Compliance and data privacy: the AWS GenAI Security Scoping Matrix.
Use the scopes to frame your compliance story, plus an example of auditing with GenAI.
This week we review the AWS Generative AI Security Scoping Matrix from the Governance & Compliance and Legal & Privacy angles, with the latest updates as of July 2024.
Data Privacy Considerations by Scope
Scopes 1 & 2: Consumer and Enterprise Apps
Data Classification: Understand what data is used within the application and its classification level.
Access Control: Ensure the provider offers role-based access control aligned with your organization's structure.
Data Usage: Clarify how the provider uses your data (prompts and responses) and for what purpose (service improvement, model training).
Data Location: Determine data storage jurisdictions and any cross-border data transfer policies.
Scopes 3 & 4: Building Applications with Pre-trained or Fine-tuned Models
Access Control: Implement robust access control on data sources used for RAG to prevent unauthorized access.
Prompt and Response Handling: Understand how the model provider handles sensitive data in inputs and outputs.
Data Location: Clarify data storage, processing locations, and adherence to data localization requirements.
Training Data Source (Fine-tuning):
Carefully select training data to avoid incorporating sensitive information that is difficult to remove later.
Recognize that data baked into a fine-tuned model cannot be segregated per user at inference time: access control can only be enforced on who may invoke the model, not on individual records, so anything fine-tuned in is visible to every caller.
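As an added example (not code from the original post or from AWS), here is a retrieval-time authorization filter for a RAG data source. The corpus, the classification ladder, the group labels and the term-overlap scorer standing in for a vector index are all constructed for illustration. The point it demonstrates is the one the scope 3 & 4 guidance makes: with RAG you can filter before ranking so that unauthorized chunks never compete for top-k slots and never reach the prompt, and you can fail closed on unknown labels; none of that is possible once the same data has been fine-tuned into the weights.

```python
import re
from dataclasses import dataclass

# Hypothetical classification ladder; higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    classification: str   # one of LEVELS
    groups: frozenset     # groups allowed to read; empty = no group restriction


@dataclass
class Principal:
    user: str
    clearance: str
    groups: frozenset


# Constructed corpus for the example (not real data).
CORPUS = [
    Doc("kb-1", "Product pricing tiers and public feature list", "public", frozenset()),
    Doc("kb-2", "Sales playbook: customer objections and discount approvals", "internal", frozenset({"sales"})),
    Doc("kb-3", "Q2 customer revenue by account, board pack", "confidential", frozenset({"finance"})),
    Doc("kb-4", "HR policy on customer-facing travel expenses", "internal", frozenset({"hr", "sales"})),
]


def authorized(p: Principal, d: Doc) -> bool:
    """Deny by default: the caller must meet the document's classification level
    AND belong to an allowed group (if the document lists any). Unknown labels fail closed."""
    if LEVELS.get(p.clearance, -1) < LEVELS.get(d.classification, 99):
        return False
    return not d.groups or bool(p.groups & d.groups)


def _tokens(s: str) -> set:
    return set(re.findall(r"[a-z0-9]+", s.lower()))


def score(query: str, d: Doc) -> int:
    """Toy relevance: number of shared tokens (a vector similarity would go here)."""
    return len(_tokens(query) & _tokens(d.text))


def retrieve(query: str, p: Principal, k: int = 2):
    """Filter BEFORE ranking so unauthorized documents never occupy top-k slots.
    Returns (hit ids, excluded ids) so exclusions can be logged for audit."""
    allowed = [d for d in CORPUS if authorized(p, d)]
    excluded = [d.doc_id for d in CORPUS if not authorized(p, d)]
    ranked = sorted(allowed, key=lambda d: score(query, d), reverse=True)
    hits = [d.doc_id for d in ranked[:k] if score(query, d) > 0]
    return hits, excluded


def build_prompt(query: str, p: Principal, k: int = 2) -> str:
    """Only authorized, retrieved chunks are ever placed in the model context."""
    hits, _ = retrieve(query, p, k)
    ctx = "\n".join(f"[{d.doc_id}] {d.text}" for d in CORPUS if d.doc_id in hits)
    return f"Answer using only the context below.\n{ctx}\n\nQuestion: {query}"


if __name__ == "__main__":
    sales_rep = Principal("sam", "internal", frozenset({"sales"}))
    print(retrieve("customer revenue", sales_rep))   # kb-3 is excluded before ranking
    print(build_prompt("customer revenue", sales_rep))
```

Filtering after ranking would be wrong for two reasons: a confidential document can crowd an authorized one out of the top-k, and the excluded text still flows through the retrieval pipeline (caches, traces, logs) before it is dropped. Applying the same check to the fine-tuned model in scope 4 is not possible, which is why the training-data selection step above matters.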
Scope 5: Self-built and Trained Models
Model Provider Responsibility: You assume all responsibilities of a model provider, including:
Data source transparency, copyright compliance, and data usage agreements.
Data cleaning, validation, and mitigation of harmful bias or misleading content.
Compliance with all relevant regulatory and ethical considerations.
Key Compliance Themes and Actionable Steps
1. Data Privacy
Action: Minimize data collection to only what is absolutely necessary.
Resources:
ICO's Eight Questions for Developers
AWS Macie
AWS S3 from AWS Labs
Financial Services Data Cleansing Example
Bedrock Opt-in Data Usage
2. Transparency and Explainability
Action: Disclose AI usage to customers, document data sources and model creation processes, and offer alternatives for interaction (e.g., human support).
Resources:
ISO 42001 Standard for AI Governance
Standard Contractual Clauses for Data Protection
AWS Generative AI Best Practices & Audit Manager (more below)
SageMaker Clarify
3. Automated Decision Making and Human Oversight
Action: Ensure human oversight for AI-driven decisions with legal impact, provide a right of appeal for individuals, and implement mechanisms for detecting and mitigating potential bias.
Resources:
ICO Guidance on Maintaining Individual Rights in AI Systems
AWS Step Functions for Human Intervention in Workflows
4. Regulatory Classification
Action: Understand the risk classification of your AI workload based on its potential impact and adhere to relevant regulations (e.g., outright bans, high-risk designations).
Resources:
European Union AI Act (adopted; in force from 1 August 2024)
OECD AI Principles and OECD.AI resources on generative AI
ICO List of High-Risk AI Workloads
5. Profiling
Action: Minimize the use of sensitive personal data for profiling and ensure compliance with regulations protecting individual rights.
Resources:
ICO Guidance on Automated Decision Making and Profiling
6. Safety
Action: Prioritize safety in AI systems that could pose risks to life or property, implement rigorous testing, and consider independent verification.
Resources:
President Biden's Executive Order 14110 on Safe, Secure, and Trustworthy AI
UK AI Safety Institute
Others:
Risk management:
NIST AI Risk Management Framework (AI RMF)
OWASP Top 10 for LLM Applications
Demo: GenAI audit | AWS CloudTrail
Learn more about a step-by-step process for compliance and security investigation with GenAI on AWS, following Saavi, a compliance and security engineer whose tasks include:
AWS audit reporting;
AWS resource compliance;
AWS security investigation;
AWS operational troubleshooting.
We dive deep into her daily job by walking through three steps:
Identify the S3 buckets that are not compliant.
Identify the users whose actions led to the non-compliance.
Analyze all actions taken by that user to determine the next step.
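The three steps above, carried out over CloudTrail records, as an added example that is not from the original post or from AWS. The records are constructed for the example and follow the CloudTrail event field names (eventTime, eventSource, eventName, userIdentity.arn, requestParameters, sourceIPAddress) with only the fields the triage needs populated; the "non-compliant" definition used here, a bucket whose public access block was deleted, whose ACL was set to a public canned ACL, or whose bucket policy allows Principal "*", is an assumption chosen for illustration, not the only compliance rule you might audit against.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (not real logs).
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-bob", "userName": "dev-bob"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/fin-alice", "userName": "fin-alice"}

SAMPLE_EVENTS = [
    {"eventTime": "2024-07-08T09:12:01Z", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": BOB, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "genai-rag-corpus"}},
    {"eventTime": "2024-07-08T09:15:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketPublicAccessBlock",
     "userIdentity": BOB, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "genai-rag-corpus"}},
    {"eventTime": "2024-07-08T09:16:10Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": BOB, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "genai-rag-corpus", "x-amz-acl": ["public-read"]}},
    {"eventTime": "2024-07-08T09:20:03Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": BOB, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "genai-rag-corpus", "key": "customers.csv"}},
    {"eventTime": "2024-07-08T10:02:30Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": ALICE, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "finance-exports", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/Analyst"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-exports/*"}]}}},
]

# Canned ACLs that grant access beyond the account (assumed rule for this example).
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def _policy_is_public(policy):
    """True if any Allow statement grants access to Principal "*" (anonymous)."""
    if isinstance(policy, str):          # tolerate a policy carried as a JSON string
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values()):
            return True
    return False


def exposure_reason(event):
    """Step 1 predicate: why this S3 control-plane call weakens a bucket's posture, or None."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return None
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "DeleteBucketPublicAccessBlock":
        return "public access block removed"
    if name == "PutBucketAcl":
        acls = PUBLIC_ACLS & set(_as_list(params.get("x-amz-acl")))
        return f"public ACL {sorted(acls)}" if acls else None
    if name == "PutBucketPolicy" and _policy_is_public(params.get("bucketPolicy") or {}):
        return "bucket policy allows Principal *"
    return None


def find_noncompliant_buckets(events):
    """Step 1: bucket -> [(eventTime, actor ARN, reason)], oldest first."""
    findings = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        reason = exposure_reason(e)
        if reason:
            findings[e["requestParameters"]["bucketName"]].append(
                (e["eventTime"], e["userIdentity"].get("arn"), reason))
    return dict(findings)


def responsible_actors(findings, bucket):
    """Step 2: distinct principals whose calls made the bucket non-compliant, in order of first action."""
    actors = []
    for _, arn, _ in findings.get(bucket, []):
        if arn not in actors:
            actors.append(arn)
    return actors


def actor_timeline(events, arn):
    """Step 3: every call by that principal across all services, oldest first."""
    return [(e["eventTime"], e["eventSource"], e["eventName"],
             (e.get("requestParameters") or {}).get("bucketName"), e.get("sourceIPAddress"))
            for e in sorted(events, key=lambda e: e["eventTime"])
            if e.get("userIdentity", {}).get("arn") == arn]


if __name__ == "__main__":
    findings = find_noncompliant_buckets(SAMPLE_EVENTS)
    for bucket, hits in findings.items():
        print(f"non-compliant bucket: {bucket}")
        for arn in responsible_actors(findings, bucket):
            print(f"  actor: {arn}")
            for row in actor_timeline(SAMPLE_EVENTS, arn):
                print("   ", *row)
```

To run this over real data, load a CloudTrail log file and pass `json.load(f)["Records"]` in place of SAMPLE_EVENTS; the same predicates translate directly into a CloudTrail Lake or Athena query once the rule is agreed. The timeline in step 3 is what an analyst (or a GenAI assistant prompted with it) uses to decide whether this was an accident by a developer or something that needs incident response: here the same user created the bucket, removed its public access block, made it public-read and then uploaded customers.csv within eight minutes.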