Eighteen countries have signed an agreement on AI safety, based on the principle that it should be secure by design. The Guidelines for Secure AI System Development, led by the U.K.’s National Cyber Security Centre and developed with the U.S.’ Cybersecurity and Infrastructure Security Agency, are touted as the first global agreement of their kind.
They’re aimed mainly at providers of AI systems that are using models hosted by an organisation, or that are using external application programming interfaces. The aim is to help developers make sure that cybersecurity is baked in as an essential precondition of AI system safety and integral to the development process, from the start and throughout.
“The guidelines jointly issued today by CISA, NCSC, and our other international partners, provide a common sense path to designing, developing, deploying, and operating AI with cyber security at its core,” said secretary of homeland security Alejandro Mayorkas.
“By integrating ‘secure by design’ principles, these guidelines represent an historic agreement that developers must invest in, protecting customers at each step of a system’s design and development,” he added.
They cover secure design, including understanding risks and threat modelling and the trade-offs that need to be considered around system and model design, and secure development, including supply chain security, documentation, and asset and technical debt management.
Secure deployment covers protecting infrastructure and models from compromise, threat or loss, developing incident-management processes and responsible release. Secure operation and maintenance cover logging and monitoring, update management and information sharing.
The guidelines are broadly based on the NCSC’s Secure development and deployment guidance, NIST’s Secure Software Development Framework and the secure by design principles published by CISA, the NCSC and other international cyber agencies.
They have been approved by Australia, Canada, Chile, Czechia, Estonia, France, Germany, Israel, Italy, Japan, New Zealand, Nigeria, Norway, Poland, South Korea and Singapore, as well as the U.K. and U.S. However, one notable absence is China—currently the world’s leading developer of AI.