Module 4

Question 1

List 5 security risks related to generative AI

Answer 1

• Hallucinations
• Deepfakes
• Training data poisoning
• Data leakage
• Filter bubbles (echo chambers)

Question 2

What are hallucinations?

Answer 2

Instances where a generative AI model creates content that either contradicts the source or creates factually incorrect output under the appearance of fact

Question 3

What is the problem with deepfakes?

Answer 3

You don’t know what is real and what is not

Question 4

What is training data poisoning?

Answer 4

• Common approach when using AI to hack other AI models
• Hackers try to poison your training data pools

Question 5

Where is data leakage common?

Answer 5

Federated learning

Question 6

What are filter bubbles (or echo chambers)?

Answer 6

• The AI model repeats back to you what you already believe and what you have already told it
• It is not producing new insights

Question 7

List 6 security risks of general AI

Answer 7

• AI can concentrate the power on a few individuals or organizations
• Overreliance on AI which provides a false sense of security
• AI systems are vulnerable to attack
• Misuse of AI
• AI algorithms that are used to attack other AI systems
• Storing training data outside of production

Question 8

Why is it bad for AI to concentrate power on a few individuals or organizations?

Answer 8

It erodes individual freedom

Question 9

What do you call it when an attacker manipulates input data to obtain a different output?

Answer 9

Adversarial machine learning attack

Question 10

What is the potential impact of an adversarial machine learning attack?

Answer 10

Can lead to incorrect decisions which could lead to security breaches or data loss

Question 11

What is the potential impact of the misuse of AI?

Answer 11

• May lead to security risks
• Like in transfer of learning attacks

Question 12

Why should you never store training data outside of production?

Answer 12

• Those environments do not have the same level of security
• You may put this data out in a less secure environment

Question 13

What operational risks are associated with AI?

Answer 13

How you use the AI
- High cost to run the AI algorithm - hardware (CPUs, GPUs, …)
Operating and running the AI
- Environmental costs
- Data corruption and poisoning

Question 14

What environmental costs could AI generate?

Answer 14

• Increased carbon footprint
• Greater resource utilization
• Costs for running green

Question 15

List 4 privacy risks associated with AI

Answer 15

• Data persistence
• Data repurposing
• Data spillover
• Data collected or derived from AI itself

Question 16

Describe privacy issues related to data persistence

Answer 16

• Data exists longer than the human subjects that created it
• Once the data subject is gone, best practice would be to delete it

Question 17

Describe privacy issues related to data repurposing

Answer 17

• Data being used beyond the originally specified purpose
• May be intentional or not

Question 18

Describe privacy issues related to data spillover

Answer 18

• Data is collected on people who are not the target of the data collection
• Can happen in something like surveillance

Question 19

Describe privacy issues related to data that is collected from the AI itself

Answer 19

• How can you do informed, freely-given, consent when the AI is collecting it
• How does the individual opt out
• How to you limit data collection or limit the creation of certain pieces of derived data
• How do you describe the nature of the AI process to the data subject
• How do you go back to delete data on request

Question 20

List 9 regulation and legal risks related to AI

Answer 20

• Compliance with laws and regulations
• Liability for harm caused by the AI system
• Intellectual property disputes
• Human rights violations
• Reputational damage
• Socio-economic inequality
• Social manipulation
• Opaque decision making
• Lack of human oversight

Question 21

What did Citron and Solove develop?

Answer 21

An approach to identifying privacy harms which includes multiple categories and sub-categories of harm

Question 22

List the categories of harm according to Citron and Solove

Answer 22

• Physical Harms
• Economic Harms
• Reputational Harms
• Psychological Harms
• Autonomy Harms
• Discrimination Harms
• Relationship Harms

Question 23

List the sub-categories of psychological harms according to Citron and Solove

Answer 23

• Emotional distress
• Disturbance

Question 24

List the sub-categories of autonomy harms according to Citron and Solove

Answer 24

• Coercion
• Manipulation
• Failure to Inform
• Thwarted Expectations
• Lack of Control
• Chilling Effects

Question 25

List 8 types of prospective (potential) AI harms to use as a starting point

Answer 25

• Use of force – use of autonomous weapons systems
• Safety and certification – the role of government in preventing humans from experiencing harms
• Privacy – shielding an individual’s information from society
• Personhood – development of self, assigning human rights and responsibilities to non-humans
• Displacement of labour – technology replacing humans in the workforce and not just manual labour but processes as well
• Justice system – effect of technology on the operation of the courts
• Accountability – responsibility for pecuniary (financial) and non-pecuniary harms
• Using labels to discriminate – classification of individuals (peoples, nationalities, etc.)

Question 26

List 7 organizational considerations in implementing AI risk management

Answer 26

• Adopt a pro-innovation mindset
• Ensure planning and design is consensus-driven
• Ensure the team is outcome-focused
• Ensure the framework is law-, industry- and technology-agnostic
• Adopt a non-prescriptive approach to allow for intelligent self-management
• Ensure governance is risk-centric
• Create policies to manage third party risk, to ensure end-to-end accountability

Question 27

How do you adopt a pro-innovation mindset?

Answer 27

• Does not refer to “innovation for the sake of innovation”
• Be prepared for changes, new products and possibilities
• Consider these questions:
  
  • Will the new product fill a gap or meet a need?
  • Does it align with principles?
  • Is it fiscally responsible?

Question 28

How do you ensure planning and design is consensus-driven?

Answer 28

• Does not refer to “best two out of three”
• Consider these questions:
  
  • Have you involved all necessary stakeholders?
  • Did you include people from various teams across the organization?
  • Does each stakeholder understand the needs vs. risks?

Question 29

How do you ensure the team is outcome-focused?

Answer 29

• Does not refer to only the “bottom line”
• Consider these questions:
  
  • Does the team understand what the desired outcome is from the AI product?
  • Will the product serve the purpose for which it is being created/utilized/designed/applied?
  • Is there a better way to achieve the goal than that which is being proposed?

Question 30

How do you ensure the framework is law-, industry- and technology agnostic?

Answer 30

The framework should:
- Be interoperable across systems
- Ideally be flexible, able to solve a business “problem,” and able to explain why an approach was taken
- Not be biased toward a specific business process or practice, law, industry or technology

Question 31

How do you adopt a non-prescriptive approach to allow for intelligent self-management?

Answer 31

Risks should be approached in a context-specific and use-case manner to allow for adjustment and evolution as needs and uses change

Question 32

How do you create policies to manage third party risk, to ensure end-to-end accountability?

Answer 32

• Identify the purpose for AI and ensure the program meets the need
• Determine who needs access to the AI programs and specify use
• Identify risks from the specific program or use, and work to mitigate those risks
• Be clear on who owns the output of the AI process, especially once the contract or use is complete/terminated

Question 33

How are risks assessed?

Answer 33

The severity of harm x the probability of occurrence

Question 34

What does the NIST Risk Management Framework suggest to ensure proper oversight?

Answer 34

Senior and independent oversight within a company is required to review and hold account the risk management structures

Question 35

What does the NIST Risk Management Framework include to support oversight?

Answer 35

Declaring risk tolerances
Supporting AI risk management and risk executives
- Ensuring appropriate authority and resources are available to perform risk management
- Equipping the right people with the right tools
- Determining and documenting roles and responsibilities and delegating authority

Question 36

Provide the detailed steps for calculating risk

Answer 36

1. Determine who needs to be involved
2. Understand the business purposes and planned usage of the AI
3. Enumerate the potential harms
4. Describe the data
5. Determine whether the AI has or will be evaluated against alternative approaches
6. Evaluate the harm against the potential

Question 37

How do you assess fairness in an AI system?

Answer 37

• What is the the intended task
• How does it function – what are its performance metrics
• Is it robust – is it scalable, can it withstand greater or less use
• Have we been sufficiently transparent around how it works and what the intended consequences might be

Question 38

What should you consider when establishing AI governance and strategy?

Answer 38

• Look to existing stakeholders
• Establish and understand the roles and responsibilities
• Assist personnel to understand their roles, where to seek assistance, how to empower themselves in the development and release process
• Communicate with research, data scientists, AI and ML engineers, and non-AI engineers
• Decide who will maintain and update an inventory of AI applications and algorithms
• As practitioners begin to build AI assessment processes, look to external frameworks
• Work with internal stakeholders to establish the organizational risk strategy and tolerance
• Focus on key AI risks and needs tied to the organization’s AI principles, values and standards

Question 39

Who should you include as stakeholders when establishing AI governance and strategy?

Answer 39

• Privacy
• Security
• Accessibility
• Digital safety

Question 40

What are 3 aspects to consider when engaging with leadership?

Answer 40

• Identify leadership already using AI and would be supporters of improved governance and structure to streamline activities
• Identify where and how responsible AI is a differentiator
• Show why and how your organization and leadership can get ahead of AI

Question 41

How can responsible AI be a differentiator?

Answer 41

When current programs and public or customer-focused information is insufficient
(for example, when privacy and security do not sufficiently address the risks of AI bias and improved forms of AI focused transparency, grounded in governance, can make products more appealing to customers and the public)

Question 42

How can you show why and how your organization and leadership can get ahead of AI?

Answer 42

• Explain current legislation coming to the fore that will impact the organization
• Showcase existing regulatory statements
• Express concerns and statements on AI to emphasize why a strong governance program can help mitigate AI risks and demonstrate the organization’s commitment to building trustworthy products

Question 43

List 3 different types of AI governance models

Answer 43

• Centralized - controlled by a single team in the organization
• Federated - hybrid
• Decentralized - highly technical and integrated into development tools

Question 44

How can you incentivize effective and safe AI?

Answer 44

• Highlighting customer value and increased trust by customers
• Strongly defining responsible AI as a discipline to reinforce the value of AI for an organization
• Engaging HR to identify work roles and success measures for AI practitioners so that they are rewarded and can help highlight the value of responsible AI and foster a strong governance community and responsibly minded AI engineers