Practical Steps to Enable the Safe Use of Generative AI
Conor McCaffrey, Go to Market Lead, Securiti
Graham Thomas, Privacy Director, KPMG, CIPP/E

WELCOME AND INTRODUCTIONS
Enabling Safe Use of GenAI | AI Governance | Securiti AI

GEN AI'S ANNUAL POTENTIAL IMPACT ACROSS INDUSTRIES: $2.6-$4.4 trillion
Source: McKinsey & Company

By 2026, AI models from organizations that operationalize AI transparency, trust and security will achieve a 50% improvement in terms of adoption, business goals and user acceptance.
Source: Gartner: Innovation Guide for Generative AI in Trust, Risk and Security Management

Gartner Poll: Which Risks of GenAI Are You Most Worried About? (chart)

THE QUESTIONS AN ORGANISATION NEEDS ANSWERED
- Which AI Models exist?
- Are AI Models compliant with global regulations?
- A new category of apps: Agents & Assistants, Code, Insights & Automations
- What controls are there on prompts, agents, assistants?
- What data is being used in AI Models?
- What is the Risk Rating of AI Models?
- Which security controls are enabled for AI Models?

FROM FEAR TO CONTROL: 5-STEP APPROACH TO AI GOVERNANCE
Discover AI Models | Assess AI Model Risks | Map Data + AI Flows | Implement Data + AI Controls | Comply with Confidence
- STEP 1. Discover AI Models: Discover and catalog AI models in use across public clouds, SaaS applications, and private environments.
- STEP 2. Assess AI Model Risks: Evaluate risks related to data and AI models from IaaS and SaaS, and classify AI models as per global regulatory requirements.
- STEP 3. Map Data + AI Flows: Connect models to data sources, data processing paths, vendors, potential risks, compliance obligations, and continuously monitor data flow.
- STEP 4. Implement Data + AI Controls: Establish data controls on model inputs and outputs, securing AI systems from unauthorized access or manipulation.
- STEP 5. Comply with Confidence: Conduct assessments to comply with standards such as NIST AI RMF and generate AI ROPA reports and AI system event logs.

STEP 1. DISCOVER & CATALOG AI MODELS
Discover and catalog AI models in use across public clouds, SaaS applications, and private environments.
- Automatically discover all AI models active across public clouds, including those in both production and non-production environments.
- Collect comprehensive details on AI models operating within your SaaS applications and internal projects via assessments.
- Catalog all AI models present across your entire environment, ensuring visibility into every aspect of your AI landscape, including shadow AI.

STEP 2. ASSESS & CLASSIFY AI MODEL RISKS
Evaluate risks related to data and AI models from IaaS and SaaS, and classify AI models as per global regulatory requirements.
Ratings of popular open source and commercial AI models covering:
- Toxicity/Maliciousness
- Bias
- Efficiency (e.g., training energy consumption, inference runtime)
- Copyright considerations
- Disinformation/Hallucination risks
Classify AI systems and models as per classifications imposed by global regulatory bodies.

Model Creator | Model Name       | Accuracy | Fairness | Bias   | Toxicity | Summary
Anthropic     | Anthropic Claude | 81.50%   | 83.00%   | 58.30% | 63.30%   | 53.10%
OpenAI        | GPT 3.5 Mar 1st  | 78.20%   | 67.80%   | 44.00% | 57.00%   | 50.00%
Meta          | OPT (175B)       | 65.60%   | 68.00%   | 58.00% | 43.80%   | 59.50%
Google        | T5 (11B)         | 16.20%   | 18.10%   | 46.70% | 57.20%   | 11.90%
Google        | UL2 (20B)        | 20.50%   | 23.40%   | 54.60% | 28.80%   | 11.90%

STEP 3. MAP & MONITOR DATA + AI FLOWS
Understand the relationship of AI models to:
- Data sources
- Data processing
- Data flows
- Vendors/SaaS
- Potential risks
- Compliance obligations

STEP 4. IMPLEMENT DATA + AI CONTROLS
Safe Ingestion of Data | Security Controls & LLM Firewalls
Establish data controls on model inputs and outputs, securing sensitive data throughout its lifecycle.
- Safe ingestion of data into AI models, in alignment with enterprise data policies and entitlements.
- Classification, redaction/anonymization and sanitization of data before providing it to AI models.
(Illustration: Credit Card Number 3846)

STEP 5. IMPLEMENT DATA + AI CONTROLS
Safe Ingestion of Data | Security Controls & LLM Firewalls
AI assistants, AI bots, and AI agents will be the focus of external attacks, malicious internal use and configuration mistakes. Examples:
- Prompt Injection
- Training Data Exfiltration
- Jailbreak Attempts
- Prompt Entitlements
- Prompt DDOS
- Insecure Output Handling

AUTOMATE MANAGEMENT AND REPORTING OF COMPLIANCE WITH OVER TWENTY REGULATORY STANDARDS, SUCH AS NIST AI RMF AND EU AI ACT.
Stay ahead of the curve with continuous compliance assessments, mitigating legal and reputational risks.
- Extensive library of global AI regulations
- Automated compliance checks for technical controls associated with global AI regulations, including NIST AI RMF, EU AI Act, Data and AI Act, AI Bill etc.
- AI ROPA reports

BUILDING BLOCKS OF AN AI GOVERNANCE PROGRAM
Data Controls: Security | Privacy | Governance | Compliance
- Model Discovery: Approved models, versions; Identify data sets; Model evaluation results; Fairness scoring
- Model Consumption: Use case risk assessment; Lifecycle approvals; Map data & AI flows; Explainability
- Continuous Monitoring: Accuracy, drift, bias; Prompts, hallucination; Performance, relevance; User, usage patterns; Entitlements, policies
- Risk Management: Workflows; Dashboards; Risk incident management; Regulatory compliance

YOUR DATA COMMAND CENTER
CONTEXTUAL DATA + AI INTELLIGENCE AND UNIFIED CONTROLS
- Inputs: Regulations, 3rd Parties, Enterprise Data Processes, Data Clouds, Private Clouds, SaaS Cloud
- DataCommand Graph (Single Source of Truth); DataCommand APIs (Command & Control via APIs); Other Apps
- Modules: Data Privacy, Data Security, Compliance, Data Governance, AI Governance
- Coverage: AI Models, Data Clouds, Private Clouds, SaaS Clouds, Public Clouds

KEY RISKS AND CONCERNS ASSOCIATED WITH AI
- Security: Data Leakage; Data Tampering; Prompt Injection; Malicious Use; Phishing Scams
- Data Privacy: Personal Data Breach; Right to Erasure; Proprietary Data Use; Poor Data Quality; Lack of Transparency
- Ethical: Lack of Human Oversight; Plagiarism; Unintended Harm; Unforeseen Bias; Lack of Explainability; Environmental Impact
- Legal & Compliance: IP & Copyright Infringement; Liability; Misrepresentation; Fraud & Scams; Breaches of the Law
- Factual Accuracy: Hallucinations; Gaps in Training Data; Inaccurate Results; Misinformation
- General: Job Security; Lack of Oversight; Limited Knowledge; Tech Limitations; Significant Tech Expertise; Complex Technology; Algorithmic Bias
Source: KPMG, GenAI from promise to practice, The risks and governance approach of generative AI, 2023

10 KEY PRIVACY RISKS IN AI PROCESSING FOR CONSIDERATION
No. | Privacy risk                                   | Privacy principle                         | Mitigation examples
01  | Large scale collection of data                 | Data minimisation principle               | Privacy by Design, PIAs
02  | Possible re-use of datasets                    | Purpose limitation principle              | Privacy by Design, RoPAs, PIAs
03  | Over-retained data in datasets                 | Storage limitation principle              | Retention Policy, Privacy Controls
04  | Lack of legal basis for all AI use cases       | Lawfulness principle                      | Privacy by Design, RoPAs
05  | Discrimination in datasets                     | Fairness principle                        | Ethical Impact Assessments (including PIA)
06  | Unable to explain the AI/ML processing         | Transparency principle                    | Privacy Notice, Communications
07  | Data breaches of AI datasets/LLM               | Security of processing principle          | Security & Data Protection Controls, Data Minimisation
08  | Poor quality data in datasets                  | Accurate and up to date principle         | Privacy & Data Governance
09  | Unable to locate personal data in datasets     | Data subject requests                     | Privacy Controls, Data Mapping
10  | Unable to stop automated decision making       | Automated decision making (Article 22)    | Privacy by Design, Privacy Controls
Source: KPMG, Trust - Responsible AI, Data and Ethics, 2023

KEY CONSIDERATIONS ASSOCIATED WITH GEN AI
The following are some of the risk management challenges of generative AI models.
Risks and considerations (internal and external): Breaking confidentiality and intellectual property; Employee misuse and inaccuracies; Generative AI evolves; Misinformation, bias and discrimination; Cybersecurity & Privacy; Financial, brand and reputational risk; Talent implications; IP & Copyright Infringement; Adversarial attacks.
Questions to consider:
Group 1
1. How can you ensure confidentiality and accuracy are maintained while using generative AI models?
2. How can you ensure your generative AI models comply with growing global regulations?
3. How can you automate reviewing and managing compliance policies?
4. What should your workforce know about generative AI in terms of its risks and benefits?
Group 2
1. How can you ensure generative AI applications are managed effectively to avoid financial penalty due to not complying with regulations?
2. Can you trust the applications you use?
3. How can you proactively manage your applications and be aware of and watching for potential bias or discrimination?
4. Is using generative AI applications in line with your ethics, values and brand?
Cybersecurity & Privacy
1. How secure are your generative AI applications from cyberattacks, bad actors and insider threats?
2. Are your security controls working? How can they be improved?
3. Do the applications you use violate anyone's privacy?
Adversarial attacks
1. What are the basic known adversarial vulnerabilities of the technologies you're using?
2. How can you test likely attacks and harden existing and new solutions to be prepared for them?
3. What monitoring do you have in place to identify adversarial attacks?
Source: KPMG, Generative AI models: the risks and potential rewards in business, 2023

WORKING COLLABORATIVELY TO INCORPORATE THE DATA AND AI TRUSTED FRAMEWORK
There are a multitude of stakeholders throughout the organisation that require or are impacted by a Data and AI Trusted Framework, with the overarching objective of building and maintaining trust. It is essential to engage and work collaboratively with the various stakeholders across the organisation to start a collaborative dialogue to address the AI data risk challenges.
Stakeholder groups: C-Suite Executives | Programme Leads | Internal Depts.
- Chief Data Officer: I want to embed data ethics into the data culture, and showcase to our customers/clients the ethical considerations given to their data.
- Chief Risk Officer: I want to ensure data ethics principles and framework are incorporated into our policies and procedures in order to minimize and reduce business risk.
- Digital Transformation Lead: I want to ensure that we are accountable for an agreed and socialised data ethics framework that is understood organisation-wide.
- General Counsel: I want to ensure that the organisation is compliant with legislation and that there are appropriate measures in place to protect us from data ethics breaches.
- Data Privacy Officer: I want to ensure that our workforce follow their obligations under future and current legislation, and that a data ethics framework aligns with or enhances data controls.
- Chief Security Officer: In addition to safeguarding our organisation's data, I want to ensure that we maintain public trust by having a reputation as a good steward of data.
- Chief Compliance Officer: I want to monitor that the organisation and all employees comply with the internal and external policies that have been defined in consideration of an ethics framework.
- Product and Business Heads: I want our products and services to be aligned to data ethics, e.g. taking into account unfair bias in our datasets.
- Internal Audit Lead: I want to develop a clear audit to assess AAAI and associated data risk across our AAAI products and services.
- Chief Operations Officer: I want to embed data ethics into the design and implementation of our business strategies, plans and procedures.
- Board Executives and Data Science Community: I want data ethics to be included in our data strategy, frameworks and governance efforts.
- Human Resource Director: I want to evaluate and update our policies to incorporate data ethics so that our people and information are protected.
Source: KPMG, Trust - Responsible AI, Data and Ethics, 2023

KEY TAKEAWAYS
Go beyond Laws and Standards
- Active dialogue balancing permissibility of confidential, sensitive and personal data with ethical use
- Monitor regulatory guidance on designated high risk use cases (GDPR, EU AI Act)
- Watch for uses of AI that trigger hidden complications (e.g. third party services)
Protect Privacy to Build Trust
- Create plain language data usage agreements
- Provide transparency, explainability and auditability to model decisions
- Ensure security of infrastructure and consumer end points used by analytics
Manage Bias to Create Fairness
- Define techniques to seek out bias/imbalance in data used in machine learning
- Train decision-makers about sources of data bias and implications
- Acquire tooling to monitor the change in model outcomes
Create Accountability with People in the Loop
- Formal requirements and KPIs to drive prioritization of ethics
- Empower ethical responsibilities across the data supply chain and AI lifecycle
- Manage lineage of end point systems and users for distributed AI outputs
Source: Desk Research, KPMG Analysis

FIRESIDE CHAT: PRACTICAL STEPS TO ENABLE THE SAFE USE OF GENERATIVE AI
Panelists: Conor McCaffrey, Go to Market Lead, Securiti; Graham Thomas, Privacy Director, KPMG

ENABLING SAFE USE OF DATA AND AI
Learn more: AIGovernance.center (AI Governance Certification, Enroll Now). Resources addressing emerging regulations & the governance of AI.
Thank You
conor.mccaffrey@securiti.ai | graham.thomas@kpmg.co.uk | or visit DataCommand.Center

HOW DID THINGS GO? (WE REALLY WANT TO KNOW)
Did you enjoy this session? Is there any way we could make it better? Let us know by filling out a speaker evaluation.
1. Open the Cvent Events app.
2. Enter IAPP DPI24 (case and space sensitive) in the search bar.
3. Tap "Schedule" on the bottom navigation bar.
4. Find this session. Click "Rate this Session" within the description.
5. Once you've answered all three questions, tap "Done".
Thank you!
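Step 4 of the deck (Implement Data + AI Controls) calls for classification and redaction of data before it is handed to a model, with a card number reduced to its last four digits as the illustration. The following is an added example, not code from the deck or from any Securiti or KPMG product: a small pre-prompt filter that finds candidate card numbers, confirms them with the Luhn checksum so that look-alike order or ticket numbers are left alone, redacts to the last four digits, and records each finding for the AI system event log. The sample prompt and the card number in it are constructed.

```python
import re
from dataclasses import dataclass, field

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; cuts false positives such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class SanitizeResult:
    text: str                                   # prompt that may be sent to the model
    findings: list = field(default_factory=list)  # classification record for the event log


def sanitize_prompt(prompt: str) -> SanitizeResult:
    """Redact Luhn-valid card numbers before the prompt reaches the model."""
    findings = []

    def _redact(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw                          # not a card number: leave untouched
        findings.append({"type": "credit_card_number", "last4": digits[-4:]})
        return f"[CARD ****{digits[-4:]}]"      # keep last 4 for reference, as in the deck

    return SanitizeResult(text=_PAN_RE.sub(_redact, prompt), findings=findings)


# Constructed sample: a 16-digit order number (fails Luhn) next to a Luhn-valid card number.
SAMPLE_PROMPT = ("Refund order 1234 5678 9012 3456 paid with card 4000 0000 0004 3846, "
                 "customer asks why it failed.")

if __name__ == "__main__":
    result = sanitize_prompt(SAMPLE_PROMPT)
    print(result.text)
    print(result.findings)
```

The findings list is what a control like this would forward to the AI system event log described in Step 5, while only the redacted text goes on to the model.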