Google’s Secure AI Framework (SAIF) Cheat Sheet

Google’s Secure AI Framework (SAIF) is a conceptual framework designed to help organizations secure AI systems. It addresses top-of-mind concerns for security professionals, such as AI/ML model risk management, security, and privacy. SAIF helps ensure that when AI models are implemented, they are secure by default.

Six Core Elements of SAIF

1. Expand strong security foundations to the AI ecosystem
Organizations can build on secure by default infrastructure protections developed over the last two decades to protect AI systems, applications and users. They should develop organizational expertise to keep pace with advances in AI and adapt infrastructure protections in the context of AI and evolving threat models. For example, injection techniques like SQL injection have existed for some time, and organizations can adapt mitigations such as input sanitization and limiting to help defend against prompt injection style attacks.

2. Extend detection and response to bring AI into an organization’s threat universe
Timeliness is critical in detecting and responding to AI-related cyber incidents. Organizations should monitor inputs and outputs of generative AI systems to detect anomalies and use threat intelligence to anticipate attacks. This effort typically requires collaboration with trust and safety, threat intelligence, and counter abuse teams.

3. Automate defenses to keep pace with existing and new threats
Adversaries will likely use AI to scale their impact, so organizations should use AI and its current and emerging capabilities to stay nimble and cost effective in protecting against them.

4. Harmonize platform level controls to ensure consistent security across the organization
Consistency across control frameworks can support AI risk mitigation and scale protections across different platforms and tools. Organizations should extend secure by default protections to AI platforms like Vertex AI and Security AI Workbench, and build controls and protections into the software development lifecycle.

5. Adapt controls to adjust mitigations and create faster feedback loops for AI deployment
Constant testing through continuous learning helps ensure detection and protection capabilities address the changing threat environment. This includes techniques like reinforcement learning based on incidents and user feedback. Organizations should update training data sets, fine-tune models to respond strategically to attacks, and conduct regular red team exercises.

6. Contextualize AI system risks in surrounding business processes
Organizations should conduct end-to-end risk assessments related to how they will deploy AI. This includes assessment of data lineage, validation, and operational behavior monitoring for certain types of applications. Organizations should also construct automated checks to validate AI performance.

Secure AI Framework Ecosystem and Initiatives

• SAIF.Google
  • SAIF.Google is a resource hub to help security professionals navigate the evolving landscape of AI security. It provides a collection of AI security risks and controls, including a Risk self-assessment report to guide practitioners in understanding the risks that could affect them and how to implement SAIF in their organizations.
• Coalition for Secure AI (CoSAI)
  • Google formed the Coalition for Secure AI with founding members including Anthropic, Cisco, GenLab, IBM, Intel, Nvidia and PayPal. CoSAI addresses critical challenges in implementing secure AI systems.
• Government and Standards Collaboration
  • Google collaborates with governments and organizations to help mitigate AI security risks. This includes working with policymakers and standards organizations such as NIST to contribute to evolving regulatory frameworks.

Google Cloud Security Controls for AI Risks

Data Poisoning Protections

• Google Cloud provides controls that customers can configure to protect their usage of models. VPC Service Controls prevent data exfiltration by creating isolation perimeters around cloud resources, including Vertex AI-specific policies. Organizational Policy Service provides security guardrails to enforce which resource configurations are allowed or denied. Vertex AI Model Registry helps organize, track, and manage the life cycle of ML models. Confidential AI powered by Confidential Computing extends hardware-based data and model protection with confidentiality, integrity, and isolation from CPU to GPUs. Google Privileged Access Management provides control over data and encryption key access with Access Approval, Access Transparency and Key Access Justifications.

Denial of ML Service Protections

• Security Command Center protects Vertex AI applications with preventative and detective controls, including responding to Vertex AI security events and attack path simulation. Cloud Armor protects against DDoS and application layer attacks. Model Armor helps inspect, route, and protect foundation model prompts and responses, mitigating risks such as prompt injections, jailbreaks, toxic content, and sensitive data leakage.

Secure AI Framework and Responsible AI

Google’s AI Principles describe the company’s commitment to developing technology with dimensions such as Fairness, Interpretability, Security, and Privacy. SAIF is the framework for creating a standardized approach to integrating security and privacy measures into ML-powered applications. SAIF aligns with the Security and Privacy dimensions of building AI responsibly.

Additional Resources

• Enhancing AI security: Google’s AI Red Team – Insights from Google’s AI Red Team on tactics to enhance security for AI systems

• Securing AI systems with Mandiant – Guidance from Mandiant on proactive security integration in AI systems

• Android: Secure development guidelines – Real-time vulnerability alerts and secure development guidelines for machine-learning code

• Securing AI with Google Cloud – Resources for boards of directors focusing on cybersecurity, AI deployment, risk governance, and secure transformation

• Securing the AI software supply chain – White paper addressing AI supply-chain security using provenance information

References

Google Safety Centre – Secure AI Framework (SAIF)

Secure AI Framework (SAIF) and Google Cloud

Google Blog –  Introducing Google’s Secure AI Framework