Use technologies that minimize, de-identify, or restrict use of PII data in training or evaluating models.

Ensure that all data used to train and evaluate models is authorized for the intended purposes.

Detect and remove or remediate poisoned or sensitive data in training and evaluation.

Store, process, and use all user data (e.g. prompts and logs) from AI applications in compliance with user consent.

Ensure that all data, code, models, and transformation tools used in AI applications are inventoried and tracked.

Minimize internal access to models, weights, datasets, etc. in storage and in production use.

Ensure that all data, models, and code used to produce AI models are verifiably integrity-protected during development and deployment.

Use secure-by-default frameworks, libraries, software systems, and hardware components for AI development or deployment to protect confidentiality and integrity of AI assets and outputs

Block or restrict adversarial queries to AI models.

Block, nullify, or sanitize insecure output from AI models before passing it to applications, extensions or users.

Use techniques to make AI models robust to adversarial inputs (i.e. prompts) in the context of their use in applications.

Ensure that only authorized users and endpoints can access specific resources for authorized actions.

Inform users of relevant AI risks with disclosures, and provide transparency and control experiences for use of their data in AI applications.

Ensure user approval for any actions performed by agents/plugins that alter user data or act on the user’s behalf.

Use least-privilege principle as the upper bound on agentic system permissions to minimize the number of tools that an agent is permitted to interact with and the actions it is allowed to take. An agentic system’s use of privileges should be contextual and dynamic, adapting to the specific user query and trusted contextual information. This design also applies to agents that have access to user information. For example, an agent asked to fill out a form or answer questions should share only contextually appropriate information and can be designed to dynamically minimize exposed data using reference monitors.

Ensure an agent's actions, tool use, and reasoning are transparent and auditable through logging, allowing for debugging, security oversight, and user insights into agent activity.

Identify security and privacy improvements through self-driven adversarial attacks on AI infrastructure and products.

Proactively and continually test and monitor production infrastructure and products for security and privacy regressions.

Detect and alert on internal or external attacks on AI assets, infrastructure, and products.

Manage response to AI security and privacy incidents.

Publish easy to understand AI security and privacy policies and education for users.

Publish comprehensive AI security and privacy policies and education for your employees.

Validate that all AI models and products meet the established security and privacy requirements.

Inventory, measure, and monitor residual risk to AI in your organization.