsandexamineprocessesandsecuritydefenses.Threatmodelingisasetofsystematic,repeatableprocessesthatenablemakingreasonablesecuritydecisionsforapplications,software,andsystems.ThreatmodelingforGenAIacceleratedattacksandbeforedeployingLLMsisthemostcosteffectivewaytoIdentifyandmitigaterisks,protectdata,protectprivacy,andensureasecure,compliantintegrationwithinthebusiness.
□Howwillattackersaccelerateexploitattacksagainsttheorganization,employees,executives,orusers?Organizationsshouldanticipate"hyper-personalized"attacksatscaleusingGenerativeAI.LLM-assistedSpearPhishingattacksarenowexponentiallymoreeffective,targeted,andweaponizedforanattack.
□HowcouldGenAIbeusedforattacksonthebusiness’scustomersorclientsthroughspoofingorGenAIgeneratedcontent?
□CanthebusinessdetectandneutralizeharmfulormaliciousinputsorqueriestoLLMsolutions?
□CanthebusinesssafeguardconnectionswithexistingsystemsanddatabaseswithsecureintegrationsatallLLMtrustboundaries?
□Doesthebusinesshaveinsiderthreatmitigationtopreventmisusebyauthorizedusers?
□CanthebusinesspreventunauthorizedaccesstoproprietarymodelsordatatoprotectIntellectualProperty?
□Canthebusinesspreventthegenerationofharmfulorinappropriatecontentwithautomatedcontentfiltering?
AIAssetInventory
AnAIassetinventoryshouldapplytobothinternallydevelopedandexternalorthird-partysolutions.
□CatalogexistingAIservices,tools,andowners.Designateataginassetmanagementforspecificinventory.
□IncludeAIcomponentsintheSoftwareBillofMaterial(SBOM),acomprehensivelistofallthesoftwarecomponents,dependencies,andmetadataassociatedwithapplications.
□CatalogAIdatasourcesandthesensitivityofthedata(protected,confidential,public)
□EstablishifpentestingorredteamingofdeployedAIsolutionsisrequiredtodeterminethecurrentattacksurfacerisk.
□CreateanAIsolutiononboardingprocess.
□EnsureskilledITadminstaffisavailableeitherinternallyorexternally,followingSBoMrequirements.
AISecurityandPrivacyTraining
□ActivelyengagewithemployeestounderstandandaddressconcernswithplannedLLMinitiatives.
□Establishacultureofopen,andtransparentcommunicationontheorganization’suseofpredictiveorgenerativeAIwithintheorganizationprocess,systems,employeemanagementandsupport,andcustomerengagementsandhowitsuseisgoverned,managed,andrisksaddressed.
□Trainallusersonethics,responsibility,andlegalissuessuchaswarranty,license,andcopyright.
□UpdatesecurityawarenesstrainingtoincludeGenAIrelatedthreats.Voicecloningandimage
cloning,aswellasinanticipationofincreasedspearphishingattacks
□AnyadoptedGenAIsolutionsshouldincludetrainingforbothDevOpsandcybersecurityforthedeploymentpipelinetoensureAIsafetyandsecurityassurances.
EstablishBusinessCases
SolidbusinesscasesareessentialtodeterminingthebusinessvalueofanyproposedAIsolution,balancingriskandbenefits,andevaluatingandtestingreturnoninvestment.Thereareanenormousnumberofpotentialusecases;afewexamplesareprovided.
□Enhancecustomerexperience
□Betteroperationalefficiency
□Betterknowledgemanagement
□Enhancedinnovation
□MarketResearchandCompetitorAnalysis
□Documentcreation,translation,summarization,andanalysis
Governance
CorporategovernanceinLLMisneededtoprovideorganizationswithtransparencyandaccountability.IdentifyingAIplatformorprocessownerswhoarepotentiallyfamiliarwiththetechnologyorthe
selectedusecasesforthebusinessisnotonlyadvisedbutalsonecessarytoensureadequate
reactionspeedthatpreventscollateraldamagestowellestablishedenterprisedigitalprocesses.
□Establishtheorganization’sAIRACIchart(whoisresponsible,whoisaccountable,whoshouldbeconsulted,andwhoshouldbeinformed)
□DocumentandassignAIrisk,riskassessments,andgovernanceresponsibilitywithintheorganization.
□Establishdatamanagementpolicies,includingtechnicalenforcement,regardingdataclassificationandusagelimitations.Modelsshouldonlyleveragedataclassifiedfortheminimumaccesslevelofanyuserofthesystem.Forexample,updatethedataprotectionpolicytoemphasizenottoinputprotectedorconfidentialdataintononbusiness-managedtools.
□CreateanAIPolicysupportedbyestablishedpolicy(e.g.,standardofgoodconduct,dataprotection,softwareuse)
□PublishanacceptableusematrixforvariousgenerativeAItoolsforemployeestouse.
□DocumentthesourcesandmanagementofanydatathattheorganizationusesfromthegenerativeLLMmodels.
Legal
ManyofthelegalimplicationsofAIareundefinedandpotentiallyverycostly.AnIT,security,andlegalpartnershipiscriticaltoidentifyinggapsandaddressingobscuredecisions.
□ConfirmproductwarrantiesareclearintheproductdevelopmentstreamtoassignwhoisresponsibleforproductwarrantieswithAI.
□ReviewandupdateexistingtermsandconditionsforanyGenAIconsiderations.
□ReviewAIEULAagreements.End-userlicenseagreementsforGenAIplatformsareverydifferentinhowtheyhandleuserprompts,outputrightsandownership,dataprivacy,compliance,liability,privacy,andlimitsonhowoutputcanbeused.
□OrganizationsEULAforcustomers,Modifyend-useragreementstopreventtheorganizationfromincurringliabilitiesrelatedtoplagiarism,biaspropagation,orintellectualpropertyinfringementthroughAI-generatedcontent.
□ReviewexistingAI-assistedtoolsusedforcodedevelopment.Achatbot’sabilitytowritecodecanthreatenacompany’sownershiprightstoitsproductifachatbotisusedtogeneratecodefortheproduct.Forexample,itcouldcallintoquestionthestatusandprotectionofthegeneratedcontentandwhoholdstherighttousethegeneratedcontent.
□Reviewanyriskstointellectualproperty.Intellectualpropertygeneratedbyachatbotcouldbeinjeopardyifimproperlyobtaineddatawasusedduringthegenerativeprocess,whichissubjecttocopyright,trademark,orpatentprotection.IfAIproductsuseinfringingmaterial,itcreatesariskfortheoutputsoftheAI,whichmayresultinintellectualpropertyinfringement.
□Reviewanycontractswithindemnificationprovisions.Indemnificationclausestrytoputtheresponsibilityforaneventthatleadstoliabilityonthepersonwhowasmoreatfaultforitorwhohadthebestchanceofstoppingit.EstablishguardrailstodeterminewhethertheprovideroftheAIoritsusercausedtheevent,givingrisetoliability.
□ReviewliabilityforpotentialinjuryandpropertydamagecausedbyAIsystems.
□Reviewinsurancecoverage.Traditional(D&O)liabilityandcommercialgeneralliabilityinsurancepoliciesarelikelyinsufficienttofullyprotectAIuse.
□Identifyanycopyrightissues.Humanauthorshipisrequiredforcopyright.Anorganizationmayalsobeliableforplagiarism,propagationofbias,orintellectualpropertyinfringementifLLMtoolsaremisused.
□EnsureagreementsareinplaceforcontractorsandappropriateuseofAIforanydevelopmentorprovidedservices.
□RestrictorprohibittheuseofgenerativeAItoolsforemployeesorcontractorswhereenforceablerightsmaybeanissueorwherethereareIPinfringementconcerns.
□AssessandAIsolutionsusedforemployeemanagementorhiringcouldresultindisparatetreatmentclaimsordisparateimpactclaims.
□MakesuretheAIsolutionsdonotcollectorsharesensitiveinformationwithoutproperconsentorauthorization.
Regulatory
TheEUAIActisanticipatedtobethefirstcomprehensiveAIlawbutwillapplyin2025attheearliest.TheEUśGeneralDataProtectionRegulation(GDPR)doesnotspecificallyaddressAIbutincludesrulesfordatacollection,datasecurity,fairnessandtransparency,accuracyandreliability,andaccountability,whichcanimpactGenAIuse.IntheUnitedStates,AIregulationisincludedwithinbroaderconsumerprivacylaws.TenUSstateshavepassedlawsorhavelawsthatwillgointoeffectbytheendof2023.
FederalorganizationssuchastheUSEqualEmploymentOpportunityCommission(EEOC),theConsumerFinancialProtectionBureau(CFPB),theFederalTradeCommission(FTC),andtheUSDepartmentofJusticeśCivilRightsDivision(DOJ)arecloselymonitoringhiringfairness.
□DetermineCountry,State,orotherGovernmentspecificAIcompliancerequirements.
□Determinecompliancerequirementsforrestrictingelectronicmonitoringofemployeesandemployment-relatedautomateddecisionsystems(Vermont,California,Maryland,NewYork,NewJersey)
□DeterminecompliancerequirementsforconsentforfacialrecognitionandtheAIvideoanalysisrequired(Illinois,Maryland,Washington,Vermont)
□ReviewanyAItoolsinuseorbeingconsideredforemployeehiringormanagement.
□ConfirmthevendorścompliancewithapplicableAIlawsandbestpractices.
□AskanddocumentanyproductsusingAIduringthehiringprocess.Askhowthemodelwastrained,andhowitismonitored,andtrackanycorrectionsmadetoavoiddiscriminationandbias.
□Askanddocumentwhataccommodationoptionsareincluded.
□Askanddocumentwhetherthevendorcollectsconfidentialdata.
□Askhowthevendorortoolstoresanddeletesdataandregulatestheuseoffacialrecognitionandvideoanalysistoolsduringpre-employment.
□Reviewotherorganization-specificregulatoryrequirementswithAIthatmayraisecomplianceissues.TheEmployeeRetirementIncomeSecurityActof1974,forinstance,hasfiduciarydutyrequirementsforretirementplansthatachatbotmightnotbeabletomeet.
UsingorImplementingLargeLanguageModelSolutions
□ThreatModelLLMcomponentsandarchitecturetrustboundaries.
□DataSecurity,verifyhowdataisclassifiedandprotectedbasedonsensitivity,includingpersonalandproprietarybusinessdata.(Howareuserpermissionsmanaged,andwhatsafeguardsareinplace?)
□AccessControl,implementleastprivilegeaccesscontrolsandimplementdefense-in-depthmeasures
□TrainingPi
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 护理内科易错试题与清晰答案解析
- 2025年电工(高级)资格证考试真题汇编含答案详解(a卷)
- 蜘蛛常识题目解析及答案
- 电工(高级)资格证考试能力测试B卷附完整答案详解(夺冠)
- 电工(高级)资格证考试通关模拟题库附参考答案详解(综合题)
- 2026学校语言文字工作总结
- 国庆目录标题内容介绍4950
- 人工智能培训指南
- 法律就业方向与前景
- 同济大学人工智能研究
- CJ/T 313-2009生活垃圾采样和分析方法
- 储罐脱水管理制度
- T/CMMA 8-2020镁质胶凝材料制品硫氧镁平板
- 网红饮品品牌总部直营店授权与原物料供应合同
- 解读语文课程标准2025版
- 福建省漳州2024-2025高二语文上学期期末教学质量检测试题
- 装卸服务协议书样式
- 江苏《精神障碍社区康复服务规范》
- 职工食堂承包经营投标书-1
- 生命体征监测考核评分标准
- 河北省2011中考数学试题及答案
评论
0/150
提交评论