Cryptographic protections, access controls, and hardware security.
Also in Non-Model
Use the least-privilege principle as the upper bound on an agentic system's permissions, minimizing the set of tools the agent may interact with and the actions it may take. The agent's use of those privileges should be contextual and dynamic, adapting to the specific user query and to trusted contextual information. The same design applies to agents that have access to user information: an agent asked to fill out a form or answer questions should share only contextually appropriate information, and it can be designed to dynamically minimize the data it exposes by routing access through reference monitors.
- **Who can implement:** Model Consumers
- **Risk mapping:** [Insecure Integrated System](https://saif.google/secure-ai-framework/risks#insecure-integrated-component), [Sensitive Data Disclosure](https://saif.google/secure-ai-framework/risks#sensitive-data-disclosure), [Rogue Actions](https://saif.google/secure-ai-framework/risks#rogue-actions)
Reasoning
Restricts agent tool access and actions through runtime permission constraints derived from the least-privilege principle, so that the agent's effective permissions never exceed what the current task requires.
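The control above is easiest to see as a reference monitor that sits between an untrusted agent plan and the tools it wants to call. The following Python is an added illustration, not code from SAIF or from Google: the task labels, tool names, user record and policy table are all constructed for the demo. The task label is taken from trusted context (the application that launched the agent), not from the model's output; the monitor denies by default, minimizes inbound data to the fields the task may see, refuses outbound arguments that carry a value outside that bound, and records an audit trail.

```python
"""Reference monitor bounding an agent's tools and data by task (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable

# Constructed user record with placeholder values, not real data.
USER_RECORD: dict[str, str] = {
    "name": "Alex Example",
    "street": "1 Sample Road",
    "city": "Exampleville",
    "dob": "1990-01-01",
    "ssn": "000-00-0000",
}

# Tools the agent could invoke. Registration is not permission: the monitor
# grants each tool per task from TASK_POLICY below.
def read_profile() -> dict[str, str]:
    return dict(USER_RECORD)

def submit_form(**fields: Any) -> str:
    return f"form accepted with {len(fields)} field(s)"

def send_email(to: str, body: str) -> str:
    return f"sent to {to}"

TOOLS: dict[str, Callable[..., Any]] = {
    "read_profile": read_profile,
    "submit_form": submit_form,
    "send_email": send_email,
}

# Assumed per-task upper bound: tools that may run and record fields that may
# leave the monitor. The task label must come from trusted context (e.g. the
# application that launched the agent), never from the model's own output.
TASK_POLICY: dict[str, dict[str, set[str]]] = {
    "fill_shipping_form": {"tools": {"read_profile", "submit_form"},
                           "fields": {"name", "street", "city"}},
    "answer_age_question": {"tools": {"read_profile"}, "fields": {"dob"}},
}


class PolicyViolation(Exception):
    """The agent requested something outside its task's bound."""


@dataclass
class ReferenceMonitor:
    """Every tool call is mediated here; the default decision is deny."""

    task: str
    audit: list[tuple[str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.task not in TASK_POLICY:
            raise PolicyViolation(f"no policy for task {self.task!r}")

    def minimize(self, record: dict[str, Any]) -> dict[str, Any]:
        """Inbound minimization: drop fields the task may not see."""
        allowed = TASK_POLICY[self.task]["fields"]
        return {k: v for k, v in record.items() if k in allowed}

    def call(self, tool: str, **kwargs: Any) -> Any:
        policy = TASK_POLICY[self.task]
        if tool not in TOOLS or tool not in policy["tools"]:
            self.audit.append((tool, "denied"))
            raise PolicyViolation(f"{tool!r} not permitted for task {self.task!r}")
        # Outbound check: a permitted tool must not carry a value the task
        # was never allowed to disclose (e.g. a field the model guessed).
        restricted = {v for k, v in USER_RECORD.items() if k not in policy["fields"]}
        if any(isinstance(v, str) and v in restricted for v in kwargs.values()):
            self.audit.append((tool, "denied"))
            raise PolicyViolation("argument carries data outside the disclosure bound")
        result = TOOLS[tool](**kwargs)
        if isinstance(result, dict):
            result = self.minimize(result)
        self.audit.append((tool, "allowed"))
        return result


def run_agent(task: str, plan: list[tuple[str, dict[str, Any]]]) -> dict[str, Any]:
    """Run an untrusted agent plan through the monitor; report results, denials, audit."""
    monitor = ReferenceMonitor(task)
    results: dict[str, Any] = {}
    denied: list[str] = []
    for tool, kwargs in plan:
        try:
            results[tool] = monitor.call(tool, **kwargs)
        except PolicyViolation:
            denied.append(tool)
    return {"results": results, "denied": denied, "audit": monitor.audit}
```

The point of the structure is that the agent's plan is treated as untrusted input: the same `read_profile` call returns different projections of the record depending on the task, a tool that is registered but not granted (`send_email`) is refused regardless of how the model justifies it, and a granted tool cannot be used to exfiltrate a value the task never exposed. The audit list gives the detection side something concrete to alert on when an agent repeatedly hits its bound.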
- **Privacy Enhancing Technologies**: Use technologies that minimize, de-identify, or restrict use of PII data in training or evaluating models. (1.1.1 Training Data)
- **Training Data Management**: Ensure that all data used to train and evaluate models is authorized for the intended purposes. (2.3.2 Access & Security Controls)
- **Training Data Sanitization**: Detect and remove or remediate poisoned or sensitive data in training and evaluation. (1.1.1 Training Data)
- **User Data Management**: Store, process, and use all user data (e.g. prompts and logs) from AI applications in compliance with user consent. (2.3.2 Access & Security Controls)
- **Model and Data Inventory Management**: Ensure that all data, code, models, and transformation tools used in AI applications are inventoried and tracked. (2.3.2 Access & Security Controls)
- **Model and Data Access Controls**: Minimize internal access to models, weights, datasets, etc. in storage and in production use. (2.3.2 Access & Security Controls)

Google Secure AI Framework
Google (2024)
SAIF is Google’s Secure AI Framework, which offers guidance for building and deploying AI responsibly. As AI technology rapidly advances and threats continually evolve, the challenge of protecting AI systems, applications, and users at scale requires that developers have a high-level understanding of AI-specific privacy and security risks in addition to established secure coding best practices. SAIF describes Google’s approach for addressing AI risks—including security of data, models, infrastructure, and applications involved in building AI—and is aligned with Google's Responsible AI practices, to keep more people safe online. SAIF is designed to help mitigate risks specific to AI systems like model exfiltration, data poisoning, injecting malicious inputs through prompt injection, and sensitive data disclosure from training data.
- **Operate and Monitor**: Running, maintaining, and monitoring the AI system post-deployment
- **User**: Individual or organisation that directly uses the AI system
- **Manage**: Prioritising, responding to, and mitigating AI risks