Cybersecurity meets
AI and GenAI
October 2024
© 2024. For information, contact Deloitte Global.
Table of contents
1 Dimensions of Cybersecurity within AI and GenAI
2 AI and GenAI induced change in Cybersecurity threat landscape
3 Cybersecurity for AI and GenAI Framework
4 AI and GenAI Cybersecurity roadmap – discover your next steps
5 Cybersecurity for AI and GenAI Framework legend
Cybersecurity considerations with regards to Artificial Intelligence (AI) and Generative AI (GenAI) have to be
viewed from three different angles: Securing AI and GenAI Systems, using AI and GenAI for improving
Cybersecurity, and using AI and GenAI for malicious actions.
Dimensions of Cybersecurity within AI and GenAI
Cybersecurity For AI and GenAI
Protecting AI and GenAI systems from Cybersecurity threats, by providing guidance to secure implemented or planned AI and GenAI use-cases.

Cybersecurity With AI and GenAI
Improving Cybersecurity capabilities and boosting Cybersecurity processes by including AI and GenAI.

Cybersecurity From AI and GenAI
Changing Cybersecurity threat landscape due to launch of more sophisticated and new kinds of cyberattacks.
[Figure: “Trusted & Secure AI” diagram with three segments (Cybersecurity For AI and GenAI, Cybersecurity With AI and GenAI, Cybersecurity From AI and GenAI). Labels: Use Case Ideation & Development; AI and GenAI Training & Labs; Cybersecurity for AI and GenAI Framework; Focus of the following; “Futurecasting” AI and GenAI Tabletop Exercises; AI Threat Intel & Attack Surface Management.]
The rise of AI and GenAI not only comes with new opportunities but also with a change in security-related
threats that will continue to evolve, making it imperative to secure AI systems.
AI and GenAI induced change in Cybersecurity threat landscape*
Cybersecurity Threat Landscape
The increasing usage and availability of AI and GenAI is changing the Cybersecurity threat landscape. On the one hand, it enables attackers to increase the frequency, efficiency and complexity of their attacks by using AI and GenAI; on the other hand, it is leading to completely new threats to AI and GenAI systems, such as adversarial attacks.

Moreover, the attack surface presented by AI and GenAI solutions is unfamiliar territory for many. It is not only the infrastructure, data and application that require safeguarding, but also the underlying model on which any AI and GenAI system is built. The model contains a great deal of sensitive information and requires additional protection. Additionally, the increasing amount of data being processed and stored is leading to an increasing focus on data security.
[Figure labels: Attacker; Application; Model; Infrastructure; Data]
*based on ISO standard (ISO/SAE42001:2023), OWASP (threats for LLM and ML) and ENISA publications
Based on the publications of OWASP, ISO and ENISA, Deloitte consolidated the Top 10 threats for AI and
GenAI.
AI and GenAI is expanding the Cybersecurity threat landscape*
Current AI and GenAI threats:

Excessive agency abuse
Causing AI applications to gain excessive authority, or using such authority to perform unintended actions beyond desired functionality.

Model inversion
Utilizing an AI model's output to reconstruct sensitive data samples used for training, effectively reverse-engineering the model to extract information.

Model poisoning
Directly manipulating an AI model's parameters to influence its behavior negatively.

Model stealing
Unauthorized access, copying, or exfiltration of an AI model.

Input injection
Compromising AI applications with malicious inputs that override controls or alter model behavior, e.g. prompt injection for Large Language Models (LLMs).

Training data poisoning
Introducing vulnerabilities or biases into AI models by tampering with their training data, compromising security, effectiveness, or ethical behavior.

Information breach
Unauthorized exposure of private data and/or metadata leading to unwarranted data access, privacy (GDPR) violations, and security breaches.

Supply chain vulnerabilities
Incorporating compromised or insecure third-party components, like third-party datasets, pre-trained models, and plugins, leading to security risks.

Adversarial examples
Utilizing adversarial learning to create malicious inputs which deceive AI models during the inference phase, e.g. by causing a misclassification.

Model denial of service
Triggering resource-intensive operations through inputs that lead to AI model disruptions.
Overarching & AI and GenAI domain specific security capabilities ensure the secure development,
implementation, and usage of AI and GenAI solutions.
Cybersecurity for AI and GenAI Framework*
AI and GenAI Domains
The domains constitute the core structure of AI and GenAI systems and are used to cluster security capabilities.
• The Data Domain includes all data handled by the model during training, testing, validation, and for inference after deployment.
• The AI and GenAI Model Domain involves the model architecture, training, testing and validation processes, in addition to the model’s unique parameters.
• The Application Domain is the external layer of the AI and GenAI system that hosts the model and sits on the infrastructure. It serves as the user interface.
• The Infrastructure Domain encompasses the underlying hardware and networking components that are used for developing and hosting the AI and GenAI system.

AI and GenAI Security Capabilities
A Security Capability is a category for grouping controls that are designed to help address specific Cybersecurity threats in each domain.
• Data Integrity & Quality
• Data Lineage & Provenance
• Model Security Testing
• Adversarial Machine Learning
• Model Access Controls
• User Access Controls
• Application Logging & Monitoring
• Model Behavior Monitoring
• Application Architecture Sec.
• Network Security
• Infrastructure Security
• Cloud Security
• Secure Model Development
• User Abuse Monitoring
• Data Privacy & Privacy Enhancing Technologies

Overarching Security Capabilities
Capabilities to maintain the security of AI and GenAI solutions across all domains.

Lifecycle Security
• Secure supply chain
• Secure development process
• Data loss prevention (DLP)
• Asset management

Governance, Risk & Compliance
• Regulatory compliance
• Third-party risk management
• AI and GenAI security risk management
• AI and GenAI specific policies, standards & architecture
• Business continuity management
The AI and GenAI Cybersecurity Roadmap is designed to help organizations on the journey toward secure
implementation, deployment, and usage of AI and GenAI applications.
AI and GenAI Cybersecurity roadmap – discover your next steps
01 Hold an AI and GenAI Cybersecurity lab
Understand the basics: delve into foundational concepts of Cybersecurity for AI and GenAI, including threat landscape, encryption, network security, and access controls, with AI labs and future casting tabletop exercises (TTX).
Familiarize yourself with AI and GenAI: gain a basic understanding of AI and GenAI principles and their implementation, algorithms, and applications in Cybersecurity.

02 Assess your AI risk level (AIRL)
Measure your maturity/risk level: to gauge your organization's readiness and maturity, we have devised a broad assessment and security Framework. Deloitte's solution can help you define the AIRL of each component you are hoping to secure, scoring it on a 1 to 5 scale. Your components’ AIRL will inform the specific control families to be considered and prioritized.

03 Identify tailored Security controls
Identify the tailored set of Cybersecurity controls. Deloitte’s Cybersecurity for AI and GenAI Framework has over 500 controls from legislation, industry standards, and existing frameworks mapped to four domains to meet the needs of your AIRL.

04 Implement tailored Security controls
Begin with individual quick wins: Deloitte’s approach begins with implementing individual quick wins derived from our maturity assessment to focus on near-term security enhancements. These quick wins are actionable steps that are designed to help you yield significant improvements in your security posture.

05 Engage in continuous monitoring
Actively monitor your AI and GenAI systems. Though implementing tailored security controls is crucial to harden your AI and GenAI systems against threats, the ever-evolving threat landscape and new legislation/regulations are pushing organizations to continuously monitor their environments to stay abreast of attacks. To bolster your confidence in the security of your AI systems, Deloitte’s attack surface monitoring (ASM), threat intel, and AI red teaming services are next steps to help you bolster the Cybersecurity for and from AI systems and threat actors.
The Deloitte Cybersecurity for AI and GenAI Framework synthesizes best practices from ISO standards, MITRE
ATT&CK, OWASP and ENISA to secure your AI and GenAI system to combat known and novel threats.
Cybersecurity for AI and GenAI Framework legend
Controls
For each of the capabilities, security controls are summarized to mitigate all potential threats.

Extract of controls
• Robust access control
• Regular validation of SBOM
• Watermarking
• Input injection testing
• Data Minimization
• Data Separation

System domains
The AI and GenAI threats identified can be exploited in different stages of the AI and GenAI lifecycle. To build appropriate mitigation mechanisms against the new and traditional vulnerabilities, the AI and GenAI system is organized in four different domains.

[Diagram labels: Cybersecurity for AI and GenAI Framework structure; External drivers]

Threats
As a special type of software, AI and GenAI systems face both new and traditional Cybersecurity threats.

Regulations
We have conducted geography-specific research to comply with regulations and follow standards. This is a major focal point of this Framework and is being continuously updated to keep up with this evolving space.

Domain-specific capabilities
For each domain, there are different capabilities which group security controls to address all the potential attack vectors and threats for AI and GenAI.

Overarching capabilities
As AI and GenAI is software at its core, overarching capabilities ensure Governance, Risk, and Compliance for the AI and GenAI Lifecycle across domains.
Data
All data used in training, testing, validation, and post-deployment inference.

AI and GenAI Model
The model’s architecture, its training, testing, validation, and parameters.

Infrastructure
Hardware and networking components for developing and hosting the system.

Application
The external layer hosting the model, acting as the user interface.
Stay tuned for our next publication!
Lifecycle Security
• Secure supply chain
• Secure development process
• Data loss prevention (DLP)
• Asset management

Governance, Risk & Compliance
• Regulatory compliance
• Third-party risk management
• AI and GenAI security risk management
• AI and GenAI specific policies, standards & architecture
• Business continuity management
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited
(DTTL), its global network of member firms, and their related entities
(collectively, the “Deloitte organization”). DTTL (also referred to as
“Deloitte Global”) and each of its member firms and related entities
are legally separate and independent entities, which cannot obligate
or bind each other in respect of third parties. DTTL and each DTTL
member firm and related entity is liable only for its own acts and
omissions, and not those of each other. DTTL does not provide
services to clients. Please see www.deloitte.com/about to learn more.
Deloitte provides industry-leading audit and assurance, tax and legal,
consulting, financial advisory, and risk advisory services to nearly 90%
of the Fortune Global 500® and thousands of private companies. Our
people deliver measurable and lasting results that help reinforce
public trust in capital markets, enable clients to transform and thrive,
and lead the way toward a stronger economy, a more equitable
society, and a sustainable world. Building on its 175-plus year history,
Deloitte spans more than 150 countries and territories. Learn how
Deloitte’s approximately 457,000 people worldwide make an impact
that matters at www.deloitte.com.
This communication contains general information only, and none of
Deloitte Touche Tohmatsu Limited (DTTL), its global network of
member firms or their related entities (collectively, the “Deloitte
organization”) is, by means of this communication, rendering
professional advice or services. Before making any decision or taking
any action that may affect your finances or your business, you should
consult a qualified professional adviser.
No representations, warranties or undertakings (express or implied)
are given as to the accuracy or completeness of the information in
this communication, and none of DTTL, its member firms, related identities,
employees or agents shall be liable or responsible for any
loss or damage whatsoever arising directly or indirectly in connection
with any person relying on this communication. DTTL and each of its
member firms, and their related entities, are legally separate and
independent entities.
Thank you.
Volker Burgers
Partner
vburgers@deloitte.de
Tim LI
Principal
timli@deloitte.com
Jordan McKenzie
Manager
jormckenzie@deloitte.de
Lucie Wollenhaupt
Manager
lwollenhaupt@deloitte.de
