
Guidelines for securing AI models start to emerge
With securing artificial intelligence (AI) models set to become a major priority in the coming year, the number of guidelines available to help secure them is growing rapidly. The National Institute of Standards and Technology (NIST), for example, has published "Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations," a report describing the tactics and techniques cybercriminals are most likely to adopt as they attempt to compromise AI models.
At the same time, the Cloud Security Alliance (CSA) has launched an AI Safety Initiative in partnership with Amazon, Anthropic, Google, Microsoft, and OpenAI to create a coalition of AI security experts from industry, academia, and government agencies such as the Cybersecurity & Infrastructure Security Agency (CISA).
Earlier, CISA and the National Cyber Security Centre (NCSC) in the United Kingdom announced that they were also collaborating on guidelines for building secure AI systems, which have since been adopted by 21 other international agencies.
Each of these efforts should help organizations comply with an executive order from the Biden administration that established requirements for AI safety and security, including a requirement for NIST to set rigorous standards for extensive red-team testing to ensure safety before the public release of any foundation AI model that might pose a threat to national security. The Department of Homeland Security is also being tasked with applying those standards to critical infrastructure sectors and establishing an AI Safety and Security Board.
Collectively, these initiatives should help address some fundamental flaws in the way AI models are being developed and deployed in production environments. An AI model is, at its core, another type of software artifact, subject to the same supply-chain and vulnerability issues that plague other applications. Malware that cybercriminals inject into a software repository can quickly find its way into a model. The difference is that once such a compromise is discovered, retraining or rebuilding a model costs orders of magnitude more than patching an application.
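The practical consequence of treating a model as a software artifact is that it should be integrity-checked before it is ever loaded, exactly as a pinned dependency would be. The following is an added example, not code from the original post or from any of the organizations it mentions: a loader that refuses any model file whose SHA-256 digest is not pinned in a manifest or does not match it. The artifact name, the manifest layout and the tampering scenario in `demo()` are constructed for illustration; a hash pin like this catches a modified or swapped file but does not prove who published it, which is what a signature over the digest would add.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte weights need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, manifest):
    """True only if the artifact is pinned in the manifest and its digest matches.

    Unpinned files are refused rather than trusted by default: an attacker who
    can add a file to the repository must not get it loaded just by giving it
    a plausible name.  compare_digest avoids a timing side channel on the hex.
    """
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def load_model(path, manifest):
    """Gate the real loader behind the integrity check; raise instead of loading on failure."""
    if not verify_artifact(path, manifest):
        raise RuntimeError(f"refusing to load {path}: unpinned or digest mismatch")
    with open(path, "rb") as f:  # stand-in for the framework's own deserializer
        return f.read()


def demo():
    """Constructed scenario (hypothetical file names): pin a clean artifact,
    then simulate a repository compromise by appending bytes to it, and also
    try an artifact that was never pinned.  Returns the three verdicts."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "classifier-v3.bin")
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096)  # constructed stand-in for model weights
        manifest = {"classifier-v3.bin": sha256_file(path)}  # pinned at build time

        clean = verify_artifact(path, manifest)

        with open(path, "ab") as f:
            f.write(b"<injected payload>")  # what a compromised repo would deliver
        tampered = verify_artifact(path, manifest)

        extra = os.path.join(d, "helper-weights.bin")  # never pinned
        with open(extra, "wb") as f:
            f.write(b"\x01" * 64)
        unpinned = verify_artifact(extra, manifest)

        load_failed = False
        try:
            load_model(path, manifest)
        except RuntimeError:
            load_failed = True

    return {"clean": clean, "tampered": tampered, "unpinned": unpinned,
            "load_refused": load_failed}


if __name__ == "__main__":
    print(demo())
```

The manifest would normally be produced by the build pipeline and committed alongside the deployment configuration, so that changing a digest requires a reviewed change rather than a write to the artifact store.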
In addition, cybercriminals may deliberately poison the pool of data used to train a model so that it produces wrong or manipulated outputs. As a model's output becomes less reliable, an organization will place less trust in it than it would in a model trained on a pristine data set.
Cybersecurity professionals have a unique opportunity to insert themselves into the AI model development and deployment process before these models wind up pervasively embedded in almost every application. Rather than addressing issues in the wake of an incident, the goal should be to put in place the processes and practices needed to prevent tomorrow's incidents from occurring. There is, of course, no such thing as perfect security, but given the mission-critical nature of the applications involved, a proactive approach to AI security is already imperative.
The challenge, as always, is that the data scientists and developers building AI applications don't always have the greatest appreciation for security. In fact, cybersecurity professionals will need to seek out these projects, because many of the teams building AI models will, not surprisingly, treat cybersecurity as an afterthought. The good news is that, with the help of a few well-defined frameworks, cybersecurity teams should be better prepared to secure AI models than they were to secure earlier types of software artifact when those first emerged.
