AICM Atlas · CSA AI Controls Matrix
DSP · Data Security and Privacy Lifecycle Management
DSP-24 · AI-Specific

Data Differentiation and Relevance

Specification

Ensure training-data differentiation and relevance to the intended use of the AI Model.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Data collection, Data storage, Data curation

Development

Design, Training, Guardrails

Evaluation

Evaluation, Validation/Red Teaming, Re-evaluation

Deployment

Orchestration, AI Services supply chain, AI applications

Delivery

Operations, Continuous monitoring, Continuous improvement

Retirement

Data deletion, Archiving

Ownership / SSRM

PI

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.

Model

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.

Orchestrated

Shared Model Provider-Orchestrated Service Provider (Shared MP-OSP)

The MP and OSP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Application

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.

Implementation guidelines

[All Actors]
1. Data Assessment and Classification - Implement data quality assessment frameworks such as Data Quality for AI (DQAI framework) that evaluate AI aspects like correctness, completeness, consistency, timeliness, and bias.

2. Use-case Alignment
a. Define the real-world problem the AI is being designed to solve, and document the AI objective and expected output; this will determine the selection of the dataset for the AI model.
b. Evaluate the relevance of training data periodically to ensure it aligns with the defined business use case.

3. Monitoring - Implement a feedback loop among all stakeholders to monitor and obtain feedback on model behavior.

Auditing guidelines

1. Verify if the infrastructure provider complies with applicable privacy regulations and updates policies to reflect evolving AI governance and compliance standards.

2. Verify that data governance policies are adhered to within infrastructure services, including compliance with privacy regulations.

3. Verify that mechanisms exist to protect sensitive information and maintain data integrity at the infrastructure level.

4. Verify if continuous monitoring tools track the performance and integrity of AI-related data and systems hosted on the infrastructure.

Standards mappings

ISO 42001 · No Gap
42001: A.4.3 Data Resource
42001: A.5.5 Assessing societal impacts of AI systems
42001: A.6.1.3 Processes for responsible design and development of AI systems
42001: A.7.2 Data for development and enhancement of AI system
42001: A.7.3 Acquisition of data
42001: A.7.4 Quality of data for AI systems
Addendum

N/A

EU AI Act · No Gap
Article 10 (2)
Article 10 (3)
Article 15
Addendum

N/A

NIST AI 600-1 · No Gap
GV-1.1-001
MG-2.2-004
MP-4.1-004
MS-1.1-007
MS-2.2-001
MS-2.5-005
MS-2.10-003
MS-2.11-005
Addendum

N/A

BSI AIC4 · No Gap
DQ-01
DQ-02
DQ-03
Addendum

N/A

AI-CAIQ questions (1)

DSP-24.1

Is training-data differentiation and relevance to the intended use of the AI Model ensured?