3.12
Risk
Failure to Specify or Enforce Secure Model Requirements
Description
Security, privacy, robustness, or operational requirements are not specified before a model is built, or are specified but never verified against the trained model, so the model ships insecure by default.
Example
A model is trained without any robustness requirement, so nothing in the pipeline measures its behaviour under adversarial inputs; once deployed, it is easily evaded by small input perturbations.
Assets Affected
Model files
Dataset / RAG
Framework
Mitigation
- Specify and document AI system requirements before training starts, covering security, privacy, robustness (for example, a minimum accuracy under a stated adversarial perturbation budget), and operational constraints
- Validate the trained model against those requirements as a gate in the build pipeline, and fail the build when any requirement is unmet
- Involve AppSec and GRC in requirements review so that security and compliance obligations are captured as testable requirements rather than informal expectations
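The following is an added example of the build gate described above; it is not code from this catalog. It assumes a hypothetical requirements spec (`REQUIREMENTS`), a constructed two-feature dataset, and a linear classifier, for which the worst-case L-infinity perturbation has a closed form (the margin drops by `eps * ||w||_1`), so robustness can be measured exactly rather than estimated. One feature is large-scale and reliable; the other is tiny-scale but perfectly correlated with the label. A pipeline that normalizes feature scale and trains for accuracy alone leans on the tiny feature, which an attacker can flip with a perturbation far below the noise in the reliable feature; the gate, measuring in raw input units, fails that build. Training with the robustness budget enforced (adversarial training with the same `eps`) produces a model that passes.

```python
"""Requirements-as-code build gate for a model (added example, not from the catalog).

Constructed scenario: x1 = y + uniform noise in [-0.8, 0.8] (reliable, large
scale); x2 = 0.05 * y (perfectly predictive, tiny scale). The adversary may
move every raw input coordinate by at most EPS (L-infinity budget).
"""
import math
import random

# Hypothetical requirements spec; in a real pipeline this lives in version
# control next to the training code and is reviewed by AppSec/GRC.
REQUIREMENTS = {
    "min_clean_accuracy": 0.95,
    "min_robust_accuracy": 0.90,  # accuracy under worst-case L-inf perturbation
    "eps": 0.1,                   # perturbation budget, in raw input units
}


def make_data(n=400, seed=7):
    """Constructed, label-balanced dataset (already centred, so no intercept is needed)."""
    rng = random.Random(seed)
    xs, ys = [], []
    for i in range(n):
        y = 1 if i % 2 == 0 else -1
        xs.append((y + rng.uniform(-0.8, 0.8), 0.05 * y))
        ys.append(y)
    return xs, ys


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(xs, ys, eps=0.0, steps=200, lr=0.5):
    """Logistic regression (no intercept) by full-batch gradient descent.

    With eps > 0 each step uses the worst-case L-inf perturbation of every input;
    for a linear model that adversary subtracts eps * y * sign(w), so the margin
    becomes y * w.x - eps * ||w||_1. This is adversarial training with the same
    budget the gate later checks.
    """
    w = [0.0, 0.0]
    for _ in range(steps):
        grad = [0.0, 0.0]
        l1 = abs(w[0]) + abs(w[1])
        for x, y in zip(xs, ys):
            margin = y * (w[0] * x[0] + w[1] * x[1]) - eps * l1
            s = sigmoid(-margin)  # logistic loss gradient weight for this sample
            for j in range(2):
                sgn = (w[j] > 0) - (w[j] < 0)  # subgradient of |w_j|
                grad[j] += s * (y * x[j] - eps * sgn)
        w = [w[j] + lr * grad[j] / len(xs) for j in range(2)]
    return w


def scale_normalize(xs):
    """Divide each feature by its root-mean-square (data are centred, so this is
    z-scoring without the mean shift). Returns the scales so weights can be mapped
    back to raw input units for the gate."""
    n = len(xs)
    scales = [math.sqrt(sum(x[j] ** 2 for x in xs) / n) for j in range(2)]
    return [tuple(x[j] / scales[j] for j in range(2)) for x in xs], scales


def evaluate(w, xs, ys, eps):
    """Clean accuracy and exact worst-case L-inf robust accuracy of a linear model."""
    l1 = abs(w[0]) + abs(w[1])
    clean = robust = 0
    for x, y in zip(xs, ys):
        m = y * (w[0] * x[0] + w[1] * x[1])
        clean += m > 0
        robust += m - eps * l1 > 0
    return clean / len(xs), robust / len(xs)


def gate(w, xs, ys, req=REQUIREMENTS):
    """Build gate: evaluates every requirement in raw input units and reports each
    check; the build passes only if all checks hold."""
    clean, robust = evaluate(w, xs, ys, req["eps"])
    checks = {
        "min_clean_accuracy": clean >= req["min_clean_accuracy"],
        "min_robust_accuracy": robust >= req["min_robust_accuracy"],
    }
    return {"clean": clean, "robust": robust, "checks": checks,
            "passed": all(checks.values())}


def build_without_requirements():
    """Typical pipeline: normalize scale, train for accuracy only, map weights back."""
    xs, ys = make_data()
    zs, scales = scale_normalize(xs)
    w_norm = train(zs, ys)
    w_raw = [w_norm[j] / scales[j] for j in range(2)]
    return gate(w_raw, xs, ys)


def build_with_requirements():
    """Robustness requirement enforced during training, in raw input units."""
    xs, ys = make_data()
    return gate(train(xs, ys, eps=REQUIREMENTS["eps"]), xs, ys)


if __name__ == "__main__":
    for name, build in (("no requirements", build_without_requirements),
                        ("requirements enforced", build_with_requirements)):
        r = build()
        verdict = "PASS" if r["passed"] else "FAIL (block release)"
        print(f"{name}: clean={r['clean']:.3f} robust={r['robust']:.3f} -> {verdict}")
```

Two design points carry over to real pipelines: the gate measures the model in the units an attacker actually controls (raw inputs, after undoing any feature normalization), because a perturbation that is tiny in normalized space can be trivial in input space, and the same perturbation budget appears in the spec, the training objective, and the gate, so a passing build is evidence about the requirement that was written down rather than about some unrelated metric.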
Standards Mapping
- ISO 42001: A.6.2.2, A.6.1.2
- NIST AI RMF: MAP 1.6, GOVERN 1.2