
New Video from @NoLimitSecu Discusses Information Security Policy for AI
In this new video from No Limit Secu, Michel Dubois, deputy director of cybersecurity for a major French group and associate researcher at the ESA's digital security laboratory, discusses the Information Security Policy (PSSI) for Artificial Intelligence (AI). He is joined by several contributors, including Nicolas Ruff, Paul Amar, and Hervé Schauer.

Context and Objectives of the PSSI Document for AI

The PSSI document for AI was created in response to a lack of French resources on AI system security. Although many documents and standards exist, often in English, there was nothing specific to guide Information Security Managers (RSSI) in implementing a PSSI dedicated to AI. The document, about thirty pages long, covers three main parts: securing AI development, acquiring and integrating AI into a corporate environment, and securing generative AI.

Document Structure

The first part of the document focuses on securing AI development, emphasizing the need to secure each step of the development process. The second part addresses the acquisition and integration of AI, emphasizing awareness and user training on the specific risks associated with generative AI. The third part deals with securing generative AI, highlighting the importance of controlling and verifying the responses provided by these systems.

Rules and Recommendations

Among the 22 specific rules of the document, some are particularly notable. For example, it is recommended to prohibit the direct use of responses from a generative AI in a development process without human review. Additionally, the document emphasizes the need to secure the supply chain of data used to train AI models. Michel Dubois stresses that the most important part of the PSSI is the secure design of AI, relying on classic development cycles but with increased vigilance.

Challenges and Complexities

One of the major challenges is the rapid evolution of generative AI. Vendor offerings change quickly, forcing companies to constantly adapt. For example, Microsoft Copilot recently changed its data processing rules, requiring adjustments in corporate security policies. Additionally, employees' personal use of AI tools complicates the implementation of security rules.

Feedback and Adaptations

The PSSI document has already received feedback, particularly on the complexity of implementing the rules and the need to quickly adapt to changes in vendor offerings. Companies must also manage unauthorized use (shadow IT) and the unexpected addition of generative AI to existing products, which can challenge existing security assurance plans.

Compliance and Regulation

The document complies with the European AI Act, although Michel Dubois expresses some disappointment with the limited attention to cybersecurity in this regulatory framework. Europe focuses more on the ethics and authorized aspects of AI, leaving aside crucial security issues.

Conclusion and Perspectives

Michel Dubois concludes by emphasizing the importance of user awareness and training, as well as conducting in-depth risk analyses. He also suggests using open-source tools to audit AI security and envisions creating an inventory of available tools to facilitate the work of RSSIs. The PSSI document for AI will be made public six months after its release, providing a valuable resource for all cybersecurity professionals.

To learn more, watch the full video: https://www.youtube.com/watch?v=wvBJzqFSB_k