Is this AI tool secure? Here are the most important answers to look for.
Understanding whether a tool using AI will securely handle your data can be hard. Here is the information you should be looking for.
Is this AI tool secure? You shouldn't leave it to chance: check it. I recently had to assess the security measures of an AI service. Here are the answers I look for when I assess an AI tool:
1. Where is my data stored?
Here I’m looking for the location: are the servers and databases hosted in a cloud? Which provider, e.g. AWS?
2. What data goes into the tool?
I want to know the type of data collected, the metadata, and how it is protected (encryption at rest and in transit). A quick self-check for encryption in transit is sketched below.
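Encryption at rest you can usually only verify through documentation or audit reports, but encryption in transit is partially checkable from the outside. Here is a minimal sketch, using only Python's standard library, that reports the TLS version and cipher a vendor endpoint negotiates (the hostname is a placeholder, not a real vendor):

```python
import socket
import ssl

def check_tls(host: str, port: int = 443) -> None:
    """Connect to host:port and report the negotiated TLS version and cipher."""
    context = ssl.create_default_context()  # also verifies the certificate chain
    with socket.create_connection((host, port), timeout=5) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            # Anything below TLS 1.2 would be a red flag today.
            print(f"{host}: {tls.version()}, cipher: {tls.cipher()[0]}")

# Placeholder hostname; point this at the vendor's actual app or API domain.
check_tls("vendor.example.com")
```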
3. Can company staff access the data without permission?
I’m expecting that the vendor does not access user content by default, except for support purposes and only with the user’s permission. If the vendor does not make this clear, it’s a red flag.
4. Do they use our data to train their AI?
THIS is really important: let's say the AI tool relies on the OpenAI API to operate. Did the vendor sign a data processing agreement (DPA) that ensures user data isn't used for training purposes?
5. What's the data retention policy of the AI provider? Is the data retained for 0 days? 30 days? Forever?
This is tied to which AI provider they use. For example, if they mention the OpenAI API as the model behind their AI features, retention is either 30 days (the default) or 0 days (if they negotiated a zero-data-retention agreement with OpenAI).
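A useful way to reason about this: your data's effective retention is the longest retention anywhere in the chain, whether at the vendor or at the upstream AI provider. A tiny sketch with illustrative numbers (only the 30-day OpenAI API default is a documented figure; the rest are assumptions):

```python
def effective_retention_days(*days: float) -> float:
    """Data exists somewhere until the slowest party deletes its copy,
    so the effective retention is the maximum across the chain."""
    return max(days)

# Assumed: vendor keeps chat logs 90 days; upstream provider keeps 30 (OpenAI's default).
print(effective_retention_days(90, 30))  # -> 90
# Vendor claims "we store nothing", but the upstream provider still keeps 30 days.
print(effective_retention_days(0, 30))   # -> 30
```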
6. What subprocessors do they use? Where is the data flowing, and does the purpose of these data transfers look consistent and proportionate to the product?
I expect the vendor to publish a list with each subprocessor's name, location, the purpose it is used for, and its website for more information.
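When that list exists, it's worth keeping your own copy in a vendor register so you can review purposes and locations over time. A minimal sketch of such a register in Python; the entries are hypothetical, not any real vendor's subprocessors:

```python
from dataclasses import dataclass

@dataclass
class Subprocessor:
    """One entry in a subprocessor register: who, where, why, and where to read more."""
    name: str
    location: str
    purpose: str
    info_url: str

# Hypothetical entries for illustration; use the vendor's published list.
register = [
    Subprocessor("ExampleCloud", "EU (Frankfurt)", "Application hosting",
                 "https://examplecloud.example/security"),
    Subprocessor("ExampleLLM", "US", "Model inference for AI features",
                 "https://examplellm.example/privacy"),
]

for sp in register:
    # Review each transfer: does the purpose look proportionate to the product?
    print(f"{sp.name} ({sp.location}): {sp.purpose} -> {sp.info_url}")
```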
7. Can we choose the location where the data will be stored?
For GDPR compliance, I’m looking for the option to host data in the EU. If the vendor lets you choose the storage location, that’s a promising sign.
8. Is this vendor compliant with key data protection regulations and security frameworks? GDPR? Do they have a SOC 2 Type 2 report?
Ideally, they should allow us to verify such claims. Some vendors share their SOC 2 Type 2 reports if you first sign an NDA.
9. What are the data security measures they have in place? As Walter Haydock suggested, if they have a vulnerability disclosure policy or a bug bounty program, that's a good sign.
10. Are they transparent about data retention?
The vendor’s data retention policy should be clear: how long they keep your data in their database, how much control you have over it, and how they actually ensure it is deleted once the deadline is reached. One way to spot-check this yourself is sketched below.
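If the vendor lets you export your records with creation timestamps (many export features do), you can check whether anything has outlived the stated retention period. A minimal sketch, assuming a 30-day policy and a hypothetical export:

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # assumed policy; use the vendor's stated value

def overdue_records(records: list[tuple[str, datetime]]) -> list[str]:
    """Return IDs of records that have outlived the retention period."""
    cutoff = datetime.now(timezone.utc) - RETENTION
    return [rec_id for rec_id, created_at in records if created_at < cutoff]

# Hypothetical export: one record is 45 days old and should already be gone.
exported = [
    ("rec_001", datetime.now(timezone.utc) - timedelta(days=45)),
    ("rec_002", datetime.now(timezone.utc) - timedelta(days=5)),
]
print(overdue_records(exported))  # -> ['rec_001']
```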
OK, the list is already long. But as you can see, these are questions we can almost always ask when analyzing an AI tool.
Of course, this will not guarantee security. Let me say it again: even if the vendor’s website or your questions give you all the answers, it doesn’t mean that going with the vendor will necessarily be secure.
Evidence remains key, which is why a vendor’s ability to share a SOC 2 Type 2 report matters, as does negotiating the right to audit the vendor.
I believe that performing such checks and basing decisions on these security verifications lets us stay open to innovation while remaining aware of the risks and mitigating them in line with our risk appetite.
What do you think? AI security risks are an emerging risk category with its own challenges, so it’s sometimes hard to navigate, and uncertainty about a provider’s security never reaches zero.
I’m enthusiastic about initiatives that give us better visibility into the risks of relying on a vendor that uses AI.
On the same topic, I just found a post on the questions we can ask potential AI vendors to understand how they protect our data. I recommend giving it a look.
Securely,
Tristan