News from NIST: Dioptra, AI Risk Management Framework (AI RMF) Generative AI Profile, and How PII Identification and Redaction can Support Suggested Best Practices

Aug 20, 2024

Share this post

Acting on its obligations flowing from a 2023 Executive Order, the US Department of Commerce’s National Institute of Standards and Technology (NIST) has recently released two new tools to aid companies developing Generative AI models (GenAI) do so responsibly and securely.

Dioptra

The first tool is geared towards the GenAI system developers themselves, instead of governance professionals. Citing from the GitHub repository:

Dioptra is a software test platform for assessing the trustworthy characteristics of artificial intelligence (AI). Trustworthy AI is: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair - with harmful bias managed. Dioptra supports the Measure function of the NIST AI Risk Management Framework by providing functionality to assess, analyze, and track identified AI risks.

Dioptra is designed to serve a variety of use cases across different stages of AI model development, evaluation, and deployment. For model testing, it offers comprehensive assessment capabilities throughout the development lifecycle for first-party developers. Second-party users can leverage Dioptra to evaluate AI models during acquisition processes or within controlled lab environments. Third-party auditors and compliance professionals can utilize the platform to conduct thorough assessments as part of their regulatory or quality assurance activities.

In the research domain, Dioptra aids trustworthy AI researchers by providing a robust system for tracking experiments, ensuring reproducibility and facilitating collaboration. For evaluations and challenges, it serves as a common platform, offering standardized resources and environments for participants to compete fairly and effectively.

Lastly, Dioptra supports red-teaming activities by providing a controlled environment where models and resources can be exposed to security experts. This allows for the identification of vulnerabilities and the improvement of model robustness in a safe and managed setting. Overall, Dioptra's versatility makes it a valuable tool for a wide range of stakeholders in the AI ecosystem, from developers and researchers to auditors and security professionals.

Dioptra is designed with several key properties that enhance its functionality and user experience. At its core, Dioptra emphasizes reproducibility by automatically creating snapshots of resources, ensuring that experiments can be accurately reproduced and validated. This is complemented by its traceability feature, which maintains a comprehensive history of experiments and their inputs, allowing for detailed analysis and auditing.

The platform's extensibility is achieved through a plugin system that supports the expansion of functionality and seamless integration of existing Python packages. Interoperability between these plugins is facilitated by a robust type system, promoting smooth interaction between different components.Dioptra's modular architecture allows users to compose new experiments from pre-existing components using simple YAML files, enhancing flexibility and ease of use. Security is prioritized with user authentication, and access controls are in development to further strengthen data protection.

Users benefit from an intuitive web interface that provides interactive access to Dioptra's features. Furthermore, the platform is designed for shareability and reusability, supporting multi-tenant deployment. This enables users to share and reuse components efficiently, fostering collaboration and knowledge exchange within the AI research and development community.

AI RMF Generative AI Profile

The second tool is the AI RMF Generative AI Profile, an expansion on the AI Risk Management Framework NIST published in January 2023 that addresses GenAI risks and mitigation strategies. The AI Profile lists 12 risk categories and almost 200 recommended actions that should be taken to mitigate these risks. These actions focus on governance mechanisms like establishing and implementing policies, oversight and incident reporting mechanisms, and engaging diversely composed teams and representative populations throughout the AI system lifecycle.

In this table we are listing the Suggested Actions that Private AI’s solutions can support, including a brief explanation of Private AI’s relevant capabilities.

Action ID	Suggested Action	Relevant functionality Private AI offers
GOVERN 1.2: The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures, and practices
GV-1.2-001	Establish transparency policies and processes for documenting the origin and history of training data and generated data for GAI applications to advance digital content transparency, while balancing the proprietary nature of training approaches.	Private AI’s solutions can scan large amounts of unstructured data and issue detailed reports on the PII and Confidential Corporate Information (CCI) contained in such data (“Detection & Reporting Capability”), which can support the documentation of the origin and history of data indirectly, by providing insights into which datasets to prioritize for this Suggested Action.
GOVERN 1.4: The risk management process and its outcomes are established through transparent policies, procedures, and other controls based on organizational risk priorities.
GV-1.4-002	Establish transparent acceptable use policies for GAI that address illegal use or applications of GAI.	Private AI’s PrivateGPT gives control to businesses over what PII and CCI is permitted to be included in prompts sent to LLMs by their employees. This solution can support and enforce an acceptable use policy, as it unlocks use cases that might otherwise not be aligned with the business’s risk appetite but would be beneficial to its efficiency.
GOVERN 6.1: Policies and procedures are in place that address AI risks associated with third-party entities, including risks of infringement of a third-party’s intellectual property or other rights.
GV-6.1-001	Categorize different types of GAI content with associated third-party rights (e.g., copyright, intellectual property, data privacy).	Insofar as GAI content means training data, Private AI’s Detection and Reporting Capability can provide clarity on what it contained in the data the model is trained on. Insofar this term covers prompts sent to LLMs, PrivateGPT detects, categorizes, and replaces sensitive information before it is sent to the LLM provider.
MAP 4.1: Approaches for mapping AI technology and legal risks of its components – including the use of third-party data or software – are in place, followed, and documented, as are risks of infringement of a third-party’s intellectual property or other rights
MP-4.1-001	Conduct periodic monitoring of AI-generated content for privacy risks; address any possible instances of PII or sensitive data exposure.	The Detection and Reporting Capability can automate much of this requirement, in particular because it distinguishes between PII and sensitive information, e.g., PHI and PCI information.
MP-4.1-005	Establish policies for collection, retention, and minimum quality of data, in consideration of the following risks: Disclosure of inappropriate CBRN information; Use of Illegal or dangerous content; Offensive cyber capabilities; Training data imbalances that could give rise to harmful biases; Leak of personally identifiable information, including facial likenesses of individuals	While we can’t write a policy for you, Private AI’s solution can be implemented at every state of the data life cycle, including to filter out PII at the time of collection to ensure that it is never ingested in the first place. This enables you to write policies that require selective collection of data bare of PII.
MP-4.1-009	Leverage approaches to detect the presence of PII or sensitive data in generated output text, image, video, or audio.	The Detection and Reporting Capability works on multiple file types.
MP-4.1-010	Conduct appropriate diligence on training data use to assess intellectual property, and privacy, risks, including to examine whether use of proprietary or sensitive training data is consistent with applicable laws.	The Detection and Reporting Capability supports this requirement by providing quick and reliable insights into the PII and sensitive data contained in the training corpus.
MEASURE 2.2: Evaluations involving human subjects meet applicable requirements (including human subject protection) and are representative of the relevant population.
MS-2.2-002	Document how content provenance data is tracked and how that data interacts with privacy and security. Consider: Anonymizing data to protect the privacy of human subjects; Leveraging privacy output filters; Removing any personally identifiable information (PII) to prevent potential harm or misuse.	Private AI’s solution leverages a proprietary algorithm to not only identify over 50 entities of PII in unstructured and structured data, across 53 languages, but it also has the ability to redact, replace, or generate synthetic data in place of the PII (“Redaction Capability”). This will always be the first step when anonymizing data, although additional ones may be necessary. Additionally, PrivateGPT serves as a privacy output filter.
MS-2.2-004	Use techniques such as anonymization, differential privacy or other privacy enhancing technologies to minimize the risks associated with linking AI-generated content back to individual human subjects.	The Redaction Capability can remove direct identifiers such as names, emails, numerical identifiers like SSN and driver’s license number, as well as indirect identifiers, e.g., data of birth, age, or physical attribute, thereby enhancing the privacy of the dataset and minimizing risk for individuals.
MEASURE 2.6: The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures.
MS-2.6-002	Assess existence or levels of harmful bias, intellectual property infringement, data privacy violations, obscenity, extremism, violence, or CBRN information in system training data.	The Detection and Reporting Capability can support the bias assessment requirement by identifying entities in the data with which bias is often associated, such as gender, sexual orientation, age, nationality, race, disability, and income. The identification of PII can aid the inquiry into whether training data infringes upon privacy obligations.
MEASURE 2.7: AI system security and resilience – as identified in the MAP function – are evaluated and documented.
MS-2.7-001	Apply established security measures to: Assess likelihood and magnitude of vulnerabilities and threats such as backdoors, compromised dependencies, data breaches, eavesdropping, man-in-the-middle attacks, reverse engineering, autonomous agents, model theft or exposure of model weights, AI inference, bypass, extraction, and other baseline security concerns	Pseudonymization is a well-established security technique that helps minimize the impact of data breaches, and which can be achieved with support of the Redaction Capability.
MEASURE 2.10: Privacy risk of the AI system – as identified in the MAP function – is examined and documented.
MS-2.10-001	Conduct AI red-teaming to assess issues such as: Outputting of training data samples, and subsequent reverse engineering, model extraction, and membership inference risks; Revealing biometric, confidential, copyrighted, licensed, patented, personal, proprietary, sensitive, or trade-marked information; Tracking or revealing location information of users or members of training datasets.	Red-teaming efforts can be supported using the Detection and Reporting Capability which can give quick and reliable insights into whether output contains PII or confidential information.
MANAGE 2.2: Mechanisms are in place and applied to sustain the value of deployed AI systems.
MG-2.2-009	Consider opportunities to responsibly use synthetic data and other privacy enhancing techniques in GAI development, where appropriate and applicable, match the statistical properties of real-world data without disclosing personally identifiable information or contributing to homogenization.	The Redaction Capability can replace PII with synthetic PII to retain data utility while preserving privacy.
MANAGE 3.1: AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented.
MG-3.1-002	Test GAI system value chain risks (e.g., data poisoning, malware, other software and hardware vulnerabilities; labor practices; data privacy and localization compliance; geopolitical alignment).	When procuring any data from a third party, it is advisable to use the Detection and Reporting Capability to identify whether any PII or sensitive information is contained in the data, which helps with the risk assessment of these third-party resources.
MANAGE 4.3: Incidents and errors are communicated to relevant AI Actors, including affected communities. Processes for tracking, responding to, and recovering from incidents and errors are followed and documented.
MG-4.3-003	Report GAI incidents in compliance with legal and regulatory requirements (e.g., HIPAA breach reporting, e.g., OCR (2023) or NHTSA (2022) autonomous vehicle crash reporting requirements.	GAI incident reporting can be aided by the Detection and Reporting Capability insofar as the incident involved a breach of PII. This Capability can provide accurate information on whose and what type of data was affected.

Conclusion

The release of Dioptra and the AI RMF Generative AI Profile by NIST marks a significant step forward in promoting responsible and secure development of Generative AI systems. These tools provide developers, researchers, and compliance professionals with valuable resources to assess, manage, and mitigate risks associated with AI technologies. As the field of AI continues to evolve rapidly, the importance of such frameworks and platforms cannot be overstated. By leveraging these tools alongside privacy-enhancing technologies like those offered by Private AI, organizations can better navigate the complex landscape of AI development and deployment.