Cybersecurity

Least Privilege access

Deployers of an AI system can restrict its permissions to a whitelisted set of predetermined options, such that all options not on the whitelist are not accessible to the AI [200, 146]. The entries on the whitelist can be chosen to be as small as possible for the AI system to fulfill its intended purpose, to reduce the attack surface of external attackers, and to decrease the probability that the AI system accidentally takes actions with large unintended side-effects

Protect proprietary or unreleased AI model architecture and parameters

The developers of AI models can invest in cybersecurity to prevent compute resources, training source code, model weights, and other critical resources from being accessed and copied by unauthorized third parties (e.g., through insider threats or supply chain attacks). Access to model source code and weights can be restricted through an access control scheme, such as role-based access control. If access to model outputs by third parties is required, it can be provided through an API. Air gaps can block unauthorized remote access. In the case of necessary interaction with an external network, network bandwidth limitations can also be enforced to increase the detection window of potential breaches [108].

Hardware limitations on data center network connections

Hardware-enforced bandwidth limitations on data center network connections can protect AI model weights from unauthorized access or exfiltration, by limiting the speed of model weight access on the connections between data centers and the outside world. Such limitations can be put in place in multiple ways, for example by only constructing connections with a specific bandwidth. The output rate on all data channels can be set low enough that copying the weights is possible in principle (e.g., to enable regular backups), but would take so long that an unauthorized exfiltration of the weights could be detected and prevented. Such rate-limiting is only effective if it applies to all output connections for all storage locations on which the weights of the model are stored [139].

Structured access to a model

Structured access refers to methods which limit users’ or deployers’ direct access to a model’s parameters by constraining access to a model through a centralized access point (e.g., an API) [88]. This access point can be monitored for usage, and access can be revoked to users or downstream deployers in cases of misuse [105]. Within this centralized access point, automated filtering-based monitoring can be done on both inputs and outputs to ensure the model’s intended use is preserved [36]. This filtering can sometimes be supplemented by human oversight, depending on desired robustness levels.

Structured access refers to methods which limit users’ or deployers’ direct access to a model’s parameters by constraining access to a model through a centralized access point (e.g., an API) [88]. This access point can be monitored for usage, and access can be revoked to users or downstream deployers in cases of misuse [105]. Within this centralized access point, automated filtering-based monitoring can be done on both inputs and outputs to ensure the model’s intended use is preserved [36]. This filtering can sometimes be supplemented by human oversight, depending on desired robustness levels.

AI systems can be developed and tested within a sandbox, (a secure and isolated environment used for separating running programs), such that outside access to information within the sandbox is restricted. Within this environment, resources such as storage and memory space, and network access, would be disallowed or heavily restricted [15]. With sandboxing, dangerous or harmful outputs generated during testing will be contained.