As artificial intelligence (AI) systems become more integrated with our daily lives, safeguarding AI from malicious misuse and abuse becomes a critical responsibility for organisations, developers, and users. This blog discusses the best practices for security and compliance based on the AWS Certified AI Practitioner AIF C01 exam. The exam helps you learn AI security topics such as identity management, encryption, and regulatory compliance. Further, you will learn the best practices for building AI safely on AWS.

Overview of Security, Compliance, and Governance for AI Solutions

Domain 5 in the AWS Certified AI Practitioner exam covers Security, Compliance, and Governance with 14% exam coverage. The domain has two sections: one covers the methods to secure AI systems, and the other explains the governance and compliance regulations for AI systems.

The best practices for AI security, compliance, and governance are based on the following AWS models:

  • AWS Generative AI Security Scoping Matrix
  • AWS Shared Responsibility Model
  • AWS AI stack
  • Defense-in-depth

By understanding these models, you gain relevant security tips for the exam

AI Security, Compliance, and Governance

AWS supports 143 security standards and compliance certifications. Although the phrases security, compliance, and governance are related, they are not synonymous.

AI Security, Compliance, and Governance

Design your Security Best Practices using AWS Generative AI Security Scoping Matrix

The scope of your AI solution also defines the scope of security measures. The AWS Generative AI Security Scoping Matrix is a readymade framework that classifies five generative AI use cases to help you assess the scope of your AI solution and the required security measures. The model further provides guidance on when to buy or build security measures.

generative ai security scoping matrix

The model lists five AI security standards:

  • Governance and compliance – The policies, procedures, and reporting needed to empower the business while minimizing risk.
  • Legal and privacy – The specific regulatory, legal, and privacy requirements for using or creating generative AI solutions.
  • Risk management – Identification of potential threats to generative AI solutions and recommended mitigations.
  • Controls – The implementation of security controls that are used to mitigate risk.
  • Resilience – How to architect generative AI solutions to maintain availability and meet business SLAs.

AWS offers different tools and services to enable tailored security and compliance measures for these use cases.

AWS Shared Responsibility Model

AI security and compliance is an ongoing effort that the cloud provider and the customer equally share. However, it can become difficult to determine who is responsible for what when two parties are involved. The Shared Responsibility Model precisely lays out how customers and cAWS  share duties:

  • AWS secures the foundation (physical, infrastructure, and global network-level security).
  • Customer secures the usage (data, access, and configuration of services).

responsibility of customer and aws

The AI stack

The AI (Artificial Intelligence) stack is a  broad technical framework that includes the tools and technologies used for creating, deploying, and maintaining AI systems, where each layer in the stack supports specific stages in the AI lifecycle. The best practice is to ensure data security at each layer of the AI stack through access control, encryption, and regular compliance audits.

the-ai-stack

Defense-in-depth for AI on AWS

The Defense-in-depth paradigm helps organizations integrate their security, governance, and compliance functions while building on AWS. Defense-in-depth security mitigates many of the common risks that any workload faces by layering controls, helping teams govern generative AI workloads using familiar tools.
defense-in-depth-for-ai-on-aws

Best Practices for Securing AI Systems

Here are common AI security best practices and the AWS services and tools that enable them:

  • Identify sensitive data before training models.

Use Amazon Macie to scan S3 buckets for personally identifiable information (PII), personal health information (PHI), financial information, and other sensitive data.

  • Manage identities and access to AWS services and resources.

Specify who or what can access services and resources in AWS AWS Identity and Access Management (IAM).

IAM entities such as IAM users and IAM user groups, IAM roles, and IAM policies help you manage fine-grained permissions, and analyze access to refine permissions across AWS.

  • Limit access to data, model, and outputs.

Apply a policy of least privilege to training data, models, and applications using AWS IAM.

  • Protect data theft and manipulation.

Launch AWS resources in a logically isolated virtual network through Amazon VPC. Use AWS PrivateLink to establish private connectivity from your Amazon VPC to Amazon Bedrock, without having to expose your VPC to internet traffic.

  • Protect AI works with intelligent threat detection.
    Use Amazon Inspector to continually scan AWS workloads for software vulnerabilities and unintended network exposure.
  • Automate incident response and compliance.

Combine multiple services such as AWS Config, AWS Audit Manager, AWS Artifact to continually enforce your security and compliance controls .

Best Practices for Governance and Compliance

Effective AI governance begins with a strong governance framework. Here are some best practices for developing the governance framework.

  • Establish an AI governance board or committee
  • Define roles and responsibilities
  • Implement policies and procedures
  • Review the board’s performance regularly

Failure to comply with your governance policies and procedures can have high adverse effects. One of the best practices to avoid such a situation is to keep monitoring your AI systems. The following AWS services can help you with compliance automation:

  • AWS Config helps you demonstrate compliance by providing access to the historical configurations of your resources.
  • AWS Audit Manager helps you continually audit your AWS usage to streamline how you manage risk and compliance with regulations and industry standards.
  • AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, PCI reports, and SOC Reports.
  • CloudTrail can help you comply with internal policies and regulatory standards by providing a history of events in your AWS account.

Conclusion

For any business to deliver its primary business, it must implement security, governance, and compliance functions. In the context of AI solutions, security, governance, and compliance enable us to use AI safely. The AWS Certified AI Practitioner (AIF-C01) enables you to demonstrate your skills in all aspects of AI, including machine learning (ML), generative AI, responsible AI, and security, compliance, and governance for AI solutions. Sign up for the Whizlabs AWS Certified AI Practitioner course to earn this certificate. For additional hands-on experience with the services, check  AWS hands-on labs and AWS sandboxes.